MS01-024: Malformed Request to Domain Controller Can Cause Memory Exhaustion (294391)


The information in this article applies to:

  • Microsoft Windows 2000 Server SP1
  • Microsoft Windows 2000 Server SP2
  • Microsoft Windows 2000 Advanced Server SP1
  • Microsoft Windows 2000 Advanced Server SP2
This article was previously published under Q294391

SYMPTOMS

A core service that runs on all Windows 2000 domain controllers (but not on any other computers), contains a memory leak that can be triggered when the service attempts to process a certain type of invalid service request. By repeatedly sending such a request, an attacker could deplete the available memory on the server. If memory were sufficiently depleted, the domain controller (DC) could become unresponsive, which would prevent it from processing logon requests or issuing new Kerberos tickets. Note that an affected computer could be restored to service by rebooting.

Mitigating Factors

  • Users who were already logged on and using previously-issued Kerberos tickets would not be affected by DC unavailability.
  • If there were multiple DCs on the domain, the unaffected computers could pick up the other computer's load.
  • If normal security practices have been followed, Internet users would be prevented (by use of firewalls and other measures) from levying requests directly to DCs.

RESOLUTION

To resolve this problem, obtain the latest service pack for Windows 2000. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:

260910 How to Obtain the Latest Windows 2000 Service Pack

The English version of this fix should have the following file attributes or later:
   Date         Time      Version         Size     File name
   ----------------------------------------------------------------------
   6/27/2001   12:19p   5.0.2195.3787    501,520   Lsasrv.dll (56-bit)
   6/27/2001   01:53p   5.0.2195.3787    355,088   Advapi32.dll
   6/27/2001   01:50p   5.0.2195.3787    519,440   Instlsa5.dll
   6/27/2001   01:53p   5.0.2195.3787    143,120   Kdcsvc.dll
   6/26/2001   08:15p   5.0.2195.3781    197,392   Kerberos.dll
   6/26/2001   08:16p   5.0.2195.3781     69,456   Ksecdd.sys
   6/27/2001   12:20p   5.0.2195.3787    501,520   Lsasrv.dll
   6/26/2001   08:16p   5.0.2195.3781     33,552   Lsass.exe
   6/27/2001   01:53p   5.0.2195.3781    909,072   Ntdsa.dll
   6/27/2001   01:53p   5.0.2195.3781    382,224   Samsrv.dll
   6/27/2001   01:53p   5.0.2195.3781    128,784   Scecli.dll
   6/27/2001   01:53p   5.0.2195.3649    299,792   Scesrv.dll

STATUS

Microsoft has confirmed that this problem may cause a degree of security vulnerability in Windows 2000. This problem was first corrected in Windows 2000 Service Pack 3.

MORE INFORMATION

For more information about this vulnerability, please see the following Microsoft Web site:

http://www.microsoft.com/technet/security/bulletin/MS01-024.mspx

For additional information about how to obtain a hotfix for Windows 2000 Datacenter Server, click the article number below to view the article in the Microsoft Knowledge Base:

265173 The Datacenter Program and Windows 2000 Datacenter Server Product

For additional information about how to install multiple hotfixes with only one reboot, click the article number below to view the article in the Microsoft Knowledge Base:

296861 Use QChain.exe to Install Multiple Hotfixes with One Reboot

Modification Type:MinorLast Reviewed:9/26/2005
Keywords:kbHotfixServer kbQFE kbbug kbenv kbfix kbgraphxlinkcritical KbSECHack kbSecurity kbWin2000PreSP3Fix kbWin2000sp3fix KB294391
©2004 Microsoft Corporation. All rights reserved.