SECURIFY Bulletin: Active Directory Denial-of-service ===================================================== I. SUMMARY: SECURIFY has discovered a denial-of-service vulnerability in Microsoft Active Directory (AD) in which a domain user sending a specially-crafted LDAP request causes the Active Directory server to initiate a controlled restart. Specific products and versions affected and the hotfixes for them are detailed in Microsoft Security Bulletin MS08-035 (953235). This vulnerability has been assigned CVE-2008-1445. II. SYMPTOMS: After receiving the LDAP request, the AD server returns a partial list of the requested data to the client. After an additional minute or so, the Windows initiates a controlled restart with a 60-second countdown timer. The shutdown dialog box displays status code -1073741819. After restarting, errors similar to the following are found in the application event log: Type: Error Source: Application Error Category: (100) Event ID: 1000 Description: Faulting application lsass.exe, version <version>, faulting module authz.dll, version <version>, fault address 0x00001d8f Type: Error Source: Winlogon Category: None Event ID: 1015 Description: A critical system process, C:\Windows\system32\lsass.exe, failed with status code c0000005. The machine must now be restarted. Type: Information Source: Application Error Category: (100) Event ID: 1004 Description: Reporting queued error: Faulting application lsass.exe, version <version>, faulting module authz.dll, version <version>, fault address 0x00001d8f Errors similar to the following are recorded in the Directory Service event log: Type: Error Source: NTDS General Category: Internal Processing Event ID: 1168 Description: Internal error: An Active Directory error has occurred. Additional Data: Error value (decimal): 8411 Error value (hex): 20db Internal ID: 3151e4a Type: Warning Source: NTDS General Category: Internal Processing Event ID: 1173 Description: Internal event: Active Directory has encountered the following exception and associated parameters: Exception: c0000005 Parameter: 0 Additional Data: Error value: 76c41d8f Internal ID: 0 III. SOLUTION: Apply the hotfix referenced in the Microsoft bulletin. IV. WORKAROUNDS: Block TCP ports 389 and 3268 to your Active Directory server from untrusted sources. V. ADDITIONAL DETAILS: The special LDAP request that triggered the restart was a byproduct of internal development work and was provided to Microsoft immediately upon discovery. No further research into this vulnerability has been conducted by SECURIFY. VI. TIMELINE: 2007-12-08 Initial contact and response from Microsoft PSS 2007-12-27 Initial contact attempt to Microsoft Security Response Center 2008-01-08 Second contact attempt to Microsoft Security Response Center 2008-02-11 Initial response from Microsoft Security Response Center 2008-06-10 Hotfix made publicly available by Microsoft VII. REFERENCES: Microsoft Security Bulletin MS08-035 (953235) (http://www.microsoft.com) CVE-2008-1445 (http://cve.mitre.org/) VIII. CREDIT: John Guzik, SECURIFY, INC Alex Matthews, SECURIFY, INC IX. About SECURIFY: http://www.securify.com/ Securify's identity-driven, network-based approach leverages existing infrastructures to deliver a cost-effective way to discover and control access and behavior broadly across networks as well as systems.