
CERT Coordination Center

Microsoft Windows Active Directory fails to handle long LDAP requests

Vulnerability Note VU#594108

Original Release Date: 2003-07-17 | Last Revised: 2003-07-23

Overview

A flaw has been discovered in the way that Microsoft's Active Directory service handles large LDAP requests. This flaw can be exploited to cause a denial of service.

Description

The directory services provided by Microsoft's Active Directory are based on the Lightweight Directory Access Protocol (LDAP). Active Directory objects can be stored and retrieved using standard LDAPv3 requests. Core Security Technologies has discovered a flaw in the way the Active Directory service handles long LDAP requests.

This flaw occurs when an LDAP search request with more than 700 logical qualifiers (e.g., "AND" or "OR") is sent to the server. Exploitation of the flaw reportedly results in a stack overflow and subsequent crash of the Local Security Authority Sub-System (Lsass.exe) service. The death of the Lsass.exe process forces a shutdown of the Windows host system, resulting in a denial of service for the affected server.
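The trigger described above is a search filter whose count of logical qualifiers (AND, OR, NOT) is unusually large. The following checker, added here as an illustration and not part of this vulnerability note or of any Microsoft code, parses an RFC 4515 filter string and reports how many qualifiers it contains and how deeply it is nested, so that an LDAP-aware proxy or front end could reject abnormal filters before they reach a domain controller. It scans iteratively rather than recursively, so the checker cannot itself be driven into a stack overflow by the very input it is meant to catch. The policy limits (64 qualifiers, depth 32) are assumed values chosen for the example; they sit well below the 700-qualifier figure cited in the note.

```python
"""Count logical qualifiers and nesting depth of an LDAP search filter.

Added example (not from the CERT note or from Microsoft). The parser
accepts the RFC 4515 string form, e.g. "(&(objectClass=user)(cn=alice))",
and walks it with an explicit counter instead of recursion.
"""
from dataclasses import dataclass

# Assumed policy limits for this example; the advisory reports the server
# failing above 700 qualifiers, so a defensive limit should be far lower.
DEFAULT_MAX_QUALIFIERS = 64
DEFAULT_MAX_DEPTH = 32


@dataclass
class FilterStats:
    qualifiers: int   # number of '&', '|' and '!' operators
    max_depth: int    # deepest nesting of parenthesised sub-filters
    leaves: int       # number of simple (attribute=value) assertions


def filter_stats(filter_str: str) -> FilterStats:
    """Scan an RFC 4515 filter iteratively and return its statistics.

    Raises ValueError on an empty filter, unbalanced parentheses, an empty
    assertion such as "()", or characters outside a parenthesised item.
    Literal parentheses inside values must be escaped (\\28, \\29) per the
    RFC, so scanning an assertion up to the next ')' is safe.
    """
    if not filter_str:
        raise ValueError("empty filter")
    depth = max_depth = qualifiers = leaves = 0
    i, n = 0, len(filter_str)
    while i < n:
        c = filter_str[i]
        if c == "(":
            depth += 1
            max_depth = max(max_depth, depth)
            i += 1
            # The character right after '(' decides the item type.
            if i < n and filter_str[i] in "&|!":
                qualifiers += 1
                i += 1
            else:
                # Simple assertion: consume up to the matching ')'.
                j = i
                while j < n and filter_str[j] != ")":
                    j += 1
                if j >= n:
                    raise ValueError("unterminated assertion")
                if j == i:
                    raise ValueError("empty assertion")
                leaves += 1
                i = j
        elif c == ")":
            if depth == 0:
                raise ValueError("unbalanced ')'")
            depth -= 1
            i += 1
        elif c.isspace():
            i += 1
        else:
            raise ValueError(f"unexpected character {c!r} at offset {i}")
    if depth != 0:
        raise ValueError("unbalanced '('")
    return FilterStats(qualifiers, max_depth, leaves)


def is_filter_acceptable(filter_str: str,
                         max_qualifiers: int = DEFAULT_MAX_QUALIFIERS,
                         max_depth: int = DEFAULT_MAX_DEPTH) -> bool:
    """Return True only for a well-formed filter within the policy limits.

    Malformed input is rejected outright rather than passed on, since a
    front end cannot reason about what the directory would do with it.
    """
    try:
        stats = filter_stats(filter_str)
    except ValueError:
        return False
    return stats.qualifiers <= max_qualifiers and stats.max_depth <= max_depth


if __name__ == "__main__":
    # Constructed sample: an ordinary user lookup with two qualifiers.
    sample = "(&(objectClass=user)(|(cn=alice)(cn=bob)))"
    print(filter_stats(sample), is_filter_acceptable(sample))
```

A proxy that enforces this would log the offending filter's statistics (not necessarily the whole filter, which may be large) together with the source address, giving incident responders a concrete indicator without exposing the directory to the request.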

Impact

Remote attackers may be able to crash the Active Directory server. This can result in a serious denial-of-service condition since the Active Directory service necessarily resides on Windows domain controllers. Unavailability of the domain controllers may affect normal operations within the domain.

Solution

Microsoft has included a patch for this issue in Windows 2000 Service Pack 4. For additional information, users are encouraged to review the following Microsoft Knowledge Base Articles:

319709 - An Access Violation Occurs in Lsass Because of a Stack Overflow
260910 - How to Obtain the Latest Windows 2000 Service Pack

Workarounds

Block or restrict access to the Active Directory service (port 389/tcp) from untrusted networks such as the Internet. As a general rule, the CERT/CC recommends that sites block all types of network traffic from sources that are not explicitly required for normal operation.

Vendor Information


Microsoft Corporation Affected

Notified: July 14, 2003 Updated: July 17, 2003

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Microsoft has included a patch for this issue in Windows 2000 Service Pack 4. For additional information, users are encouraged to review the following Microsoft Knowledge Base Articles:

319709 - An Access Violation Occurs in Lsass Because of a Stack Overflow
260910 - How to Obtain the Latest Windows 2000 Service Pack

Acknowledgements

Thanks to Core Security Technologies for discovering, researching, and reporting this vulnerability.

This document was written by Chad R Dougherty.

Other Information

CVE IDs: CVE-2003-0507
Severity Metric: 13.10
Date Public: 2003-07-02
Date First Published: 2003-07-17
Date Last Updated: 2003-07-23 15:01 UTC
Document Revision: 18

Sponsored by CISA.