From: Karl Bolingbroke [karl.bolingbroke@FLYINGJ.COM]
Sent: Tuesday, October 26, 1999 6:11 PM
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
Subject: LSASS bug

Hi all,

I submitted the following to Microsoft in early June:

--------------------------------------------------------
There is a bug in SP5 of NT 4.0 that allows you to crash LSASS (the security subsystem) of any SP4 or SP5 machine that has not been logged into since the last reboot. This affects both NT Workstation and Server. Once LSASS has crashed, you cannot log into the computer either locally or over the network. This will also prevent a clean shutdown of an NT Server, since there is no way to shut down NT Server without a logon (either local or over the network).

The steps to reproduce the problem are as follows:

1- Prepare machine #1 with NT 4.0, SP5.
2- Add the following registry setting to force machine #1 to use NTLMv2:
   HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\LMCompatibilityLevel=3
3- Prepare machine #2 with NT 4.0, SP4 or SP5.
4- Reboot machine #2, and don't login to it, either locally or over the network.
5- From machine #1, attempt to map a drive to machine #2.
6- On machine #2, LSASS has now crashed. If the machine was running SP5, you will immediately see an error message saying that LSASS crashed and giving you some details on the memory location, etc. If the machine was running SP4, you won't immediately see an error message. If you try to login, it will give an error. If you shut down the computer from the login screen, you will then see the LSASS error message.
--------------------------------------------------------

The Microsoft Product Security Response Team never did respond to me about the problem. Eventually, with Russ' help, I got a response from Scott Culp at Microsoft saying that they had confirmed the problem and built a fix for it. The fix was to be included in SP6, which Scott said was due out at the end of September.

He said that the fix would not be released on their ftp site, but could be obtained by calling Product Support at 1-800-936-3500 and requesting the patch for WinSE bug 1449. The KB article can be found at:
http://support.microsoft.com/support/kb/articles/q236/4/14.ASP

And how did Microsoft handle this? They never did generate a security alert about the problem. They just quietly posted a KnowledgeBase article and built a fix that they didn't release to the general public. I tried calling the PSS number but got stuck in voicemail hell and was never able to reach a live person. So I decided to wait for SP6, and here I am still waiting with a bunch of unpatched systems.

Karl

---------------------------------
Karl Bolingbroke
Flying J Inc.
435-695-1233
---------------------------------