Reported October 3, 2000 by Bindview RAZOR

VERSIONS AFFECTED
  • Windows NT, Windows 2000

DESCRIPTION

Multiple vulnerabilities have been discovered in the implementation of LPC ports.  These vulnerabilities range from denial of service attacks to privilege escalation and affect Windows NT up to and including service pack 6a and Windows 2000 up to and including service pack 1.

Mostly undocumented, LPC ports are used as an inter-process communication mechanism by Windows NT and Windows 2000.

DEMONSTRATION

The first vulnerability affects Windows NT 4.0 up to and including service pack 6a only.  By discovering the pid, tid, and mid of an outstanding connection request, a malicious user is able to hijack the connection by supplying an LPC_MSG with the correct pid, tid, and mid parameters.

The second vulnerability is also a Windows NT 4.0 SP6.0a issue.  A variation of the first vulnerability allows an attacker to cause a blue screen of death (BSOD).

The third vulnerability, also affecting only Windows NT 4.0 SP6.0a, is another denial of service attack resulting in a blue screen of death.  If a client connects to a specific LPC process and sends garbage text, the Windows NT machine will suffer a BSOD.

Vulnerability number four affects both Windows NT and Windows 2000.  This vulnerability can be used for a variety of denial of service attacks and could even be exploited to gain privileges.

The fifth vulnerability is somewhat similar to a previous LPC Ports vulnerability also reported by Bindview RAZOR.  A malicious user could exploit a flaw in LPC ports and impersonate any arbitrary process, gaining elevated privileges.  This is possible on both Windows NT and Windows 2000.  Not only could an attacker elevate his privileges; a similar vulnerability can also be used to read from and write to any other process.

Finally, the sixth and last vulnerability is a denial of service that can be performed on both Windows NT and Windows 2000.  By exploiting the design of LPC ports, a malicious user could cause all available memory to be consumed.

Complete information plus proof of concept code has been made available at: http://razor.bindview.com/publish/advisories

VENDOR RESPONSE

Microsoft has released a security bulletin, MS00-070, available at: http://www.microsoft.com/technet/security/bulletin/MS00-070.asp

Microsoft has also released hot-fixes, available for Windows NT at: http://www.microsoft.com/Downloads/Release.asp?ReleaseID=24650 and for Windows 2000 at: http://www.microsoft.com/Downloads/Release.asp?ReleaseID=24649

CREDIT
Discovered by
Todd Sabin, Bindview RAZOR Team