BugTraq
Securify bulletin: Microsoft Active Directory Denial-of-service Jun 13 2008 04:44PM
Securify Bulletins (bulletins Securify com) (1 replies)
SECURIFY Bulletin: Active Directory Denial-of-service
=====================================================

I. SUMMARY:

SECURIFY has discovered a denial-of-service vulnerability in Microsoft
Active Directory (AD) in which a domain user sending a specially-crafted
LDAP request causes the Active Directory server to initiate a controlled
restart. Specific products and versions affected and the hotfixes for
them are detailed in Microsoft Security Bulletin MS08-035 (953235).
This vulnerability has been assigned CVE-2008-1445.

II. SYMPTOMS:

After receiving the LDAP request, the AD server returns a partial list
of the requested data to the client. After an additional minute or so,
Windows initiates a controlled restart with a 60-second countdown
timer. The shutdown dialog box displays status code -1073741819.

After restarting, errors similar to the following are found in the
application event log:

Type: Error
Source: Application Error
Category: (100)
Event ID: 1000
Description: Faulting application lsass.exe, version <version>,
faulting module authz.dll, version <version>, fault address
0x00001d8f

Type: Error
Source: Winlogon
Category: None
Event ID: 1015
Description: A critical system process, C:\Windows\system32\lsass.exe,
failed with status code c0000005. The machine must now be restarted.

Type: Information
Source: Application Error
Category: (100)
Event ID: 1004
Description: Reporting queued error:
Faulting application lsass.exe, version <version>,
faulting module authz.dll, version <version>, fault address
0x00001d8f

Errors similar to the following are recorded in the Directory Service
event log:

Type: Error
Source: NTDS General
Category: Internal Processing
Event ID: 1168
Description: Internal error: An Active Directory error has occurred.
Additional Data:
Error value (decimal): 8411
Error value (hex): 20db
Internal ID: 3151e4a

Type: Warning
Source: NTDS General
Category: Internal Processing
Event ID: 1173
Description: Internal event: Active Directory has encountered the
following exception and associated parameters:
Exception: c0000005
Parameter: 0
Additional Data:
Error value: 76c41d8f
Internal ID: 0
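
The symptoms above are a usable detection signature: an lsass.exe crash
in authz.dll paired with an NTDS General internal error on the same
domain controller. The following is an added example, not part of the
Securify bulletin, that parses records written in the "Key: Value" layout
used above and flags that combination. The sample log is constructed from
the bulletin's own entries (with the <version> placeholders kept as
printed); the function names and the record layout are this example's
assumptions, while the event IDs, sources and status values come from the
bulletin.

```python
"""Correlate the event-log symptoms listed in the Securify bulletin for
CVE-2008-1445 (MS08-035). Added example; not Securify's or Microsoft's
code. Record layout and function names are assumptions of this example."""
import re
from typing import Dict, List, Optional

# Constructed sample: the bulletin's SYMPTOMS entries in "Key: Value" form.
# A real Event Viewer text export would need its own field mapping.
SAMPLE_LOG = """\
Type: Error
Source: Application Error
Category: (100)
Event ID: 1000
Description: Faulting application lsass.exe, version <version>,
faulting module authz.dll, version <version>, fault address
0x00001d8f

Type: Error
Source: Winlogon
Category: None
Event ID: 1015
Description: A critical system process, C:\\Windows\\system32\\lsass.exe,
failed with status code c0000005. The machine must now be restarted.

Type: Error
Source: NTDS General
Category: Internal Processing
Event ID: 1168
Description: Internal error: An Active Directory error has occurred.
Additional Data:
Error value (decimal): 8411
Error value (hex): 20db
Internal ID: 3151e4a

Type: Warning
Source: NTDS General
Category: Internal Processing
Event ID: 1173
Description: Internal event: Active Directory has encountered the
following exception and associated parameters:
Exception: c0000005
Parameter: 0
"""

HEADER_RE = re.compile(r"^(Type|Source|Category|Event ID): (.*)$")


def parse_events(text: str) -> List[Dict[str, str]]:
    """Split blank-line-separated records into dicts; everything after the
    Description: line (including the Additional Data block) is folded into
    a single Description string so it can be searched as one unit."""
    events: List[Dict[str, str]] = []
    for block in re.split(r"\n\s*\n", text.strip()):
        event: Dict[str, str] = {}
        desc_lines: List[str] = []
        in_desc = False
        for line in block.splitlines():
            if in_desc:
                desc_lines.append(line.strip())
                continue
            m = HEADER_RE.match(line)
            if m:
                event[m.group(1)] = m.group(2).strip()
            elif line.startswith("Description:"):
                in_desc = True
                desc_lines.append(line[len("Description:"):].strip())
        event["Description"] = " ".join(l for l in desc_lines if l)
        events.append(event)
    return events


def classify(event: Dict[str, str]) -> Optional[str]:
    """Map one event to a symptom label from the bulletin, or None."""
    src = event.get("Source")
    eid = event.get("Event ID")
    desc = event.get("Description", "").lower()
    if src == "Application Error" and eid in ("1000", "1004") \
            and "lsass.exe" in desc and "authz.dll" in desc:
        return "lsass_crash_in_authz"
    if src == "Winlogon" and eid == "1015" \
            and "lsass.exe" in desc and "c0000005" in desc:
        return "lsass_critical_failure"
    if src == "NTDS General" and eid == "1168" and "8411" in desc:
        return "ntds_internal_error_8411"
    if src == "NTDS General" and eid == "1173" \
            and "exception: c0000005" in desc:
        return "ntds_exception_c0000005"
    return None


def correlate(text: str) -> Dict[str, object]:
    """Return the symptom labels found and whether the LSASS crash and an
    NTDS internal error co-occur, which is the bulletin's full signature."""
    labels = {lbl for lbl in map(classify, parse_events(text)) if lbl}
    lsass = {"lsass_crash_in_authz", "lsass_critical_failure"} & labels
    ntds = {"ntds_internal_error_8411", "ntds_exception_c0000005"} & labels
    return {"symptoms": sorted(labels),
            "likely_cve_2008_1445": bool(lsass and ntds)}


if __name__ == "__main__":
    print(correlate(SAMPLE_LOG))
```

The pairing is a triage hint rather than proof: lsass.exe can fault in
authz.dll for other reasons, so a hit should be read together with the
domain controller's hotfix state and its LDAP access logs.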

III. SOLUTION:

Apply the hotfix referenced in the Microsoft bulletin.

IV. WORKAROUNDS:

Block TCP ports 389 and 3268 to your Active Directory server from
untrusted sources.

V. ADDITIONAL DETAILS:

The special LDAP request that triggered the restart was a byproduct of
internal development work and was provided to Microsoft immediately upon
discovery. No further research into this vulnerability has been
conducted by SECURIFY.

VI. TIMELINE:

2007-12-08 Initial contact and response from Microsoft PSS
2007-12-27 Initial contact attempt to Microsoft Security Response Center
2008-01-08 Second contact attempt to Microsoft Security Response Center
2008-02-11 Initial response from Microsoft Security Response Center
2008-06-10 Hotfix made publicly available by Microsoft

VII. REFERENCES:

Microsoft Security Bulletin MS08-035 (953235)
(http://www.microsoft.com)

CVE-2008-1445 (http://cve.mitre.org/)

VIII. CREDIT:

John Guzik, SECURIFY, INC
Alex Matthews, SECURIFY, INC

IX. About SECURIFY:

http://www.securify.com/

Securify's identity-driven, network-based approach leverages existing
infrastructures to deliver a cost-effective way to discover and control
access and behavior broadly across networks as well as systems.

RE: Securify bulletin: Microsoft Active Directory Denial-of-service Jun 13 2008 06:31PM
Michael Wojcik (Michael Wojcik MicroFocus com)