Microsoft KB Archive/294391

= MS01-024: Malformed Request to Domain Controller Can Cause Memory Exhaustion =

Article ID: 294391

Article Last Modified on 9/26/2005

-

APPLIES TO


 * Microsoft Windows 2000 Service Pack 1
 * Microsoft Windows 2000 Service Pack 2
 * Microsoft Windows 2000 Advanced Server
 * Microsoft Windows 2000 Advanced Server

-



This article was previously published under Q294391



SYMPTOMS
A core service that runs on all Windows 2000 domain controllers (but not on any other computers), contains a memory leak that can be triggered when the service attempts to process a certain type of invalid service request. By repeatedly sending such a request, an attacker could deplete the available memory on the server. If memory were sufficiently depleted, the domain controller (DC) could become unresponsive, which would prevent it from processing logon requests or issuing new Kerberos tickets. Note that an affected computer could be restored to service by rebooting.

Mitigating Factors

 * Users who were already logged on and using previously-issued Kerberos tickets would not be affected by DC unavailability.
 * If there were multiple DCs on the domain, the unaffected computers could pick up the other computer's load.
 * If normal security practices have been followed, Internet users would be prevented (by use of firewalls and other measures) from levying requests directly to DCs.



RESOLUTION
To resolve this problem, obtain the latest service pack for Windows 2000. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:

260910 How to Obtain the Latest Windows 2000 Service Pack

The English version of this fix should have the following file attributes or later:

  Date         Time      Version         Size     File name --  6/27/2001   12:19p   5.0.2195.3787    501,520   Lsasrv.dll (56-bit) 6/27/2001  01:53p   5.0.2195.3787    355,088   Advapi32.dll 6/27/2001  01:50p   5.0.2195.3787    519,440   Instlsa5.dll 6/27/2001  01:53p   5.0.2195.3787    143,120   Kdcsvc.dll 6/26/2001  08:15p   5.0.2195.3781    197,392   Kerberos.dll 6/26/2001  08:16p   5.0.2195.3781     69,456   Ksecdd.sys 6/27/2001  12:20p   5.0.2195.3787    501,520   Lsasrv.dll 6/26/2001  08:16p   5.0.2195.3781     33,552   Lsass.exe 6/27/2001  01:53p   5.0.2195.3781    909,072   Ntdsa.dll 6/27/2001  01:53p   5.0.2195.3781    382,224   Samsrv.dll 6/27/2001  01:53p   5.0.2195.3781    128,784   Scecli.dll 6/27/2001  01:53p   5.0.2195.3649    299,792   Scesrv.dll



STATUS
Microsoft has confirmed that this problem may cause a degree of security vulnerability in Windows 2000. This problem was first corrected in Windows 2000 Service Pack 3.



MORE INFORMATION
For more information about this vulnerability, please see the following Microsoft Web site:

http://www.microsoft.com/technet/security/bulletin/MS01-024.mspx

For additional information about how to obtain a hotfix for Windows 2000 Datacenter Server, click the article number below to view the article in the Microsoft Knowledge Base:

265173 The Datacenter Program and Windows 2000 Datacenter Server Product

For additional information about how to install multiple hotfixes with only one reboot, click the article number below to view the article in the Microsoft Knowledge Base:

296861 Use QChain.exe to Install Multiple Hotfixes with One Reboot

Additional query words: denial of dos security_patch kbWin2000srp1

Keywords: kbbug kbfix kbwin2000presp3fix kbgraphxlinkcritical kbqfe kbwin2000sp3fix kbenv kbsecurity kbsechack kbhotfixserver KB294391

-

[mailto:TECHNET@MICROSOFT.COM Send feedback to Microsoft]

© Microsoft Corporation. All rights reserved.