PoC Exploit Leads to Discovery of Two Windows Flaws

Proof-of-concept (PoC) code released by a researcher for a denial-of-service (DoS) vulnerability affecting the Local Security Authority Subsystem Service (LSASS) in Windows has led to the discovery of a different, but similar, flaw.

In September, researcher Laurent Gaffié identified a DoS vulnerability in LSASS, a Windows process responsible for enforcing the security policy on a system. The expert said the weakness can be exploited remotely to cause a crash of the LSASS process without user interaction, but also warned about the possibility of local privilege escalation.

The flaw, tracked as CVE-2016-7237, was believed to have been patched by Microsoft in November with the MS16-137 bulletin. The company described the security hole as a DoS issue that can be exploited to cause the system to become non-responsive by sending specially crafted requests.

Gaffié, who said the flaw affected Windows versions from XP through 10, disclosed the details of the vulnerability and published a proof-of-concept (PoC) exploit the same day Microsoft released its security bulletin.

“This vulnerability affects both LSASS client and server and can be triggered remotely via SMBv1 and SMBv2, during the NTLM message 3 (Authenticate) message. Incoming NTLM messages via SMB are using ASN1 and DER encoding, the first ASN length field can be set to unsigned int by using 0x84,” Gaffié said in his advisory. “This allows an attacker to remotely allocate a huge chunk of memory, for a message never larger than 20000 chars. The secondary trigger is to set any string fields (User, Domain, session Key, MIC, etc) with a long string (80-140 chars), leading LSASS.exe to crash.”

An analysis of Gaffie’s PoC by Nicolas Economou, an exploit writer specialist at Core Security, has helped Microsoft determine that the PoC actually triggered a different, but similar, vulnerability than the one patched in November. The MS17-004 bulletin released by Microsoft on Tuesday addresses the second flaw, which is tracked as CVE-2017-0004.

“There was a misunderstanding here about the vulnerability,” Economou explained in a blog post published late on Tuesday. “Because according to the PoC released by Laurent Gaffié, the problem wasn’t in the structure pointer, but rather in one field of the CRITICAL_SECTION object pointed by this structure, which is NULL when the huge allocation fails.”

The expert pointed out that the system automatically restarts after 60 seconds if the LSASS service crashes, which can be problematic for production servers.

Economou realized something was amiss when he could not get Gaffié’s PoC to work on Windows 10. The cause turned out to be that the PoC triggered a different vulnerability, CVE-2017-0004, which only affects Windows Vista, 7, and Server 2008.

“It’s surprising to see that nobody else noticed [the fix was not working] – that we know of –, and that a considerable amount of Windows users have been unprotected for more than 2 months since the public exploit was released,” Economou said.

Related Reading: Microsoft Reissues Security Update Due to Outlook Crash

Related Reading: Microsoft Patches Several Publicly Disclosed Flaws

Related Reading: Oracle Reissues Patch for Two-Year-Old Java Flaw