Skip navigation
Menu
End-User Platforms>Windows 7/8

Multiple LPC Vulnerabilities Found in Windows NT/2000


 Reported October 3, 2000 by Bindview RAZOR

VERSIONS AFFECTED
  • Windows NT, Windows 2000

DESCRIPTION

Multiple vulnerabilities have been discovered in the implementation of LPC ports.  These vulnerabilities range from denial of service attacks to privilege escalation and effect Windows NT up to and including service pack 6a and Windows 2000 up to and including service pack 1.

Mostly undocumented, LPC ports are used as an inter-process communication mechanism by Windows NT and Windows 2000.

DEMONSTRATION

The first vulnerability affects Windows NT 4.0 up to and including service pack 6a only.  By discovering the pid, tid, and mid or an outstanding connection request a malicious user is able to hijack the connection by supplying a LPC_MSG with the correct pid, tid, and mid parameters.  

The second vulnerability is also a Windows NT 4.0 SP6.0a issue.  By modifying the first vulnerability an attacker could cause a blue screen of death (BSOD) 

The third vulnerability, also effecting only Windows NT 4.0 SP6.0a, is another denial of service attack resulting in a blue screen of death.  If a client connects to a specific LPC process and sends garbage text the Windows NT machine will suffer from a  BSOD.

Vulnerability number four affects both Windows NT and Windows 2000.  This vulnerability can be used for a variety of denial of service attacks and could even be exploited to gain privileges.

The fifth vulnerability is somewhat similar to a previous LPC Ports vulnerability also reported by Bindview RAZOR.  A malicious user could exploit a flaw in LPC ports and impersonate any arbitrary process gaining elevated privileges.  This is possible on both Windows NT and Windows 2000.  Not only could an attacker elevate his privileges, a similar vulnerability can also be used to read and write to any other process.

Finally, the sixth and last vulnerability, a denial of service can be performed on both Windows NT and Windows 2000.  By exploiting the design of LPC ports a malicious user could cause all available memory to be consumed.

Complete information plus proof of concept code has been made available at; http://razor.bindview.com/publish/advisories

VENDOR RESPONSE

Microsoft has released a security bulletin, MS00-070 available at;  http://www.microsoft.com/technet/security/bulletin/MS00-070.asp

Microsoft has also released hot-fixes available at; http://www.microsoft.com/Downloads/Release.asp?ReleaseID=24650 and for Windows 2000; http://www.microsoft.com/Downloads/Release.asp?ReleaseID=24649

CREDIT
 Discovered by Todd Sabin, Bindview RAZOR Team
TAGS: Security
Hide comments

More information about text formats

Comments

  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.
Publish
Recommended Reading
PowerShell screenshot shows Where-Object cmdlet
How to Use the PowerShell Where-Object Cmdlet
Aug 04, 2022
shield_icon_laptop.jpg
What To Do When Windows Defender Is Not Working
Mar 15, 2022
Computer Screen Showing Password Dialog Box
Microsoft Edge Downloads Updated for Azure AD Sign-In & Sync
Aug 22, 2019
mktg-wp-nolabel5
How to Approach the Windows 7 to 10 Migration
Aug 01, 2019