Microsoft Product Support Services   All Products  |   Support  |   Search  |   microsoft.com Home  
microsoft.com
  Support Home  |   Find a Solution  |   Request Support  |   Custom Support  |

Malformed Request to Domain Controller Can Cause Memory Exhaustion


The information in this article applies to:
  • Microsoft Windows versions 2000, 2000 SP1 Server
  • Microsoft Windows versions 2000, 2000 SP1 Advanced Server


SYMPTOMS

A core service that runs on all Windows 2000 domain controllers (but not on any other computers), contains a memory leak that can be triggered when the service attempts to process a certain type of invalid service request. By repeatedly sending such a request, an attacker could deplete the available memory on the server. If memory were sufficiently depleted, the domain controller (DC) could become unresponsive, which would prevent it from processing logon requests or issuing new Kerberos tickets. Note that an affected computer could be restored to service by rebooting.

Mitigating Factors

  • Users who were already logged on and using previously-issued Kerberos tickets would not be affected by DC unavailability.


  • If there were multiple DCs on the domain, the unaffected computers could pick up the other computer's load.


  • If normal security practices have been followed, Internet users would be prevented (by use of firewalls and other measures) from levying requests directly to DCs.



RESOLUTION

This update supersedes the patch that is supplied with the following Microsoft security bulletin:

http://www.microsoft.com/technet/security/bulletin/MS01-011.asp
A supported fix is now available from Microsoft, but it is only intended to correct the problem described in this article and should be applied only to systems that are determined to be at risk of attack. Please evaluate your computer's physical accessibility, network and Internet connectivity, and other factors to determine the degree of risk to your computer. Please see the associated Microsoft Security Bulletin to help make this determination. This fix may receive additional testing at a later time, to further ensure product quality. If your computer is sufficiently at risk, Microsoft recommends that you apply this fix now. Otherwise, wait for the next Windows 2000 service pack that contains this fix.

To resolve this problem immediately, download the fix as instructed below or contact Microsoft Product Support Services to obtain the fix. For a complete list of Microsoft Product Support Services phone numbers and information on support costs, please go to the following address on the World Wide Web:

http://support.microsoft.com/directory/overview.asp
NOTE: In special cases, charges that are normally incurred for support calls may be canceled, if a Microsoft Support Professional determines that a specific update will resolve your problem. Normal support costs will apply to additional support questions and issues that do not qualify for the specific update in question.

The following file is available for download from the Microsoft Download Center:
[GRAPHIC: Download]Download Q294391_w2k_sp3_x86_EN.exe now
For additional information about how to download Microsoft Support files, click the article number below to view the article in the Microsoft Knowledge Base:
Q119591 How to Obtain Microsoft Support Files from Online Services
Microsoft used the most current virus detection software available on the date of posting to scan this file for viruses. Once posted, the file is housed on secure servers that prevent any unauthorized changes to the file.

The English version of this fix should have the following file attributes or later:
   Date        Time    Version        Size     File name
   ------------------------------------------------------------------
   03/28/2001  03:05p  5.0.2195.3422  354,576  Advapi32.dll
   03/28/2001  03:03p  5.0.2195.3422  519,440  Instlsa5.dll
   03/28/2001  03:05p  5.0.2195.3422  142,096  Kdcsvc.dll
   03/28/2001  01:36a  5.0.2195.3407  207,920  Kerberos.dll
   03/28/2001  01:31a  5.0.2195.3422   69,456  Ksecdd.sys
   03/28/2001  01:43a  5.0.2195.3422  501,520  Lsasrv.dll (128-bit)
   03/28/2001  01:43a  5.0.2195.3422  501,520  Lsasrv.dll (56-bit)
   03/28/2001  01:43a  5.0.2195.3422   33,552  Lsass.exe
   03/28/2001  03:05p  5.0.2195.3422  908,048  Ntdsa.dll
   03/28/2001  03:05p  5.0.2195.3422  382,224  Samsrv.dll
   03/28/2001  01:41a  5.0.2195.3422  127,760  Scecli.dll 


STATUS

Microsoft has confirmed this to be a problem in the Microsoft products that are listed at the beginning of this article.


MORE INFORMATION

For more information about this vulnerability, please see the following Microsoft Web site:

http://www.microsoft.com/technet/security/bulletin/MS01-024.asp
For additional information about how to install Windows 2000 and Windows 2000 hotfixes at the same time, click the article number below to view the article in the Microsoft Knowledge Base:
Q249149 Installing Microsoft Windows 2000 and Windows 2000 Hotfixes

Additional query words: denial of dos

Keywords : kbenv kbtool kbWin2000PreSP3Fix kbgraphxlinkcritical
Issue type : kbbug
Technology : kbwin2000AdvServ kbwin2000AdvServSearch kbwin2000Serv kbwin2000Ssearch kbWinAdvServSearch kbWin2000AdvServSP1 kbwin2000ServSP1


Last Reviewed: June 1, 2001
© 2001 Microsoft Corporation. All rights reserved. Terms of Use.


Article ID: Q294391

Last Reviewed:
June 1, 2001

Send to a friend

Provided by
Microsoft Product Support Services


Did the information in this article help answer your question?

Yes
No
Did not apply

Please provide additional comments about this information.
(255 character max)