From peter.grundl@DEFCOM.COM Wed May 9 12:48:44 2001 From: "[iso-8859-1] Peter Gründl" To: BUGTRAQ@SECURITYFOCUS.COM Date: Wed, 9 May 2001 10:41:37 +0200 Subject: [BUGTRAQ] def-2001-24: Windows 2000 Kerberos DoS [The following text is in the "iso-8859-1" character set] [Your display is set for the "US-ASCII" character set] [Some characters may be displayed incorrectly] ====================================================================== Defcom Labs Advisory def-2001-24 Windows 2000 Kerberos DoS Author: Peter Gründl Release Date: 2001-05-09 ====================================================================== ------------------------=[Brief Description]=------------------------- The Kerberos service and kerberos password service contain a flaw that could allow a malicious attacker to cause a Denial of Service on the Kerberos service and thus making all domain authentication impossible. ------------------------=[Affected Systems]=-------------------------- - Windows 2000 Server - Windows 2000 Advanced Server - Windows 2000 Datacenter Server ----------------------=[Detailed Description]=------------------------ By creating a connection to the kerberos service and the disconnecting again, without reading from the socket, the LSA subsystem will leak memory. After about 4000 connections the kerberos service will stop accepting connections to tcp ports 88 (kerberos) and 464 (kpasswd) and all domain authentication will effectively have died (if the target was a domain controller). It requires a reboot to recover from the attack. ---------------------------=[Workaround]=----------------------------- Disallow access to TCP ports 88 and 464 from untrusted networks or/and apply the patch located at the following URL: http://www.microsoft.com/technet/security/bulletin/MS01-024.asp -------------------------=[Vendor Response]=-------------------------- This issue was brought to the vendor's attention on the 26th of January, 2001, and the vendor released a patch on the 8th of May. ====================================================================== This release was brought to you by Defcom Labs labs@defcom.com www.defcom.com ====================================================================== [Part 2, Text/HTML (charset: ISO-8859-1 "Latin 1") 99 lines] [Unable to print this part]