SECURITYVULNS:DOC:1589
May 10, 2001 - 12:00 a.m.

def-2001-24: Windows 2000 Kerberos DoS


======================================================================
Defcom Labs Advisory def-2001-24

               Windows 2000 Kerberos DoS

Author: Peter Gründl <[email protected]>
Release Date: 2001-05-09

------------------------=[Brief Description]=-------------------------
The Kerberos service and Kerberos password service contain a flaw that
could allow a malicious attacker to cause a Denial of Service on the
Kerberos service, thus making all domain authentication impossible.

------------------------=[Affected Systems]=--------------------------

  • Windows 2000 Server
  • Windows 2000 Advanced Server
  • Windows 2000 Datacenter Server

----------------------=[Detailed Description]=------------------------
Creating a connection to the Kerberos service and then disconnecting
again, without reading from the socket, causes the LSA subsystem to
leak memory. After about 4000 connections the Kerberos service will
stop accepting connections to TCP ports 88 (kerberos) and 464
(kpasswd) and all domain authentication will effectively have died
(if the target was a domain controller).

It requires a reboot to recover from the attack.
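
Added example (not part of the Defcom advisory): one way to spot the
connection pattern described above in flow records before the count
nears the roughly 4000 connections cited. The flow-line format, the
zero-payload and duration criteria, and the 25% alert fraction are
assumptions made for this example.

```python
from collections import Counter

KDC_PORTS = {88, 464}        # kerberos and kpasswd, as named in the advisory
EXHAUSTION_POINT = 4000      # "about 4000 connections", per the advisory
ALERT_FRACTION = 0.25        # assumption: alert at a quarter of that figure


def parse_flow(line):
    """Parse a constructed flow line: 'src dst_port client_bytes duration_ms'."""
    src, dport, client_bytes, duration_ms = line.split()
    return src, int(dport), int(client_bytes), int(duration_ms)


def empty_kdc_connections(lines, max_duration_ms=1000):
    """Count, per source, short connections to 88/464 that sent no request."""
    counts = Counter()
    for line in lines:
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        src, dport, client_bytes, duration_ms = parse_flow(line)
        if dport in KDC_PORTS and client_bytes == 0 and duration_ms <= max_duration_ms:
            counts[src] += 1
    return counts


def assess(lines):
    """Flag sources, and the total, once they reach the alert limit."""
    counts = empty_kdc_connections(lines)
    limit = int(EXHAUSTION_POINT * ALERT_FRACTION)
    total = sum(counts.values())  # assumption: count cumulatively across sources
    return {
        "limit": limit,
        "total": total,
        "total_alert": total >= limit,
        "noisy_sources": sorted(s for s, n in counts.items() if n >= limit),
    }


def build_sample():
    """Constructed flow records for illustration; not real traffic."""
    lines = ["# src dst_port client_bytes duration_ms"]
    lines += [f"10.0.0.50 {88 if i % 2 else 464} 0 5" for i in range(1200)]
    lines += ["10.0.0.7 88 312 40", "10.0.0.8 464 280 55",
              "10.0.0.9 445 0 3", "10.0.0.7 88 0 4"]
    return lines


if __name__ == "__main__":
    print(assess(build_sample()))
```

Because the advisory states that only a reboot clears the condition,
the total since the last reboot is tracked as well as the per-source
count.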

---------------------------=[Workaround]=-----------------------------
Disallow access to TCP ports 88 and 464 from untrusted networks and/or
apply the patch located at the following URL:

http://www.microsoft.com/technet/security/bulletin/MS01-024.asp

-------------------------=[Vendor Response]=--------------------------
This issue was brought to the vendor's attention on the 26th of
January, 2001, and the vendor released a patch on the 8th of May.

======================================================================
This release was brought to you by Defcom Labs

          [email protected]             www.defcom.com         

======================================================================