From: Karl Bolingbroke [karl.bolingbroke@FLYINGJ.COM]
Sent: Tuesday, October 26, 1999 6:11 PM
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
Subject: LSASS bug

Hi all,
I submitted the following to Microsoft in early June:

--------------------------------------------------------
There is a bug in SP5 of NT 4.0 that allows you to crash
LSASS (the security subsystem) of any SP4 or SP5 machine
that has not been logged into since the last reboot.  This
affects both NT Workstation and Server.  Once LSASS has
crashed, you cannot log into the computer either locally or
over the network.  This will also prevent a clean shutdown
of an NT Server, since there is no way to shut down NT
Server without a logon (either local or over the network).

The steps to reproduce the problem are as follows:
1- Prepare machine #1 with NT 4.0, SP5.
2- Add the following registry setting to force machine #1 to
   use NTLMv2:
   HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\LMCompatibilityLevel=3
3- Prepare machine #2 with NT 4.0, SP4 or SP5.
4- Reboot machine #2, and don't log in to it, either locally
   or over the network.
5- From machine #1, attempt to map a drive to machine #2.
6- On machine #2, LSASS has now crashed.  If the machine was
   running SP5, you will immediately see an error message saying
   that LSASS crashed and giving you some details on the memory
   location, etc.  If the machine was running SP4, you won't
   immediately see an error message.  If you try to log in, it
   will give an error.  If you shut down the computer from the
   login screen, you will then see the LSASS error message.
--------------------------------------------------------

The Microsoft Product Security Response Team never did
respond to me about the problem.  Eventually, with Russ'
help, I got a response from Scott Culp at Microsoft saying
that they had confirmed the problem and built a fix for it.
The fix was to be included in SP6, which Scott said was due
out at the end of September.  He said that the fix would not
be released on their ftp site, but could be obtained by
calling Product Support at 1-800-936-3500 and requesting the
patch for WinSE bug 1449.  The KB article can be found at:
http://support.microsoft.com/support/kb/articles/q236/4/14.ASP

And how did Microsoft handle this?  They never did generate
a security alert about the problem.  They just quietly
posted a KnowledgeBase article and built a fix that they
didn't release to the general public.  I tried calling the
PSS number but got stuck in voicemail hell and was never
able to reach a live person.  So I decided to wait for SP6,
and here I am still waiting with a bunch of unpatched
systems.

<Several stronger editorials created, then deleted.>

Karl

---------------------------------
Karl Bolingbroke
Flying J Inc.
435-695-1233
---------------------------------
