Vigil@nce: Windows 2003, denial of service via AD SPN
February 2011 by Vigil@nce
This bulletin was written by Vigil@nce : http://vigilance.fr/
SYNTHESIS OF THE VULNERABILITY
An attacker, who is administrator on a domain computer, can send a
SPN register query, in order to create a denial of service.
– Severity: 2/4
– Creation date: 09/02/2011
IMPACTED PRODUCTS
– Microsoft Windows 2003
DESCRIPTION OF THE VULNERABILITY
A domain computer can register a service on the Active Directory,
so other computers can use this service. In order to do so, the
computer defines an unique name for the service (SPN, Service
Principal Name), and sends it to the AD (this operation requires
to be administrator on the computer).
When the AD receives two queries with the same SPN name, a
collision occurs, and the AD replaces the Kerberos authentication
by NTLM. However, services which are not conceived to use NTLM
become unreachable.
An attacker, who is administrator on a domain computer, can
therefore send a SPN register query, in order to create a denial
of service.
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/Windows-2003-denial-of-service-via-AD-SPN-10344