COMMAND

    lsass.exe

SYSTEMS AFFECTED

    WinNT

PROBLEM

    Karl Bolingbroke found the following.  There is a bug in SP5 of NT
    4.0 that allows you to crash LSASS (the security subsystem) on any
    SP4 or SP5 machine that has not been logged into since its last
    reboot.  This affects both NT Workstation and NT Server.  Once
    LSASS has crashed, nobody can log into the computer, either locally
    or over the network.  This also prevents a clean shutdown of an NT
    Server, since there is no way to shut down NT Server without a
    logon (either local or over the network).

    The steps to reproduce the problem are as follows:

        1- Prepare machine #1 with NT 4.0, SP5.
        2- Add the following registry  setting to force machine #1  to
           use NTLMv2:
             HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\LMCompatibilityLevel=3
        3- Prepare machine #2 with NT 4.0, SP4 or SP5.
        4- Reboot machine #2, and don't login to it, either locally or
           over the network.
        5- From machine #1, attempt to map a drive to machine #2.
        6- On machine #2, LSASS has now crashed.  If the machine was
           running SP5, you will immediately see an error message
           saying that LSASS crashed and giving you some details on
           the memory location, etc.

    If  the  machine  was  running  SP4,  you won't immediately see an
    error message.  If  you try to login,  it will give an  error.  If
    you shut down  the computer from  the login screen,  you will then
    see the LSASS error message.
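    What the registry setting in step 2 actually changes on the wire, as
    an added illustration (editor-supplied example code, not part of the
    original report and not a reproduction of the crash): at
    LMCompatibilityLevel=3 the client stops sending the DES-based LM and
    NTLMv1 responses and sends only NTLMv2 responses, each an HMAC-MD5
    keyed with NTOWFv2 over the server challenge and a client-built
    blob.  The level table follows Microsoft's documented meanings; the
    user, domain, computer name, challenges and timestamp below are
    constructed, and the MD4 routine is included because hashlib's MD4
    is often unavailable on OpenSSL 3 builds.  verify_ntlmv2 shows the
    check the server side performs; nothing here exercises the LSASS
    fault itself.

```python
import hashlib
import hmac
import struct

# Documented meaning of each LMCompatibilityLevel value for an NT client.
LM_COMPATIBILITY_LEVEL = {
    0: "LM and NTLMv1 responses",
    1: "LM and NTLMv1 responses; NTLMv2 session security if negotiated",
    2: "NTLMv1 response only",
    3: "NTLMv2 responses only (the setting used in step 2 above)",
    4: "NTLMv2 only; domain controller refuses LM",
    5: "NTLMv2 only; domain controller refuses LM and NTLMv1",
}


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF


def md4(data):
    """MD4 per RFC 1320 (hashlib's MD4 is missing on many OpenSSL 3 builds)."""
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", len(data) * 8)          # bit length, little-endian
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    hh = lambda x, y, z: x ^ y ^ z
    rounds = (
        (f, 0x00000000, range(16), (3, 7, 11, 19)),
        (g, 0x5A827999, (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13)),
        (hh, 0x6ED9EBA1, (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15)),
    )
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = h
        for fn, k, order, shifts in rounds:
            for i, idx in enumerate(order):
                v = (a + fn(b, c, d) + x[idx] + k) & 0xFFFFFFFF
                a, b, c, d = d, _rotl(v, shifts[i % 4]), b, c   # rotate roles
        h = [(s + t) & 0xFFFFFFFF for s, t in zip(h, (a, b, c, d))]
    return struct.pack("<4I", *h)


def ntowf_v1(password):
    """NT hash: MD4 over the UTF-16LE password; levels 0-2 derive DES keys from it."""
    return md4(password.encode("utf-16le"))


def ntowf_v2(password, user, domain):
    """NTOWFv2 = HMAC-MD5(NT hash, UTF-16LE(UPPER(user) + domain))."""
    return hmac.new(ntowf_v1(password),
                    (user.upper() + domain).encode("utf-16le"), hashlib.md5).digest()


def av_pair(av_id, value):
    """One AV_PAIR of the target info: little-endian id, byte length, value."""
    return struct.pack("<HH", av_id, len(value)) + value


def ntlmv2_responses(ntowf2, server_challenge, client_challenge, timestamp, target_info):
    """(NTLMv2 response, LMv2 response) as a level-3 client puts them in
    AUTHENTICATE_MESSAGE: a 16-byte HMAC-MD5 proof followed by the data it covers."""
    temp = (b"\x01\x01" + b"\x00" * 6 + struct.pack("<Q", timestamp)
            + client_challenge + b"\x00" * 4 + target_info + b"\x00" * 4)
    nt_proof = hmac.new(ntowf2, server_challenge + temp, hashlib.md5).digest()
    lm_proof = hmac.new(ntowf2, server_challenge + client_challenge, hashlib.md5).digest()
    return nt_proof + temp, lm_proof + client_challenge


def verify_ntlmv2(ntowf2, server_challenge, nt_response):
    """Server side: recompute the proof from the stored NTOWFv2 and the client's blob."""
    proof, temp = nt_response[:16], nt_response[16:]
    expected = hmac.new(ntowf2, server_challenge + temp, hashlib.md5).digest()
    return hmac.compare_digest(proof, expected)


def demo():
    """One constructed exchange: returns (nt_response, lm_response, server_accepts)."""
    server_challenge = bytes.fromhex("0123456789abcdef")   # constructed
    client_challenge = bytes.fromhex("aaaaaaaaaaaaaaaa")   # constructed
    target_info = (av_pair(0x0002, "DOMAIN".encode("utf-16le"))      # MsvAvNbDomainName
                   + av_pair(0x0001, "MACHINE2".encode("utf-16le"))  # MsvAvNbComputerName
                   + av_pair(0x0000, b""))                           # MsvAvEOL
    key = ntowf_v2("Password", "User", "DOMAIN")             # constructed credentials
    nt_resp, lm_resp = ntlmv2_responses(key, server_challenge, client_challenge, 0, target_info)
    return nt_resp, lm_resp, verify_ntlmv2(key, server_challenge, nt_resp)


if __name__ == "__main__":
    print("Level 3 client sends:", LM_COMPATIBILITY_LEVEL[3])
    nt, lm, ok = demo()
    print("NTLMv2 response:", nt.hex())
    print("LMv2 response:  ", lm.hex())
    print("server verifies:", ok)
```

    The point for this advisory is the shape of the exchange: a level-3
    client answers the server's 8-byte challenge with a variable-length
    NTLMv2 blob (proof plus timestamp, client challenge and target info)
    rather than two fixed 24-byte DES responses, and that is the only
    client-side change the reproduction steps make.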

SOLUTION

    Microsoft confirmed the problem and built a fix for it.  The fix
    is to be included in SP6.  The fix is not being released on the
    ftp site, but you can obtain it by calling Product Support at
    1-800-936-3500 and requesting the patch for WinSE bug 1449.  The
    KB article can be found at:

        http://support.microsoft.com/support/kb/articles/q236/4/14.ASP

    The workaround is hinted at in step 4: a machine is only vulnerable
    until someone has logged into it since its last reboot.  To ensure
    that machines are not vulnerable you must therefore, after every
    reboot, either:

        - log in locally at the console, or
        - have a connection made to an SMB share (IPC$ is sufficient)
          that does _not_ come from a machine that has
          LMCompatibilityLevel set to 0x3 (or the equivalent parameter
          if you are using non-Microsoft SMB clients).