<<< Date Index >>>     <<< Thread Index >>>

Securify bulletin: Microsoft Active Directory Denial-of-service



SECURIFY Bulletin: Active Directory Denial-of-service
=====================================================

I. SUMMARY:

  SECURIFY has discovered a denial-of-service vulnerability in Microsoft
Active Directory (AD) in which a domain user sending a specially-crafted
LDAP request causes the Active Directory server to initiate a controlled
restart.  Specific products and versions affected and the hotfixes for
them are detailed in Microsoft Security Bulletin MS08-035 (953235).
This vulnerability has been assigned CVE-2008-1445.

II. SYMPTOMS:

  After receiving the LDAP request, the AD server returns a partial list
of the requested data to the  client.  After an additional minute or so,
the Windows initiates a controlled restart with a 60-second countdown
timer.  The shutdown dialog box displays status code -1073741819.

  After restarting, errors similar to the following are found in the
application event log:
  
    Type: Error
    Source: Application Error
    Category: (100)
    Event ID: 1000
    Description: Faulting application lsass.exe, version <version>, 
      faulting module authz.dll, version <version>, fault address
0x00001d8f

    Type: Error
    Source: Winlogon
    Category: None
    Event ID: 1015
    Description: A critical system process,
C:\Windows\system32\lsass.exe,
      failed with status code c0000005.  The machine must now be
restarted.

    Type: Information
    Source: Application Error
    Category: (100)
    Event ID: 1004
    Description: Reporting queued error: 
      Faulting application lsass.exe, version <version>, 
      faulting module authz.dll, version <version>, fault address
0x00001d8f

  Errors similar to the following are recorded in the Directory Service
event log:

    Type: Error
    Source: NTDS General
    Category: Internal Processing
    Event ID: 1168
    Description: Internal error: An Active Directory error has occurred.
    Additional Data:
      Error value (decimal): 8411
      Error value (hex): 20db
      Internal ID: 3151e4a

    Type: Warning
    Source: NTDS General
    Category: Internal Processing
    Event ID: 1173
    Description: Internal event: Active Directory has encountered the
following
      exception and associated parameters:
      Exception: c0000005
      Parameter: 0
      Additional Data:
      Error value: 76c41d8f
      Internal ID: 0


III. SOLUTION:

  Apply the hotfix referenced in the Microsoft bulletin.


IV. WORKAROUNDS:

  Block TCP ports 389 and 3268 to your Active Directory server from
untrusted sources.


V. ADDITIONAL DETAILS:

  The special LDAP request that triggered the restart was a byproduct of
internal development work and was provided to Microsoft immediately upon
discovery.  No further research into this vulnerability has been
conducted by SECURIFY.


VI. TIMELINE:

  2007-12-08  Initial contact and response from Microsoft PSS
  2007-12-27  Initial contact attempt to Microsoft Security Response
Center
  2008-01-08  Second contact attempt to Microsoft Security Response
Center
  2008-02-11  Initial response from Microsoft Security Response Center
  2008-06-10  Hotfix made publicly available by Microsoft


VII. REFERENCES:

  Microsoft Security Bulletin MS08-035 (953235)
(http://www.microsoft.com)

  CVE-2008-1445 (http://cve.mitre.org/)

VIII. CREDIT:

  John Guzik, SECURIFY, INC
  Alex Matthews, SECURIFY, INC

IX. About SECURIFY:

  http://www.securify.com/

Securify's identity-driven, network-based approach leverages existing
infrastructures to deliver a cost-effective way to discover and control
access and behavior broadly across networks as well as systems.