
PoC Exploit Leads to Discovery of Two Windows Flaws

Proof-of-concept (PoC) code released by a researcher for a denial-of-service (DoS) vulnerability affecting the Local Security Authority Subsystem Service (LSASS) in Windows has led to the discovery of a different, but similar, flaw.

In September, researcher Laurent Gaffié identified a DoS vulnerability in LSASS, a Windows process responsible for enforcing the security policy on a system. The expert said the weakness can be exploited remotely to cause a crash of the LSASS process without user interaction, but also warned about the possibility of local privilege escalation.

The flaw, tracked as CVE-2016-7237, was believed to have been patched by Microsoft in November with the MS16-137 bulletin. The company described the security hole as a DoS issue that can be exploited to cause the system to become non-responsive by sending specially crafted requests.

Gaffié, who said the flaw affected Windows versions from XP through 10, disclosed the details of the vulnerability and published a proof-of-concept (PoC) exploit the same day Microsoft released its security bulletin.

“This vulnerability affects both LSASS client and server and can be triggered remotely via SMBv1 and SMBv2, during the NTLM message 3 (Authenticate) message. Incoming NTLM messages via SMB are using ASN1 and DER encoding, the first ASN length field can be set to unsigned int by using 0x84,” Gaffié said in his advisory. “This allows an attacker to remotely allocate a huge chunk of memory, for a message never larger than 20000 chars. The secondary trigger is to set any string fields (User, Domain, session Key, MIC, etc) with a long string (80-140 chars), leading LSASS.exe to crash.”

An analysis of Gaffié’s PoC by Nicolas Economou, an exploit writing specialist at Core Security, helped Microsoft determine that the PoC actually triggered a different, but similar, vulnerability from the one patched in November. The MS17-004 bulletin released by Microsoft on Tuesday addresses the second flaw, which is tracked as CVE-2017-0004.

“There was a misunderstanding here about the vulnerability,” Economou explained in a blog post published late on Tuesday. “Because according to the PoC released by Laurent Gaffié, the problem wasn’t in the structure pointer, but rather in one field of the CRITICAL_SECTION object pointed by this structure, which is NULL when the huge allocation fails.”
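As an added defensive illustration (not code from Gaffié's advisory, Economou's analysis or Microsoft's fix), the following DER length decoder rejects any declared length larger than the message actually received, so the long-form 0x84 length field described above never turns into a huge allocation, and it treats a failed allocation as an error rather than continuing with an uninitialised object. The function names and sample bytes are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* ok is 1 only if the length is well-formed AND fits the received buffer. */
typedef struct { int ok; size_t length; size_t consumed; } der_len_t;

/* Decode a DER length at buf[0] and check it against the bytes actually
 * received (avail). Short form: one byte < 0x80. Long form: 0x80|n then n
 * big-endian bytes, so 0x84 lets a few-KB message declare nearly 4 GiB. */
der_len_t der_read_length(const uint8_t *buf, size_t avail)
{
    der_len_t r = {0, 0, 0};
    if (avail < 1) return r;
    uint8_t first = buf[0];
    if (first < 0x80) {
        r.length = first; r.consumed = 1;
    } else {
        size_t n = first & 0x7f;
        if (n == 0 || n > sizeof(size_t) || avail < 1 + n) return r;
        /* DER demands minimal encoding: no leading zero byte, no long form for < 0x80. */
        if (buf[1] == 0 || (n == 1 && buf[1] < 0x80)) return r;
        size_t len = 0;
        for (size_t i = 0; i < n; i++) len = (len << 8) | buf[1 + i];
        r.length = len; r.consumed = 1 + n;
    }
    /* The check that stops the oversized allocation: never trust a declared
     * length that exceeds what is actually present in the message. */
    if (r.length > avail - r.consumed) return r;
    r.ok = 1;
    return r;
}

/* Copy the content into a fresh buffer. Returns NULL when the length is
 * untrusted or malloc fails, so callers never touch an uninitialised object. */
uint8_t *der_copy_content(const uint8_t *buf, size_t avail, size_t *out_len)
{
    der_len_t r = der_read_length(buf, avail);
    if (!r.ok) return NULL;
    uint8_t *p = malloc(r.length ? r.length : 1);
    if (p == NULL) return NULL;
    memcpy(p, buf + r.consumed, r.length);
    *out_len = r.length;
    return p;
}

/* Constructed samples: a valid 3-byte value, and an 0x84 header declaring 0x7fffffff bytes inside a 7-byte message. */
const uint8_t sample_ok[]  = {0x03, 'a', 'b', 'c'};
const uint8_t sample_bad[] = {0x84, 0x7f, 0xff, 0xff, 0xff, 'x', 'y'};
```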


The expert pointed out that the system automatically restarts after 60 seconds if the LSASS service crashes, which can be problematic for production servers.

Economou realized something was amiss when he could not get Gaffié’s PoC to work on Windows 10. The cause turned out to be that the PoC triggered a different vulnerability, CVE-2017-0004, which only affects Windows Vista, 7, and Server 2008.

“It’s surprising to see that nobody else noticed [the fix was not working] – that we know of –, and that a considerable amount of Windows users have been unprotected for more than 2 months since the public exploit was released,” Economou said.


Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
