RE: Help! LsaSrv dies w/Event ID: 5000




New information...

I've contacted Microsoft's security via email yesterday ~9 PM EDT and this
morning via the web form, but as yet haven't heard back.

Someone is testing a new exploit. I don't know if it is for a new security
hole or if it is for one that has already been plugged.

What I know at this time:

Windows Server 2000 / SP4 / not fully security patched is affected.
Windows Server 2000 / SP4 / fully security patched - not yet known (waiting
for the nasty exploit to again be tested on the server)
Windows Server 2003 / IIS 6.0 is not affected.

The attack vector is via an IIS packet which calls for authentication, hands
it a whole lot of data, and crashes LsaSrv that instant. Requires a server
reboot to bring the 2K Server back online.

I've correlated 4 occurrences of LsaSrv crashing with 4 incoming IIS
requests, all the same size, all at the exact same timestamp, all giving the
same error code out of IIS. The incoming request to IIS is 5699 bytes long,
and I see an error code in the IIS logfile of 2148074244, both of which are
highly suspicious.

Windows Server 2003 shows an error code of 404.

Based on the very low frequency of occurrence, I believe the exploit is
being tested and is not yet widely used. Prior to this discovery, I thought
this was a normal LsaSrv crash (thus the "Has anyone seen this?" original
post).

If someone with a fully security patched server can report in a "I've seen a
packet this size and my server didn't crash" or "My server crashed too and it
was fully patched" statement, that could tell us (and Microsoft) if this is a
new exploit for an old hole that is fixed or a new exploit for a new hole
that isn't yet fixed.

The input vector is via a public facing IIS port 80. The packet gets IIS to
try and do an SNMPv2-SMI::security.5.2 authentication (AKA: "SPNEGO - Simple
Protected Negotiation"). When the oversized packet (it is filled with
"AAAAAAA...AAAA" to pad the buffer out) is handed around to various Windows
processes, apparently that overflows a buffer and does some other damage. I'm
not sure what that other damage is yet.

More will be posted here as I learn it, though I was looking forward to not
working this weekend!



