TUCoPS :: Windows :: krnl217.htm

WinNT 4.0 kernel local DoS 
COMMAND

    kernel

SYSTEMS AFFECTED

    WinNT 4.0

PROBLEM

    Following  is  based  on  a  Hypoclear  security advisory.  Before
    reading below, note that this  is only possbile with write  access
    to the  winnt/system32 directory.   If that  dir is  open to  read
    access there  are many  more problems...   We have  found that  in
    many  corporate/school/etc.  networks  which  run WinNT, leave the
    system32 directory open.   Maybe the issue  really isn't what  has
    been presented  below, however  this particular  vulnerability was
    fixed after SP4.  Now apparantly instead of allowing anyone access
    to  the  system,  it  trashes  it.   The  program  NT4ALL has been
    available for a few years...

    WindowsNT  SP6a  is  subject  to  a  local Denial of Service (DoS)
    attack, upon running "NT4ALL".  This particular vulnerability  has
    the  potential  to  permanently  damage  the   workstation/server,
    because  no  users  are  able  to  "log  on" to the computer after
    NT4ALL is run.

    NT4ALL is  a program  written by  9 and  was originaly  an exploit
    against WindowsNT SP4.  It's goal  is to "Let all the users  logon
    into the  NT machine  with any  password they  type from the local
    NT machine or from  other computers in the  same domain."  It  has
    been available publically for a few years.

    When   running   NT4ALL   the   user   (with   write   access   to
    /winnt/system32)  can  either  put  the  computer,  into  NT4ALL's
    "SPECIAL" or "NORMAL" mode.   Putting a WindowsNT machine  running
    SP6a into SPECIAL  mode and rebooting,  causes the machine  to not
    allow anyone (including Adminisrators) access to the computer.

    No login's are allowed  because the NT system  service "lsass.exe"
    crashes everytime  the machine  is rebooted  and the  login window
    pops-up.

    After attempting to repair the computer with the WindowsNT  cd-rom
    the machine would allow logins, however the machine ran  EXTREMELY
    slow.    All  available   CPU  ticks   were  being   consumed   by
    "SERVICES.EXE" and "lsass.exe".

    If testing this  vulnerability it is  highly recommended that  you
    backup all your data or test  on an unused machine.  In  all tests
    after running NT4ALL the computer will be virtually useless!

    This vulnerability has the  potential to be very  harmful, because
    NT4ALL can run quite invisibly, and if the payload is attached  to
    a  self-replicating  email  (like  many  macro  virus's), it could
    render a mass of workstations useless.

    Here are links to download NT4ALL from Packet Storm Security:

        http://packetstormsecurity.org/NT/hack/nt4all-101.zip
        http://packetstormsecurity.org/NT/hack/nt4all.zip

    (All tests were done with the original version of NT4ALL)

    So, run NT4ALL once (should put the machine in SPECIAL mode).  You
    can run NT4ALL with the /t  option to verify that SPECIAL mode  is
    on.  Reboot.  The computer will no longer allow ANYONE  (including
    administrators)  to  log  in.   The  problem  does  not seem to be
    reversed no matter how many reboots are attempted.

    If attempting  to repair  the OS  with the  Windows NT  cdrom, the
    computer  will  allow  for  logins,  but  run VERY slow.  (All CPU
    ticks are taken by SERVICES.EXE and lsass.exe).

    Actual credit here goes to  9, because he (she?) wrote  the NT4ALL
    program.

SOLUTION

    Disable  write  access  to  the  winnt/system32/ directory for all
    users  except  the  Adminsitrator,  until  a  vendor  solution  is
    provided.

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH