Vigil@nce: Windows, denial of service of LSASS via NTLM
October 2009 by Vigil@nce
When authenticating to a server, a network attacker can send a
malformed NTLM packet in order to reboot the server.
Severity: 2/4
Consequences: denial of service of computer
Provenance: intranet client
Means of attack: no proof of concept, no attack
Ability of attacker: expert (4/4)
Confidence: confirmed by the editor (5/5)
Diffusion of the vulnerable configuration: high (3/3)
Creation date: 14/10/2009
IMPACTED PRODUCTS
– Microsoft Windows 2003
– Microsoft Windows 2008
– Microsoft Windows 7
– Microsoft Windows Vista
– Microsoft Windows XP
DESCRIPTION OF THE VULNERABILITY
The LSASS (Local Security Authority Subsystem) service manages
access to the system.
When a user connects to a shared resource, NTLM can be used as the
authentication protocol. However, if an attacker sends a malicious
NTLM packet, an error occurs in LSASS and the system reboots.
When authenticating to a server, a network attacker can therefore
send a malformed NTLM packet in order to reboot the server.
CHARACTERISTICS
Identifiers: 975467, BID-36593, CVE-2009-2524, MS09-059,
VIGILANCE-VUL-9091
http://vigilance.fr/vulnerability/Windows-denial-of-service-of-LSASS-via-NTLM-9091