lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
From: security at nsfocus.com (NSFOCUS Security Team)
Subject: NSFOCUS SA2004-01 : DoS Vulnerability in Microsoft Windows SPNEGO Protocol Decoding

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Topic:  DoS Vulnerability in Microsoft Windows SPNEGO Protocol Decoding

Release Date: 2004-04-14

CVE CAN ID: CAN-2004-0119

http://www.nsfocus.com/english/homepage/research/0401.htm

Affected Software and Systems:
===================
- - Microsoft Windows XP
- - Microsoft Windows 2000
- - Microsoft Windows 2003

Unaffected Software and Systems:
===================
- - Microsoft Windows 9x
- - Microsoft Windows NT

Summary:
=========

NSFOCUS Security Team has found there is a remote DoS vulnerability in the
SPNEGO protocol decoding function of Microsoft Windows system. Exploiting
the vulnerability remote attackers could cause Windows system to crash or
malfunction.

Description:
============

Simple and Protected GSS-API Negotiation Mechanism (SPNEGO) protocol is used
to negotiate which security mechanism should be adopted. Windows system
 allows various authentication mechanisms, it also uses SPNEGO protocol to
 implement the authentication mechanism negotiation between the clients and
 servers.

There is a security vulnerability when Windows system handles SPNEGO protocol
codes, which allows attackers to launch DoS attacks.

When a carefully crafted SPNEGO NegTokenInit request is sent, a null pointer
reference error might occur in LSASRV.DLL, resulting in LSASS.EXE crash. This
will make all the operations related to system authentication (such as
remote access to SMB share, or interactive local login) unavailable. For
Windows 2003, it will result in automatic shutting off or bluescreen.

Attackers can launch attacks through any service that uses SPNEGO, such as
TCP port 139, 445. By default IIS also negotiates which authentication
protocol  (for example, NTLM, Kerberos, etc)should be adopted by SPNEGO,
therefore, it's possible for attackers to launch attacks through IIS.

- From vendor's response the same type of malformed request could still
have triggered a buffer overflow issue in the subsequent code, if they were
to have only fixed the DoS issue.
Vendor's patch fixes both the DoS and buffer overflow issues.


Workaround:
=============

* Restrict access to the following ports from untrusted IPs at the firewall:

    445/UDP
    139/TCP
    445/TCP

 * For the system that is providing WEB service through IIS, either of the
   following methods can be used to mitigate the threat:

    1. Disable "Integrated windows authentication" in IIS service

    2. Disable authentication negotiation. Only allow authentication
       through NTLM by the following command:

       cscript adsutil.vbs set w3svc/NTAuthenticationProviders "NTLM"

       adsutil.vbs can be found in the adminscripts directory of IIS.
       More detail is available at:
       http://support.microsoft.com/?id=215383

Vendor Status:
==============

2004.02.19  Informed the vendor
2004.02.19  Vendor confirmed the vulnerability
2004.04.13  Microsoft released a security bulletin (MS04-011) and relative
            patches for the vulnerability.

Detailed information for the Microsoft security bulletin is available at:
http://www.microsoft.com/technet/security/bulletin/ms04-011.mspx

Additional Information:
========================

The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CAN-2004-0119 to this issue. This is a candidate for inclusion in the
CVE list (http://cve.mitre.org), which standardizes names for security
problems. Candidates may change significantly before they become official
CVE entries.

Acknowledgment:
===============

The vulnerability was found by Chen Qing of NSFOCUS Security Team.

DISCLAIMS:
==========
THE INFORMATION PROVIDED IS RELEASED BY NSFOCUS "AS IS" WITHOUT WARRANTY
OF ANY KIND. NSFOCUS DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED,
EXCEPT FOR THE WARRANTIES OF MERCHANTABILITY. IN NO EVENT SHALL NSFOCUS
BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT,
INCIDENTAL,CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES,
EVEN IF NSFOCUS HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
DISTRIBUTION OR REPRODUCTION OF THE INFORMATION IS PROVIDED THAT THE
ADVISORY IS NOT MODIFIED IN ANY WAY.

Copyright 1999-2004 NSFOCUS. All Rights Reserved. Terms of use.


NSFOCUS Security Team <security@...ocus.com>
NSFOCUS INFORMATION TECHNOLOGY CO.,LTD
(http://www.nsfocus.com)

PGP Key: http://www.nsfocus.com/homepage/research/pgpkey.asc
Key fingerprint = F8F2 F5D1 EF74 E08C 02FE  1B90 D7BF 7877 C6A6 aF6DA

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQFAfQid1794d8am9toRAgZPAJ4oK0WsPHkNZfGXmC6gFLtt1lPoAwCeOyKC
b12vDNxRHHb/rhfZkm5IDTU=
=e1nI
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists