REPOST: A damaging local DoS in WinNT SP6a

[hypoclear <hypoclear () jungle net>]

Before reading below, note that this is only 
possbile with write access to the winnt/system32 
directory.  As many have told me already today 
that if that dir is open to read access there are 
many more problems...  I have found that in many 
corporate/school/etc. networks which run WinNT, 
leave the system32 directory open.  Maybe the 
issue really isn't what I have presented, however 
I thought this particular vulnerability was fixed 
after SP4.  Now apparantly instead of allowing 
anyone access to the system, it trashes it.  The 
program NT4ALL has been available for a few 
years...

I'm only bringing this to light, because I think 
it could pose as a threat to many networks which 
run NT.  If anyone disagrees then just disregard.


The attached advisory can also be found at:
http://hypoclear.cjb.net/hypo_nt_dos.txt


---

        [[:hypoclear security advisory:]]


Vendor   :  Microsoft | http://www.microsoft.com
Product  :  Windows NT SP6a (and lower?)
Category :  Local DoS
Date     :  08-03-01


CONTENTS
1. Overview
2. Details
3. Exploit
4. Possible Solution
5. Vendor Response
6. Credits
7. Contact
8. Disclaimer


1. Overview:

WindowsNT SP6a is subject to a local Denial of 
Service (DoS) attack, upon running "NT4ALL".
This particular vulnerability has the potential to 
permanently damage the workstation/server,
because no users are able to "log on" to the 
computer after NT4ALL is run.



2. Details:

NT4ALL is a program written by 9 
(nine1001 () yahoo com) and was originaly an exploit 
against
WindowsNT SP4.  It's goal is to "Let all the users 
logon into the NT machine with any password 
they type from the local NT machine or from other 
computers in the same domain."  It has been
available publically for a few years.

When running NT4ALL the user (with write access to 
/winnt/system32) can either put the computer,
into NT4ALL's "SPECIAL" or "NORMAL" mode.  Putting 
a WindowsNT machine running SP6a into SPECIAL
mode and rebooting, causes the machine to not 
allow anyone (including Adminisrators)
access to the computer.

No login's are allowed because the NT system 
service "lsass.exe" crashes everytime the machine 
is
rebooted and the login window pops-up.

After attempting to repair the computer with the 
WindowsNT cd-rom the machine would allow logins,
however the machine ran EXTREMELY slow.  All 
available CPU ticks were being consumed by 
"SERVICES.EXE" and "lsass.exe".

NOTE: ***If testing this vulnerability it is 
highly recommended that you backup all your data 
or 
test on an unused machine.  In all my tests after 
running NT4ALL the computer will be virtually 
useless!***

This vulnerability has the potential to be very 
harmful, because NT4ALL can run quite invisibly,
and if the payload is attached to a 
self-replicating email (like many macro virus's), 
it could
render a mass of workstations useless.

Here are links to download NT4ALL from Packet 
Storm Security:
Newer version of NT4ALL:
http://packetstormsecurity.org/NT/hack/nt4all-101.
zip

Original version of NT4ALL:
http://packetstormsecurity.org/NT/hack/nt4all.zip

(All tests were done with the original version of 
NT4ALL)



3. Exploit

Run NT4ALL once (should put the machine in SPECIAL 
mode).  
Note: You can run NT4ALL with the /t option to 
verify that SPECIAL mode is on.
Reboot.
The computer will no longer allow ANYONE 
(including administrators) to log in.
The problem does not seem to be reversed no matter 
how many reboots are attempted.

If attempting to repair the OS with the Windows NT 
cdrom, the computer will allow for
logins, but run VERY slow.  (All CPU ticks are 
taken by SERVICES.EXE and lsass.exe).



4. Possible Solution

Disable write access to the winnt/system32/ 
directory for all users except the Adminsitrator,
until a vendor solution is provided.



5. Vendor Response

07-19-01: Problem sent to the Microsoft Security 
Response Center (MSRC), security () microsoft com
          They respond to the problem within a few 
hours.

07-23-01: After a few days of communication with 
MSRC they suggest I sent the problem to Microsoft
          Product Support Services (MPSS) because 
it is more of a stability issue.
          I sent the issue to MPSS via the URL 
http://support.microsoft.com/directory/feedback/en
try.asp,
          as suggested by MSRC.

07-30-01: After no response from MPSS I resend the 
problem and state that I planed to release an 
advisory
          on the problem within the next few days.

08-03-01: No response has been recieved from MPSS, 
so this advisory is being released.

An attempt has also been made to contact 9 about 
the NT4ALL program, after my original discovery, 
but 
he (she?) did not respond.




6. Credits

Actual credit here goes to 9, because he (she?) 
wrote the NT4ALL program.  All I did was be stupid 
enough
to run it and screw up one of my systems ;-)



7. Contact

Advisory written by hypoclear.
email     : hypoclear () jungle net
home page : http://hypoclear.cjb.net



8. Disclaimer

This advisory remains the property of hypoclear.
This advisory can be freely distributed in any 
form.  
If this advisory is distributed it must remain in 
its entirety.
Hypoclear is not responsible of any use/misuse of 
this advisory.

This and all of hypoclear's releases fall under 
his disclaimer, 
which can be found at: 
http://hypoclear.cjb.net/hypodisclaim.txt