
Second Try at Windows LSASS Patch Addresses Vulnerability

[Category: Systems (Windows) | Posted by 店小二03 | 2017 | Author 红领巾]


Microsoft’s second try at patching a vulnerability in a critical Windows process apparently is more successful than its first attempt.

Yesterday, as part of its monthly Patch Tuesday release of security bulletins, Microsoft sent out an update that fixed a denial-of-service vulnerability in the Windows Local Security Authority Subsystem Service (LSASS). The update was in response to a private disclosure from researcher Nicolas Economou of Core Security, who reported that a patch released in November for the same bug was incomplete.

Core Security confirmed to Threatpost this morning that it had tested the patch and that the issue was resolved.

LSASS enforces Windows security policies around authentication and login verification. It’s a critical process that cannot be terminated without consequences.

Yesterday’s bulletin, MS17-004, was rated important by Microsoft for Vista, Windows Server 2008 (and R2), and Windows 7. An attacker using a specially crafted authentication request could remotely cause an automatic system reboot. Microsoft said it changed the way LSASS handles such requests.

The original patch, released Nov. 8 in MS16-137, addressed a bug privately disclosed by researcher Laurent Gaffie, who said it affects all versions of Windows, from XP to Windows 10. Gaffie described the bug in his original report:

“This vulnerability affects both LSASS client and server and can be triggered remotely via SMBv1 and SMBv2, during the NTLM message 3 (Authenticate) message. Incoming NTLM messages via SMB are using ASN1 and DER encoding, the first ASN length field can be set to unsigned int by using 0x84.

“This allows an attacker to remotely allocate a huge chunk of memory, for a message never larger than 20000 chars. The secondary trigger is to set any string fields (User, Domain, session Key, MIC, etc) with a long string (80-140 chars), leading LSASS.exe to crash.”

Gaffie said it was also possible that an attacker could leverage the crash for local privilege escalation; he published a proof-of-concept exploit once the first patch was distributed.

Core Security’s Economou, however, said that once he analyzed Gaffie’s PoC he discovered the vulnerability had been misunderstood. In a technical description published today, Economou said the fix was improperly applied.

Economou said as well that the vulnerability can also be triggered in Windows 8 and 10. To do so, he said, an attacker would have to try to exhaust memory in the LSASS service rather than use a “giant” memory allocation that would fail in older versions of Windows.

“I had been able to confirm that this vulnerability can be triggered in Windows 7 and 2008 R2 by establishing several SMB connections and sending evil sizes with values like 0x1000000 (16 MB). The problem is that in the case of the latest Windows versions, it’s not possible to use sizes like this, because as I said before, the limit is 64KB,” Economou said. “So, the only way to trigger this vulnerability should be by producing a memory exhaustion in the LSASS service. It may be possible to do so by finding a controllable malloc in the LSASS authentication process, creating multiple connections and producing a memory exhaustion until the ‘LsapAllocateLsaHeap’ function fails. Maybe, this memory exhaustion condition could be easily reached in local scenarios.”

This incomplete patch left users exposed for two months. During that time, Microsoft said it was not aware of any public exploits targeting this flaw. The new patch has resolved the vulnerability, Economou said.

“If we diff against the latest ‘lsasrv.dll’ version (v6.1.7601.23642), we can see that the vulnerability was fixed by changing the ‘NegGetExpectedBufferLength’ function,” Economou said. “Basically, the same 64KB packet size check used by Windows 8.1 and Windows 10 was now added to the rest of the Windows versions.”
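The two quotes above describe the core of the bug and of the fix: a DER long-form length byte such as 0x84 lets a client declare a 32-bit token length, and the patched length calculation refuses anything over 64KB before reserving memory. The following C, added here as an illustration and not code from Microsoft, Core Security or the article, parses that length field and shows the unchecked decision beside the capped one. The function names, the exact 64KB constant, and the sample byte strings are assumptions constructed for the example; the real `NegGetExpectedBufferLength` is not reproduced.

```c
#include <stdint.h>
#include <stdio.h>

/* Cap on an incoming authentication token, mirroring the 64KB packet size
 * check the article says the fixed lsasrv.dll now applies on all versions. */
#define MAX_TOKEN_LEN 0x10000u

/* Decode a DER length field at buf[0..avail). Short form: one byte below
 * 0x80. Long form: 0x80|n followed by n big-endian length bytes, so 0x84
 * announces a 32-bit length. Returns bytes consumed, 0 if malformed. */
size_t der_read_length(const uint8_t *buf, size_t avail, uint32_t *len_out) {
    if (avail < 1) return 0;
    uint8_t first = buf[0];
    if (first < 0x80) { *len_out = first; return 1; }
    size_t n = first & 0x7f;                          /* number of length bytes */
    if (n == 0 || n > 4 || avail < 1 + n) return 0;   /* 0x80 = indefinite, not DER */
    uint32_t len = 0;
    for (size_t i = 0; i < n; i++) len = (len << 8) | buf[1 + i];
    *len_out = len;
    return 1 + n;
}

/* Pre-fix behaviour as the article describes it: whatever length the client
 * declares becomes the size reserved for the token. 0 = malformed length. */
uint32_t expected_len_unchecked(const uint8_t *buf, size_t avail) {
    uint32_t len;
    return der_read_length(buf, avail, &len) ? len : 0;
}

/* Fixed behaviour: refuse anything over the cap before any allocation. The
 * extra check that the declared length fits what actually arrived is a
 * defensive addition of this example, not something the article mentions. */
uint32_t expected_len_checked(const uint8_t *buf, size_t avail) {
    uint32_t len;
    size_t hdr = der_read_length(buf, avail, &len);
    if (hdr == 0 || len > MAX_TOKEN_LEN || len > avail - hdr) return 0;
    return len;
}

/* Constructed samples (not captured traffic): bytes following the outer tag. */
const uint8_t sample_short[] = {0x05, 0xde, 0xad, 0xbe, 0xef, 0x00}; /* declares 5, 5 follow */
const uint8_t sample_evil[]  = {0x84, 0x01, 0x00, 0x00, 0x00, 0xaa}; /* declares 16 MB, 1 follows */
const uint8_t sample_indef[] = {0x80};                                /* indefinite form */

int main(void) {
    printf("evil token: unchecked reserves %u bytes, checked reserves %u\n",
           expected_len_unchecked(sample_evil, sizeof sample_evil),
           expected_len_checked(sample_evil, sizeof sample_evil));
    return 0;
}
```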


Page link: http://www.codesec.net/view/523208.html