What's the scope of the vulnerability?
This is a denial of service vulnerability. By sending a series of specially malformed requests to a domain controller, an attacker could cause most or all of the machine's memory to be unavailable, potentially preventing it from authenticating users. In the worst case, the net result could be that new users might be unable to log on, and logged-on users might be unable to use some network resources. To restore normal service, the administrator would need to reboot the domain controller.
If there were multiple domain controllers on a domain, the other machines would assume part of the affected machine's load. Also, if best practices have been followed, the vulnerability could only be exploited by a user within the network -- the ports used in this attack should be blocked at the firewall.
What causes the vulnerability?
This vulnerability results because one of the services used by Windows 2000 domain controllers contains a memory leak that can be triggered via a particular type of invalid service request.
What is a memory leak?
A memory leak is an implementation error that depletes the available memory on a system. As a process on a computer runs, its memory needs tend to vary, depending on exactly what the process is doing from one minute to the next. When the process needs more memory, it requests it from the operating system; when it no longer needs the additional memory, it should return it to the operating system so it can be allocated to other processes.
If a process doesn't correctly return memory to the operating system, the memory remains assigned to the process, even though the process is no longer using it, and the memory can't be re-allocated. This effectively makes the section of memory unavailable. In this case, one of the processes that runs on Windows 2000 domain controllers has a memory leak that occurs only when certain invalid requests are made of it.
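The following C program is an added illustration of the bug class described above; it is not the affected Windows 2000 service, and the two-byte request format, the handler names and the validation rules in it are constructed for this example. It contrasts a handler that forgets to release its per-request context on the invalid-request paths with one that releases it on every path, and counts live heap blocks so the leak is visible without a leak detector.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Count of heap blocks currently held by the "service", so the leak is
 * visible without an external tool. */
static long live_blocks = 0;

static void *service_alloc(size_t n) {
    void *p = malloc(n);
    if (p) live_blocks++;
    return p;
}

static void service_free(void *p) {
    if (p) { live_blocks--; free(p); }
}

long live_block_count(void) { return live_blocks; }

/* Constructed wire format (not a real protocol): byte 0 = version, which
 * must be 1; byte 1 = payload length; then that many payload bytes. */
struct request {
    unsigned char version;
    unsigned char payload_len;
    unsigned char *payload;
};

/* Parses the fixed header into a freshly allocated per-request context.
 * Returns NULL if the buffer is too short to hold a header. */
static struct request *parse_header(const unsigned char *buf, size_t len) {
    if (len < 2) return NULL;
    struct request *r = service_alloc(sizeof *r);
    if (!r) return NULL;
    r->version = buf[0];
    r->payload_len = buf[1];
    r->payload = NULL;
    return r;
}

/* Leaky handler: each early return on an invalid request abandons r, so
 * every malformed request costs the process one context that is never freed. */
int handle_request_leaky(const unsigned char *buf, size_t len) {
    struct request *r = parse_header(buf, len);
    if (!r) return -1;
    if (r->version != 1) return -1;                    /* leaks r */
    if ((size_t)r->payload_len != len - 2) return -1;  /* leaks r */
    r->payload = service_alloc(r->payload_len);
    if (!r->payload) return -1;                        /* leaks r */
    memcpy(r->payload, buf + 2, r->payload_len);
    /* ... a valid request would be processed here ... */
    service_free(r->payload);
    service_free(r);
    return 0;
}

/* Fixed handler: a single exit path releases the context however
 * validation ends, so rejecting a request costs no memory. */
int handle_request_fixed(const unsigned char *buf, size_t len) {
    int rc = -1;
    struct request *r = parse_header(buf, len);
    if (!r) return -1;
    if (r->version != 1) goto out;
    if ((size_t)r->payload_len != len - 2) goto out;
    r->payload = service_alloc(r->payload_len);
    if (!r->payload) goto out;
    memcpy(r->payload, buf + 2, r->payload_len);
    rc = 0;
out:
    service_free(r->payload);
    service_free(r);
    return rc;
}

/* Feeds the same invalid request to a handler n times and reports how many
 * heap blocks the "service" still holds afterwards. */
long blocks_held_after(int (*handler)(const unsigned char *, size_t), int n) {
    static const unsigned char bad[] = { 9, 0 };  /* constructed: bad version */
    live_blocks = 0;
    for (int i = 0; i < n; i++) handler(bad, sizeof bad);
    return live_blocks;
}

int main(void) {
    printf("leaky handler, 1000 invalid requests: %ld blocks held\n",
           blocks_held_after(handle_request_leaky, 1000));
    printf("fixed handler, 1000 invalid requests: %ld blocks held\n",
           blocks_held_after(handle_request_fixed, 1000));
    return 0;
}
```

The point of the contrast is that the leaked memory grows with the number of invalid requests, not with their size or the server's legitimate load, which is why a stream of rejected requests is enough to exhaust a process that otherwise handles rejection correctly. Reviewing every early-return path for resources acquired before the check, as the fixed handler's single exit does, is the usual defence for this bug class.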
What could an attacker do via this vulnerability?
By repeatedly sending the domain controller the invalid request at issue here, an attacker could deplete the available pool of memory to the point where the machine's ability to respond to other, valid requests would slow or stop altogether.
What would be the effect of slowing or stopping the domain controller?
Let's consider the worst case, in which there's only a single domain controller in the domain, and the attacker depleted the machine's memory to the point where it was unable to respond to any requests at all. In this case, the principal effect would be to prevent the domain controller from logging new users onto the domain, and to prevent the machine from responding to queries to the Active Directory.
Would this prevent previously logged-on users from using network resources?
Not necessarily. Recall that Windows 2000 uses Kerberos as its default authentication protocol. In Kerberos, the domain controller does not authenticate every use of network resources, but instead provides a reusable ticket the first time a user requests a particular resource. When the user subsequently needs to use a particular resource, the domain controller doesn't need to be involved in the authentication process.
The upshot of this is that even if the domain controller were completely unavailable, it wouldn't prevent users who already had Kerberos tickets from using them. They could continue accessing all resources for which they had tickets. However, it would prevent the domain controller from issuing any new tickets for other resources.
What if the domain had several domain controllers?
In domains that contain multiple domain controllers, the machines work together and shift their workloads dynamically. The more domain controllers there are in a single domain, the less noticeable the loss of a single one would be.
How could an affected domain controller be put back into service?
An affected domain controller could be put back into service by rebooting the machine.
Couldn't I just disable the service that contains the flaw?
No. The affected service is one of the core services on Windows 2000 domain controllers and cannot be disabled.
Could this vulnerability be exploited from the Internet?
If normal security practices have been followed (blocking of TCP ports 88 or 464 at the firewall), this vulnerability could only be exploited from within an internal corporate network. Typically, domain controllers are not used as network edge machines, and firewalling would prevent users outside the corporate network from levying any requests directly upon them. If these practices have been followed, Internet users would not be able to send the malformed request to the affected service, and as a result they would be unable to exploit the vulnerability.
Does this vulnerability affect Windows NT® 4.0 domain controllers?
No. Only Windows 2000 domain controllers are affected.
Who should use the patch?
Microsoft recommends that customers consider installing the patch on their Windows 2000 domain controllers.
What does the patch do?
The patch eliminates the vulnerability by causing the affected service to correctly treat as invalid the request at issue here.