
J-Security Center

Title: Microsoft Windows LSASS Buffer Overrun Vulnerability

Severity: CRITICAL

Description:

Microsoft Windows LSASS (Local Security Authority Subsystem Service) is prone to a remotely exploitable stack-based buffer overrun vulnerability. This service provides various operating system facilities such as client/server local and domain authentication and support for Active Directory features.

It is possible to trigger this condition by sending a malformed message to the service, which could occur remotely or locally via a component that passes information to LSASS. The specific vulnerable system component is LSASRV.DLL. This issue is present within the Active Directory service functions which are exposed through the LSASS DCE/RPC endpoint. The vulnerable functionality is reportedly accessible over the LSARPC named pipe via TCP ports 139 and 445, though other RPC-related TCP/UDP ports should not be ruled out. The cause of the issue is insufficient bounds checking by vsprintf() calls in the DsRolepLogPrintRoutine() API within the Active Directory debug logging facilities. Particular RPC functions accept excessive user-specified input and pass it to the vulnerable calls when the log is written. The log file created by the logging facilities is named "DCPROMO.LOG" and lives in the Windows "debug" subdirectory.

There are a few factors that may complicate this vulnerability under normal circumstances. In particular, if the output directory for the debug log file is on an NTFS file system, it may not be written to by an unprivileged user and the execution path required to exploit this issue will not be followed. Specifically, the RpcImpersonateClient() API may be called when exploitation occurs and if this fails then the log may not be written. However, there are some ways to circumvent the call to the RpcImpersonateClient() API. Through the undocumented DsRolerUpgradeDownlevelServer() function on Windows 2000 and XP, it is possible to circumvent the problematic API call to pass malicious data directly to the affected vsprintf() routine by calling the DsRolepInitializeLog() API directly. As a result, DsRolerUpgradeDownlevelServer() may be used to trigger the overrun both locally and across the network.
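The defect class described above, a debug-log routine that formats caller-supplied arguments into a fixed-size stack buffer with vsprintf(), is illustrated by the added example below. It is not code from the advisory, from LSASRV.DLL or from Microsoft; the function names, the 64-byte buffer and the 200-byte sample argument are assumptions made for the illustration. The unbounded variant is shown only for contrast with the bounded one, which uses vsnprintf() and refuses lines that would not fit.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Fixed-size stack buffer for one log line. The size is an assumption for
 * this illustration, not a value taken from LSASRV.DLL. */
#define LOG_LINE_MAX 64

/* Vulnerable pattern: vsprintf() takes no destination size, so whatever
 * length the caller's arguments produce is written into 'line'. With
 * oversized input this overruns the stack frame. Shown only for contrast;
 * it is never called with untrusted input here. */
static void log_print_unbounded(const char *fmt, ...)
{
    char line[LOG_LINE_MAX];
    va_list ap;

    va_start(ap, fmt);
    vsprintf(line, fmt, ap);          /* no bound on bytes written */
    va_end(ap);
    fputs(line, stderr);
}

/* Hardened pattern: vsnprintf() never writes more than sizeof line bytes and
 * reports how many bytes the full line would have needed. Returns 0 on
 * success, 1 if the line was too long and was refused, -1 on a format
 * error. Refusing rather than silently truncating keeps the log honest and
 * makes the oversized input visible to whoever reviews it. */
static int log_print_bounded(const char *fmt, ...)
{
    char line[LOG_LINE_MAX];
    va_list ap;
    int needed;

    va_start(ap, fmt);
    needed = vsnprintf(line, sizeof line, fmt, ap);
    va_end(ap);

    if (needed < 0)
        return -1;
    if ((size_t)needed >= sizeof line) {
        fprintf(stderr, "log line rejected: %d bytes exceeds %zu-byte limit\n",
                needed, sizeof line - 1);
        return 1;
    }
    fputs(line, stderr);
    return 0;
}

/* Constructed sample argument: a 200-byte "server name", standing in for the
 * excessive RPC-supplied input the advisory describes. */
static const char *oversized_name(void)
{
    static char name[201];
    memset(name, 'A', sizeof name - 1);
    name[sizeof name - 1] = '\0';
    return name;
}

int main(void)
{
    log_print_unbounded("promotion log opened by %s\n", "setup");  /* fits */
    log_print_bounded("promoting server %s\n", "dc01");            /* fits */
    log_print_bounded("promoting server %s\n", oversized_name());  /* refused */
    return 0;
}
```

The check that matters is the comparison of vsnprintf()'s return value against the buffer size: the bounded routine learns that 200 bytes would not fit and returns 1 without touching memory past the buffer, whereas the unbounded routine has no way to learn this at all.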

Successful exploitation of this issue could allow a remote attacker to execute malicious code on a vulnerable system, resulting in full system compromise.

This issue could be exploited by an anonymous user on Microsoft Windows 2000 and XP operating systems. The issue may reportedly only be exploited by local, authenticated users on Microsoft Windows Server 2003 and Microsoft Windows XP 64-Bit Edition 2003. Microsoft has stated that a local administrator could exploit the issue on these platforms, though this does not appear to pose any additional security risk since the administrator will likely already have complete control over the system. Symantec is investigating this detail and this BID will be updated when further information regarding local exploitation on these platforms is available.

** A worm named W32.Sasser.Worm (MCID 2911) that exploits this vulnerability is currently in the wild. The worm does not appear to carry a malicious payload but is spreading rapidly.

** Exploit code has been released that targets a buffer overrun in the FTPD component of W32.Sasser.Worm (and variants), reachable via TCP port 5554. This exploit is designed to allow attackers to gain remote access to hosts that have already been compromised by variants of the worm.

** Update (05/13/2004): A worm, tentatively named W32.Dabber.Worm (MCID 2955), has been discovered in the wild that exploits the buffer overflow vulnerability in the FTP server implemented by W32.Sasser.Worm. The worm installs a backdoor on infected hosts.

Affected Products:

  • Avaya DefinityOne Media Servers
  • Avaya IP600 Media Servers
  • Avaya S3400 Message Application Server
  • Avaya S8100 Media Servers
  • Microsoft Windows 2000 Advanced Server
  • Microsoft Windows 2000 Advanced Server SP1
  • Microsoft Windows 2000 Advanced Server SP2
  • Microsoft Windows 2000 Advanced Server SP3
  • Microsoft Windows 2000 Advanced Server SP4
  • Microsoft Windows 2000 Datacenter Server
  • Microsoft Windows 2000 Datacenter Server SP1
  • Microsoft Windows 2000 Datacenter Server SP2
  • Microsoft Windows 2000 Datacenter Server SP3
  • Microsoft Windows 2000 Datacenter Server SP4
  • Microsoft Windows 2000 Professional
  • Microsoft Windows 2000 Professional SP1
  • Microsoft Windows 2000 Professional SP2
  • Microsoft Windows 2000 Professional SP3
  • Microsoft Windows 2000 Professional SP4
  • Microsoft Windows 2000 Server
  • Microsoft Windows 2000 Server SP1
  • Microsoft Windows 2000 Server SP2
  • Microsoft Windows 2000 Server SP3
  • Microsoft Windows 2000 Server SP4
  • Microsoft Windows Server 2003 Datacenter Edition
  • Microsoft Windows Server 2003 Datacenter Edition Itanium
  • Microsoft Windows Server 2003 Enterprise Edition
  • Microsoft Windows Server 2003 Enterprise Edition Itanium
  • Microsoft Windows Server 2003 Standard Edition
  • Microsoft Windows Server 2003 Web Edition
  • Microsoft Windows XP 64-bit Edition
  • Microsoft Windows XP 64-bit Edition SP1
  • Microsoft Windows XP 64-bit Edition Version 2003
  • Microsoft Windows XP 64-bit Edition Version 2003 SP1
  • Microsoft Windows XP Home
  • Microsoft Windows XP Home SP1
  • Microsoft Windows XP Professional
  • Microsoft Windows XP Professional SP1

References: