This attack could pose a serious security threat. You should take immediate action to stop any damage or prevent further damage from happening.
This signature detects an oversized request to the Microsoft Windows LSA DS (Local Security Authority Directory Service) associated with Active Directory domains.
This service provides various operating system facilities, such as client/server local and domain authentication, and support for Active Directory features.
One of the more notable vulnerabilities in the Microsoft Windows LSASS (Local Security Authority Subsystem Service) service is a remotely exploitable stack-based buffer overflow vulnerability.
It is possible to trigger this condition by sending a malformed message to the service, which could occur remotely or locally via a component that passes information to LSASS. The specific issue is present within the Active Directory service functions that are exposed through the LSASS DCE/RPC endpoint. The vulnerable functionality is reportedly accessible over the LSARPC named pipe via TCP ports 139 and 445, though other RPC-related TCP/UDP ports should not be ruled out. The cause of the issue is insufficient bounds checking in vsprintf() calls within the Active Directory debug logging facilities. Particular RPC functions accept excessive user-specified input and pass it to the vulnerable calls when the logs are written.
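As an added illustration of the kind of check such a signature performs (this is example code, not the vendor's signature logic, whose actual size limits the page does not disclose), the following parses the DCE/RPC request header carried over an SMB named pipe and flags a request to the LSARPC pipe whose stub data, or announced total size, exceeds an assumed limit. The pipe name is assumed to be tracked by the caller from the preceding SMB open on TCP 139 or 445; the limit, opnum and sample packets are constructed values.

```python
import struct

# Constructed thresholds and packet builder for illustration only; the vendor
# signature's actual size limits are not disclosed on this page.
STUB_LIMIT = 1024        # assumed: stub bytes above which a request is "oversized"
PTYPE_REQUEST = 0        # DCE/RPC PDU type 0 = request
PFC_FIRST_FRAG = 0x01    # pfc_flags bit: first fragment of a call
LSARPC_PIPES = ("lsarpc", "\\lsarpc", "\\pipe\\lsarpc")

def parse_dcerpc_request(pdu: bytes):
    """Parse a DCE/RPC v5 request header; None if truncated or not a request PDU."""
    if len(pdu) < 24:
        return None
    vers, _minor, ptype, flags = struct.unpack_from("<BBBB", pdu, 0)
    if vers != 5 or ptype != PTYPE_REQUEST:
        return None
    end = "<" if pdu[4] & 0x10 else ">"     # drep bit 4 set = little-endian ints
    frag_len, _auth_len, call_id = struct.unpack_from(end + "HHI", pdu, 8)
    alloc_hint, ctx_id, opnum = struct.unpack_from(end + "IHH", pdu, 16)
    return {"flags": flags, "frag_len": frag_len, "call_id": call_id,
            "alloc_hint": alloc_hint, "ctx_id": ctx_id, "opnum": opnum,
            "stub": pdu[24:frag_len]}

def check_lsarpc_request(pdu: bytes, pipe: str, limit: int = STUB_LIMIT):
    """Alert string if an LSARPC request carries an oversized stub, else None.
    pipe = named pipe the SMB session opened earlier (tracked by the caller)."""
    if pipe.lower() not in LSARPC_PIPES:
        return None
    req = parse_dcerpc_request(pdu)
    if req is None:
        return None
    # alloc_hint announces the total stub size across all fragments, so a
    # first fragment with a huge hint is flagged before the rest arrives.
    hinted = req["alloc_hint"] if req["flags"] & PFC_FIRST_FRAG else 0
    size = max(len(req["stub"]), hinted)
    if size > limit:
        return (f"oversized LSARPC request: opnum={req['opnum']} "
                f"call_id={req['call_id']} stub={size} bytes (limit {limit})")
    return None

def build_request(opnum: int, stub: bytes, call_id: int = 1) -> bytes:
    """Build a single-fragment, little-endian DCE/RPC request PDU (test traffic only)."""
    hdr = struct.pack("<BBBBBBBBHHIIHH", 5, 0, PTYPE_REQUEST, 0x03, 0x10, 0, 0, 0,
                      24 + len(stub), 0, call_id, len(stub), 0, opnum)
    return hdr + stub
```

Requests to other pipes and PDUs that are not well-formed requests are ignored rather than alerted on, so the check only fires on the traffic the signature description names.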
There are a few factors that may complicate exploitation of this vulnerability. In particular, if the output directory for the debug log file is on an NTFS file system, an unprivileged user may not be able to write to it, and the execution path required to exploit this issue will not be followed. Specifically, the RpcImpersonateClient() API may be called when the log is about to be written, and if this call fails then the log may not be written. However, there are some ways to circumvent the call to the RpcImpersonateClient() API. Through the undocumented DsRolerUpgradeDownlevelServer() function on Windows 2000 and XP, it is possible to bypass the problematic API call and pass malicious data directly to the affected vsprintf() routine. As a result, DsRolerUpgradeDownlevelServer() may be used to trigger the overrun both locally and across the network.
Successful exploitation of this issue could allow a remote attacker to execute malicious code on a vulnerable system, resulting in full system compromise.
This issue could be exploited by an anonymous user on Microsoft Windows 2000 and XP operating systems. The issue may reportedly only be exploited by local, authenticated users on Microsoft Windows Server 2003 and Microsoft Windows XP 64-Bit Edition 2003.
It is possible that an exploit for this vulnerability could be incorporated into a worm.
It has been observed that W32.Gaobot and W32.RXBot worms are exploiting this issue to propagate.
- Avaya DefinityOne Media Servers
- Avaya IP600 Media Servers
- Avaya S3400 Message Application Server
- Avaya S8100 Media Servers
- Microsoft Windows 2000 Advanced Server SP1, SP2, SP3, SP4
- Microsoft Windows 2000 Datacenter Server SP1, SP2, SP3, SP4
- Microsoft Windows 2000 Professional SP1, SP2, SP3, SP4
- Microsoft Windows 2000 Server SP1, SP2, SP3, SP4
- Microsoft Windows Server 2003 Datacenter Edition
- Microsoft Windows Server 2003 Datacenter Edition Itanium
- Microsoft Windows Server 2003 Enterprise Edition
- Microsoft Windows Server 2003 Enterprise Edition Itanium
- Microsoft Windows Server 2003 Standard Edition
- Microsoft Windows Server 2003 Web Edition
- Microsoft Windows XP 64-bit Edition SP1
- Microsoft Windows XP 64-bit Edition Version 2003 SP1
- Microsoft Windows XP Home SP1
- Microsoft Windows XP Professional SP1