Microsoft Windows LSASS buffer overflow

win-lsass-bo (15699) The risk level is classified as High Risk

Description:

Microsoft Windows 2000, Windows XP and Windows Server 2003 are vulnerable to a buffer overflow caused by improper bounds checking in the Local Security Authority Subsystem Service (LSASS). By sending a specially crafted message to the affected system, a remote attacker could overflow a buffer and execute arbitrary code on the system.

The Sasser worm exploits this security issue. Sasser propagates by scanning randomly selected IP addresses for vulnerable systems.

Note: Only a local administrator could exploit this vulnerability on Microsoft Windows Server 2003 and Windows XP 64-Bit Edition 2003.

Platforms Affected:

  • Microsoft, NetMeeting
  • Microsoft, Windows 2000 SP2
  • Microsoft, Windows 2000 SP3
  • Microsoft, Windows 2000 SP4
  • Microsoft, Windows 2003 Server x64
  • Microsoft, Windows 2003 Server
  • Microsoft, Windows NT 4.0 SP6a Server
  • Microsoft, Windows NT 4.0 SP6 Terminal Server
  • Microsoft, Windows NT 4.0 SP6a Workstation
  • Microsoft, Windows XP 2003 64-bit
  • Microsoft, Windows XP SP1 64-bit
  • Microsoft, Windows XP SP1

Remedy:

For vulnerability detection:

Enable the following checks in the ISS Protection Platform:
WinMs04011Patch

For Virtual Patch:

Enable the following checks in the ISS Protection Platform:
MSRPC_LSASS_Bo
MSRPC_LSASS_Request_Detected
Sasser_Propagation

For Manual Protection:

Apply the appropriate patch for your system, as listed in the Microsoft Security Bulletin MS04-011. See References.

Consequences:

Gain Access

References:

  • CIAC Information Bulletin O-114, Microsoft Security Update for Microsoft Windows at http://www.ciac.org/ciac/bulletins/o-114.shtml.
  • CIAC Information Bulletin O-114, Microsoft Security Update for Microsoft Windows [REVISED 25 Jun 2004] at http://www.ciac.org/ciac/bulletins/o-114.shtml.
  • Internet Security Systems Security Alert, April 13, 2004, Multiple Vulnerabilities in Microsoft Products at http://xforce.iss.net/xforce/alerts/id/169.
  • Microsoft Security Bulletin MS04-011, Security Update for Microsoft Windows (835732) at http://www.microsoft.com/technet/security/bulletin/ms04-011.mspx.
  • BID-10108: Microsoft Windows LSASS Buffer Overrun Vulnerability
  • CVE-2003-0533: Stack-based buffer overflow in certain Active Directory service functions in LSASRV.DLL of the Local Security Authority Subsystem Service (LSASS) in Microsoft Windows NT 4.0 SP6a, 2000 SP2 through SP4, XP SP1, Server 2003, NetMeeting, Windows 98, and Windows ME, allows remote attackers to execute arbitrary code via a packet that causes the DsRolerUpgradeDownlevelServer function to create long debug entries for the DCPROMO.LOG log file, as exploited by the Sasser worm.
  • US-CERT VU#753212: Microsoft LSA Service contains buffer overflow in DsRolepInitializeLog() function

Reported:

Apr 13, 2004

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

Copyright (c) 1994-2008 Internet Security Systems, Inc. All rights reserved worldwide.

For corrections or additions please email xforce@iss.net
