COMMAND

    lsass.exe

SYSTEMS AFFECTED

    Win NT 4.0 (WKS, S, EE, TSE)

PROBLEM

    Mnemonix found the following.  LSASS.EXE demonstrates a number of
    problems that can be exploited through a null session, causing a
    Denial of Service attack.  The LSA can only handle 2048 open SAMR
    pipes.  What's more, garbage can be written to the pipe that causes
    lsass.exe to begin eating all available memory.  An attacker could
    open 2048 SAMR pipes and then fill the last with garbage.  The
    consequence of this is that no-one can log on and the server, as
    memory becomes scarce, begins to droop and slow, with the LSA
    eventually not being able to keep track of open resources (see "In
    Use" in Server Manager) and processor usage rising c.65% above the
    base level.  This affects NT Server 4 and NT Workstation 4 up to SP3.

    To demonstrate this problem, Mnemonix has created an executable
    called ubend.exe (pun on pipes and abend [cheers Sam Thornton of
    Diligence]).  This is available for download from:

        http://www.globalnet.co.uk/~mnemonix/ubend.zip
        http://www.infowar.co.uk/mnemonix/utils.htm

    or

        mailto:mnemonix@globalnet.co.uk

    NOTE: It seems that there is a max of 2048 pipes, irrespective of
          what the pipes are: you can open 1028 spoolss and 1020 lsarpc
          and then any attempt to open any other kind of pipe fails.
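    The problem description and the note above make one point that
    matters for monitoring: the LSA's limit is a single global budget
    of 2048 open pipes, shared across every pipe name, so a per-name
    count (spoolss, lsarpc, samr ...) never sees the exhaustion coming.
    The following is an added example, not code from the advisory or
    from Mnemonix: a small defender-side monitor that tracks live pipe
    handles against that global ceiling and flags any single client
    holding an unusual number of them.  The event format it reads is
    constructed for the example (NT 4 emits no such log natively), and
    the 80% warning level and 64-pipe per-client limit are assumptions.

```python
from collections import defaultdict

# From the advisory: the LSA cannot hold more than 2048 open pipes, and
# the budget is shared across all pipe names rather than per name.
LSA_PIPE_CEILING = 2048
# Assumed thresholds (not from the advisory): warn at 80% of the ceiling,
# and treat a single client holding more than 64 pipes as suspicious.
WARN_FRACTION = 0.8
PER_CLIENT_LIMIT = 64


class PipeMonitor:
    """Track live named-pipe handles from a constructed event stream.

    Each event line has the form "<ts> <client> OPEN|CLOSE <pipe> <handle>".
    This format is invented for the example; it is not an NT 4 log format.
    """

    def __init__(self, ceiling=LSA_PIPE_CEILING,
                 warn_fraction=WARN_FRACTION,
                 per_client_limit=PER_CLIENT_LIMIT):
        self.ceiling = ceiling
        self.warn_at = int(ceiling * warn_fraction)
        self.per_client_limit = per_client_limit
        self.open_pipes = {}                 # handle -> (client, pipe name)
        self.per_client = defaultdict(int)   # client -> live handle count
        self.alerts = []                     # (ts, kind, subject, count)
        self._raised = set()                 # (kind, subject) already alerted

    def process(self, line):
        ts, client, action, pipe, handle = line.split()
        if action == "OPEN":
            if handle in self.open_pipes:
                raise ValueError(f"duplicate handle {handle}")
            # counted regardless of pipe name: the ceiling is global
            self.open_pipes[handle] = (client, pipe)
            self.per_client[client] += 1
            self._check(ts, client)
        elif action == "CLOSE":
            owner, _ = self.open_pipes.pop(handle, (None, None))
            if owner is not None:
                self.per_client[owner] -= 1
                # re-arm alerts once the condition has actually cleared
                if self.per_client[owner] <= self.per_client_limit:
                    self._raised.discard(("client-limit", owner))
                if len(self.open_pipes) < self.warn_at:
                    self._raised.discard(("global-ceiling", "lsa"))
        else:
            raise ValueError(f"unknown action {action!r}")

    def _alert(self, ts, kind, subject, count):
        key = (kind, subject)
        if key not in self._raised:       # one alert per condition
            self._raised.add(key)
            self.alerts.append((ts, kind, subject, count))

    def _check(self, ts, client):
        if self.per_client[client] > self.per_client_limit:
            self._alert(ts, "client-limit", client, self.per_client[client])
        if len(self.open_pipes) >= self.warn_at:
            self._alert(ts, "global-ceiling", "lsa", len(self.open_pipes))

    def total_open(self):
        return len(self.open_pipes)

    def open_by_client(self, client):
        return self.per_client[client]


def build_sample_events():
    """Constructed stream: two ordinary clients and one that hoards pipes."""
    events = []
    for i in range(3):                       # open, use, close: normal
        events.append(f"10:00:0{i} ws01 OPEN spoolss h-ws01-{i}")
        events.append(f"10:00:0{i} ws01 CLOSE spoolss h-ws01-{i}")
    events.append("10:00:05 ws02 OPEN samr h-ws02-0")
    for i in range(100):                     # mixed names, never closed
        pipe = "spoolss" if i % 2 == 0 else "lsarpc"
        events.append(f"10:01:{i % 60:02d} badhost OPEN {pipe} h-bad-{i}")
    return events


def run_monitor(events, **kwargs):
    mon = PipeMonitor(**kwargs)
    for line in events:
        mon.process(line)
    return mon


if __name__ == "__main__":
    mon = run_monitor(build_sample_events())
    print(f"live pipes: {mon.total_open()} / {mon.ceiling}")
    for alert in mon.alerts:
        print("ALERT", *alert)
```

    Because the monitor counts every pipe name into one total, a host
    splitting its opens between spoolss and lsarpc (as the note
    describes) is caught the same way as one opening only SAMR pipes;
    lowering `ceiling` in `run_monitor` shows the global warning firing
    well before the budget is gone.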

SOLUTION

    Microsoft has published Knowledge Base article Q195733.  It has
    also posted hot fixes to address this problem.  Fix for the x86
    version of Microsoft Windows NT Workstation 4.0, Microsoft Windows
    NT Server 4.0 and Microsoft Windows NT Server 4.0, Enterprise Edition:

        ftp://ftp.microsoft.com/bussys/winnt/winnt-public/fixes/usa/NT40/hotfixes-postSP4/nprpc-fix/nprpcfxi.exe

    Fix for the Alpha version of Microsoft Windows NT Workstation 4.0,
    Microsoft Windows NT Server 4.0 and Microsoft Windows NT Server 4.0,
    Enterprise Edition:

        ftp://ftp.microsoft.com/bussys/winnt/winnt-public/fixes/usa/NT40/hotfixes-postSP4/nprpc-fix/nprpcfxa.exe

    The fix for Microsoft Windows NT Server 4.0, Terminal Server Edition
    will be released shortly.  When it is available, MS will carry an
    announcement that provides the location of the fix.