NSFOCUS Security Advisory (SA2004-01)
Topic: DoS Vulnerability in Microsoft Windows SPNEGO Protocol Decoding
Release Date: 2004-04-14
CVE CAN ID : CAN-2004-0119
Affected system:
================
- Microsoft Windows XP
- Microsoft Windows 2000
- Microsoft Windows 2003

Unaffected system:
==================
- Microsoft Windows 9x
- Microsoft Windows NT

Impact:
=======
NSFOCUS Security Team has found a remote DoS vulnerability in the SPNEGO protocol decoding function of the Microsoft Windows system. By exploiting the vulnerability, remote attackers could cause the Windows system to crash or malfunction.

Description:
============
The Simple and Protected GSS-API Negotiation Mechanism (SPNEGO) protocol is used to negotiate which security mechanism should be adopted. Windows supports various authentication mechanisms, and it uses SPNEGO to negotiate which of them clients and servers will use.

There is a security vulnerability in the way Windows decodes SPNEGO protocol data, which allows attackers to launch DoS attacks.

When a carefully crafted SPNEGO NegTokenInit request is sent, a null pointer dereference can occur in LSASRV.DLL, crashing LSASS.EXE. This makes every operation that depends on system authentication (such as remote access to an SMB share, or interactive local login) unavailable. On Windows 2003 it results in an automatic shutdown or a blue screen.

Attackers can launch attacks through any service that uses SPNEGO, such as TCP ports 139 and 445. By default IIS also uses SPNEGO to negotiate which authentication protocol (for example NTLM or Kerberos) should be adopted, so it is also possible to launch the attack through IIS.

According to the vendor's response, if only the DoS issue had been fixed, the same type of malformed request could still have triggered a buffer overflow in the subsequent code. The vendor's patch fixes both the DoS and the buffer overflow issues.
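The defensive property at stake in the description above is that a SPNEGO decoder must validate every length field before it follows it. The following Python decoder is an added example for this advisory; it is not NSFOCUS or Microsoft code and does not reproduce the crafted request. It parses the GSS-API initial context token and the NegTokenInit mechTypes list (RFC 2478 structure: [APPLICATION 0] wrapper, SPNEGO OID, [0] NegTokenInit SEQUENCE, [0] mechTypes SEQUENCE OF OID) with bounds checks on every TLV, so a truncated or oversized token is rejected with a ValueError instead of being dereferenced. The sample tokens are constructed inline by the small encoder at the bottom, not captured from a real exchange.

```python
"""Bounds-checked SPNEGO NegTokenInit decoder (added example, not vendor code)."""
from typing import List, Optional, Tuple

SPNEGO_OID = "1.3.6.1.5.5.2"


def _read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Read one DER tag/length/value at buf[pos]; return (tag, value, next_pos).

    Every access is checked against len(buf), so a length field that claims
    more bytes than exist raises ValueError instead of reading past the end.
    """
    if pos + 2 > len(buf):
        raise ValueError("truncated tag or length")
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    if first < 0x80:
        length = first
    else:
        n = first & 0x7F  # long form: n following bytes hold the length
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("invalid long-form length")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if length > len(buf) - pos:
        raise ValueError("length %d exceeds remaining %d bytes" % (length, len(buf) - pos))
    return tag, buf[pos:pos + length], pos + length


def decode_oid(value: bytes) -> str:
    """Convert DER OID contents to dotted notation, rejecting a cut-off arc."""
    if not value:
        raise ValueError("empty OID")
    arcs, cur, pending = [value[0] // 40, value[0] % 40], 0, False
    for b in value[1:]:
        cur, pending = (cur << 7) | (b & 0x7F), bool(b & 0x80)
        if not pending:
            arcs.append(cur)
            cur = 0
    if pending:
        raise ValueError("truncated OID sub-identifier")
    return ".".join(str(a) for a in arcs)


def parse_neg_token_init(token: bytes) -> List[str]:
    """Return the mechTypes OIDs offered by a NegTokenInit, or raise ValueError."""
    tag, body, end = _read_tlv(token, 0)
    if tag != 0x60 or end != len(token):  # [APPLICATION 0] InitialContextToken
        raise ValueError("not a GSS-API initial context token")
    tag, oid, pos = _read_tlv(body, 0)
    if tag != 0x06 or decode_oid(oid) != SPNEGO_OID:
        raise ValueError("thisMech is not the SPNEGO OID")
    tag, neg, _ = _read_tlv(body, pos)
    if tag != 0xA0:  # [0] negTokenInit (0xA1 would be negTokenResp)
        raise ValueError("not a NegTokenInit")
    tag, seq, _ = _read_tlv(neg, 0)
    if tag != 0x30:
        raise ValueError("NegTokenInit is not a SEQUENCE")
    tag, mech_types, _ = _read_tlv(seq, 0)
    if tag != 0xA0:  # mechTypes [0] is mandatory
        raise ValueError("mechTypes missing")
    tag, mech_list, _ = _read_tlv(mech_types, 0)
    if tag != 0x30:
        raise ValueError("mechTypes is not a SEQUENCE OF")
    oids, pos = [], 0
    while pos < len(mech_list):
        tag, val, pos = _read_tlv(mech_list, pos)
        if tag != 0x06:
            raise ValueError("mechTypes entry is not an OID")
        oids.append(decode_oid(val))
    if not oids:
        raise ValueError("mechTypes is empty")
    return oids


def safe_parse(token: bytes) -> Optional[List[str]]:
    """What a hardened listener does: reject bad input, keep running."""
    try:
        return parse_neg_token_init(token)
    except ValueError:
        return None


# --- constructed sample data (a minimal DER encoder, not a real client) ---
def _der(tag: int, value: bytes) -> bytes:
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def encode_oid(dotted: str) -> bytes:
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        out.extend(reversed(chunk))
    return _der(0x06, bytes(out))


def build_neg_token_init(mechs: List[str]) -> bytes:
    mech_list = _der(0x30, b"".join(encode_oid(m) for m in mechs))
    return _der(0x60, encode_oid(SPNEGO_OID) + _der(0xA0, _der(0x30, _der(0xA0, mech_list))))


# Well-formed token offering NTLMSSP and Kerberos, and a copy cut short so
# that its outer length field points past the end of the buffer.
GOOD_TOKEN = build_neg_token_init(["1.3.6.1.4.1.311.2.2.10", "1.2.840.113554.1.2.2"])
TRUNCATED_TOKEN = GOOD_TOKEN[:-5]

if __name__ == "__main__":
    print(safe_parse(GOOD_TOKEN))       # mechTypes list
    print(safe_parse(TRUNCATED_TOKEN))  # None: rejected, no crash
```

The point of the example is the contrast between `GOOD_TOKEN` and `TRUNCATED_TOKEN`: the same decoder handles both, and the damaged one never reaches a dereference because `_read_tlv` checks each declared length against the bytes actually present before slicing.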
Workaround:
===========
* Restrict access to the following ports from untrusted IPs at the firewall:
  445/UDP
  139/TCP
  445/TCP
* For a system that provides a web service through IIS, either of the following methods can be used to mitigate the threat:
  1. Disable "Integrated Windows authentication" in the IIS service.
  2. Disable authentication negotiation and only allow authentication through NTLM with the following command:
     cscript adsutil.vbs set w3svc/NTAuthenticationProviders "NTLM"
     adsutil.vbs can be found in the adminscripts directory of IIS. More detail is available at: http://support.microsoft.com/?id=215383
Vendor Status:
==============
2004.02.19 Informed the vendor
2004.02.19 Vendor confirmed the vulnerability
2004.04.13 Microsoft released a security bulletin (MS04-011) and related patches for the vulnerability.

Detailed information on the Microsoft security bulletin is available at: http://www.microsoft.com/technet/security/bulletin/ms04-011.mspx
Additional Information:
=======================
The Common Vulnerabilities and Exposures (CVE) project has assigned the name CAN-2004-0119 to this issue. This is a candidate for inclusion in the CVE list (http://cve.mitre.org), which standardizes names for security problems. Candidates may change significantly before they become official CVE entries.
Credit:
=======
The vulnerability was found by Chen Qing of NSFOCUS Security Team.