COMMAND

    LSA

SYSTEMS AFFECTED

    WinNT (all versions)

PROBLEM

    The following is based on an NAI Labs report. An implementation
    flaw in the Local Security Authority subsystem of Windows NT, known
    as the LSA, allows either local or remote attackers to halt the
    processing of security information, requiring the host to be
    restarted. This new vulnerability affects all Windows NT 4.0 hosts,
    including those with Service Packs up to and including SP6a.

    The Local Security Authority is the center of the Windows NT
    security subsystem. The LSA is a user-mode process (LSASS.EXE) used
    to maintain the security information of a system, known as the
    Local Security Policy. The Local Security Policy is stored in the
    registry and includes such information as who has permission to
    access the system, who is assigned privileges, and what security
    auditing is performed. The majority of the security subsystem
    components run within the context of the LSASS process, including
    the Security Accounts Manager (SAM), which is responsible for
    maintaining the SAM database stored in the registry, and the
    default authentication package (MSV1_0.DLL), which determines
    whether a username and password match the information stored in
    the SAM database.

    In addition, other user-mode processes request services from the
    LSA, such as the logon process (WINLOGON.EXE), which uses it to
    authenticate the usernames and passwords entered when interactive
    users log on and log off. The network logon service (SERVICES.EXE),
    which responds to network logon requests, likewise relies on the
    LSA to verify authentication. Disrupting the Local Security
    Authority therefore halts almost all user-mode security
    authentication, requiring the Windows NT host to be restarted.

    Windows NT provides the ability to open and manipulate the LSA
    through a series of APIs. To programmatically manage the Local
    Security Policy of a local or remote system, a session is
    established with that system's Local Security Authority. If the
    session is successfully established, an LSA Policy handle is
    returned for use in all subsequent API calls. One specific API,
    LsaLookupSids(), uses the LSA to map one or more SIDs of user
    accounts, group accounts, alias accounts or domains to names.
    Invalid arguments passed to this API are not verified correctly,
    causing the LSA process to reference invalid memory and terminate
    with an application error.

    Discovery and documentation of this vulnerability was conducted by
    Anthony Osborne of the Security Labs at Network Associates.

SOLUTION

    Microsoft has issued a patch for this vulnerability, which can be
    obtained at the following address:

      x86:
        http://www.microsoft.com/downloads/release.asp?ReleaseID=16798
      Alpha:
        http://www.microsoft.com/downloads/release.asp?ReleaseID=16799

    Additional information can be found in Microsoft Knowledge Base
    article Q248185, "SID Enumeration Function in LSA May Not Handle
    Argument Properly":

        http://support.microsoft.com/support/kb/articles/q248/1/85.asp