LSA Denial of Service

Reported December 16, 1999 by Network Associates

VERSIONS AFFECTED
  • Windows NT Workstation 4.0
  • Windows NT Server 4.0
  • Windows NT Server 4.0, Enterprise Edition
  • Windows NT Server 4.0, Terminal Server Edition

DESCRIPTION

According to the report released by NAI, "The Local Security Authority is the center of the Windows NT security subsystem. The LSA is a user-mode process (LSASS.EXE) used to maintain security information of a system known as the Local Security Policy.

The Local Security Policy is stored in the registry and includes such information as who has permission to access the system, who is assigned privileges and what security auditing is performed.

The majority of the security subsystem components run within the context of the LSASS process, including the Security Accounts Manager (SAM) that is responsible for maintaining the SAM database stored in the registry. Also the default authentication package (MSV1_0.DLL) that determines whether username and password match information stored in the SAM database.

In addition other user-mode processes request services from the LSA such as the login process (WINLOGON.EXE) to authenticate username and passwords that are entered when interactive users logon and logoff.

Also, the network logon service (SERVICES.EXE) which responds to network logon requests also utilizes the LSA to verify authentication.

Disrupting the Local Security Authority halts almost all user-mode security authentication requiring a Windows NT host to be restarted.

Windows NT provides the ability to open and manipulate the LSA through a series of APIs. To programmatically manage the Local Security Policy of a local or remote system a session is established with that system's Local Security Authority. If a session is successfully established an LSA Policy handle will be returned for usage in all subsequent API calls.

One specific API LsaLookupSids() utilizes the LSA to map one or more SIDs of user accounts, group accounts, alias accounts or domains to names. Invalid arguments passed to this API are incorrectly verified causing the LSA process to reference invalid memory resulting in an application error."

VENDOR RESPONSE

Microsoft is aware of this issue and has released a FAQ, Support Online article Q248185, and patches for Intel and Alpha platforms.

CREDITS

Discovered by NAI