COMMAND

    LSA

SYSTEMS AFFECTED

    WinNT 4.0 with SP1 + SP5 only (SP3 not installed).

PROBLEM

    NtWaK0 found the following.  After running some scanners on NT 4.0
    (SP1 + SP5, no hotfixes, Workstation and Server) he found out that
    LSA is vulnerable.  NtWaK0 installed the LSA3 hotfix, since it  is
    the latest fix for LSA, and got this error message:

        "CAPI: The install program could not open signature file"

    After the system rebooted, NtWaK0 ran the scanners again to  check
    for the vulnerability:  hmmm, it is the same, the old  Dr.  Watson
    coming up...

    These are the dates and sizes of the files inside  the "lsareqi.exe"
    from the MS site

        ftp://ftp.microsoft.com/bussys/winnt/winnt-public/fixes/usa/NT40/Hotfixes-PostSP5/LSA3-fix/

        05/13/99  05:32p               155,408 lsasrv.dll
        05/04/99  05:56p                10,000 lsass.exe

    Now the funny part here is the suggested  size and date based  on
    DOCUMENT:Q231457 (see document below).  This is the size and date
    after NtWaK0 installed LSA3 "lsareqi.exe" and got the error "CAPI:
    The install program could not open signature file"

            Directory of C:\WINNT\system32

        05/13/99  05:32p               155,408 LSASRV.DLL
        05/04/99  05:56p                10,000 LSASS.EXE
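
    The comparison above done mechanically, as an added example that is
    not part of the original advisory: it parses the two NT "dir"
    listings quoted on this page and reports, per file, whether the
    installed copy has the same date, time and size as the reference.
    The function names are hypothetical.

```python
import re
from datetime import datetime

# Listings copied from the advisory text above.
PACKAGE_LISTING = """\
05/13/99  05:32p               155,408 lsasrv.dll
05/04/99  05:56p                10,000 lsass.exe
"""
INSTALLED_LISTING = """\
        Directory of C:\\WINNT\\system32

05/13/99  05:32p               155,408 LSASRV.DLL
05/04/99  05:56p                10,000 LSASS.EXE
"""

# NT 4.0 `dir` file line: MM/DD/YY  HH:MMa|p  size-with-commas  name
DIR_LINE = re.compile(
    r"^\s*(\d{2}/\d{2}/\d{2})\s+(\d{2}:\d{2})([ap])\s+([\d,]+)\s+(\S.*?)\s*$"
)

def parse_dir(listing):
    """Return {lowercased name: (timestamp, size)} for file lines only."""
    files = {}
    for line in listing.splitlines():
        m = DIR_LINE.match(line)
        if not m:
            continue  # headers, blank lines, <DIR> entries
        date, clock, ampm, size, name = m.groups()
        stamp = datetime.strptime(f"{date} {clock}{ampm}m", "%m/%d/%y %I:%M%p")
        files[name.lower()] = (stamp, int(size.replace(",", "")))
    return files

def compare(reference, installed):
    """Map each reference file to 'match', 'differs' or 'missing'."""
    result = {}
    for name, meta in reference.items():
        if name not in installed:
            result[name] = "missing"
        else:
            result[name] = "match" if installed[name] == meta else "differs"
    return result

if __name__ == "__main__":
    for name, status in compare(parse_dir(PACKAGE_LISTING),
                                parse_dir(INSTALLED_LISTING)).items():
        print(f"{name}: {status}")
```

    Both files come back as "match" for the listings on this page.  The
    Q231457 values are not reproduced here; they can be passed as the
    reference listing in the same way.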

SOLUTION

    Here it is:

        1- Lots of coffee
        2- Ask yourself and MS, how come the files inside the
           "lsareqi.exe" file do not match the "DOCUMENT:Q231457"?
        3- Try the same file on another NT 4.0 box with SP1 + SP3 +
           SP5 installed and you will not have the same error.  So the
           link here is SP3...  If you jump from SP1 directly to SP5
           you will see some fuckup when you install LSA3, and you
           will be vulnerable to the LSA attack.
        4- After you try to re-install all the hotfixes for SP5 you
           still cannot receive the same error and are still vulnerable
           and still see the old Dr. Watson...
        5- Well, you cannot install SP3 now on a box with SP5 and
           you are not going to re-install NT again.
        6- Delete all the entries under

           "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix"

        7- Delete all the directories that refer to the hotfixes

           "C:\WINNT\$NtUninstallQ230677$" etc...

        8- Install the SP5 128-bit version

           "05/19/99  02:21p  34,557,432 MSNT128.EXE"

        9- Install all the other SP5 hotfixes including

           "08/10/99  01:41p 231,264 lsareqi.exe"

       10- Reboot for the last time and check again for the LSA
           vulnerability - well, it is gone...

    So to sum up: if you have SP1 and you jumped directly to SP5, check
    your LSA, and if you get the same error, do the same steps and  you
    will eliminate it...