Multiple LPC Vulnerabilities Found in Windows NT/2000

Bindview RAZOR Team has identified multiple vulnerabilities in the implementation of LPC ports. The vulnerabilities, ranging from denial of service attacks to privilege escalation, affect both Windows NT and Windows 2000.

Steve Manzuik

October 3, 2000


Reported October 3, 2000 by Bindview RAZOR

VERSIONS AFFECTED

Windows NT 4.0 up to and including Service Pack 6a; Windows 2000 up to and including Service Pack 1.

DESCRIPTION

Multiple vulnerabilities have been discovered in the implementation of LPC ports. These vulnerabilities range from denial of service attacks to privilege escalation and affect Windows NT up to and including Service Pack 6a and Windows 2000 up to and including Service Pack 1.

Mostly undocumented, LPC ports are used as an inter-process communication mechanism by Windows NT and Windows 2000.

DEMONSTRATION

The first vulnerability affects Windows NT 4.0 up to and including Service Pack 6a only. By discovering the pid, tid, and mid of an outstanding connection request, a malicious user is able to hijack the connection by supplying an LPC_MSG with the correct pid, tid, and mid parameters.

The second vulnerability is also a Windows NT 4.0 SP6a issue. By modifying the first vulnerability, an attacker could cause a blue screen of death (BSOD).

The third vulnerability, also affecting only Windows NT 4.0 SP6a, is another denial of service attack resulting in a blue screen of death. If a client connects to a specific LPC process and sends garbage text, the Windows NT machine will suffer a BSOD.

Vulnerability number four affects both Windows NT and Windows 2000. This vulnerability can be used for a variety of denial of service attacks and could even be exploited to gain privileges.

The fifth vulnerability is somewhat similar to a previous LPC ports vulnerability also reported by Bindview RAZOR. A malicious user could exploit a flaw in LPC ports to impersonate any arbitrary process and gain elevated privileges. This is possible on both Windows NT and Windows 2000. Not only could an attacker elevate his privileges; a similar vulnerability can also be used to read from and write to any other process.

Finally, the sixth and last vulnerability is a denial of service that can be performed on both Windows NT and Windows 2000. By exploiting the design of LPC ports, a malicious user could cause all available memory to be consumed.

Complete information plus proof of concept code has been made available at: http://razor.bindview.com/publish/advisories

VENDOR RESPONSE

Microsoft has released a security bulletin, MS00-070, available at: http://www.microsoft.com/technet/security/bulletin/MS00-070.asp

Microsoft has also released hot-fixes, available for Windows NT at: http://www.microsoft.com/Downloads/Release.asp?ReleaseID=24650 and for Windows 2000 at: http://www.microsoft.com/Downloads/Release.asp?ReleaseID=24649

CREDIT

Discovered by Todd Sabin, Bindview RAZOR Team
