Signature Detail

SMB: Remote Registry Request DoS

The anomaly detects a suspiciously large registry key in the OpenKey function executed using a named-pipe transaction. Large key sizes in the OpenKey function can cause the winlogon.exe process in Window NT 4.0 to crash. The key size to trigger this attack can be configured in the sensor settings of the policy.

Extended Description

In special circumstances while handling requests to access the Remote Registry Server, Windows NT 4.0 can crash due to winlogon.exe's inability to process specially malformed remote registry requests. Rebooting the machine would be required in order to regain normal functionality. Only authenticated users on the network would be able to exploit this vulnerability. If Windows NT was configured to deny all remote registry requests, it would not be affected by this vulnerability under any conditions.

Affected Products

• Microsoft Windows NT 4.0

References

• BugTraq: 1331
• CVE: CVE-2000-0377
• URL: http://www.securityfocus.com/data/vulnerabilities/exploits/crash_winlogon.c
• URL: http://www.microsoft.com/technet/security/bulletin/fq00-040.mspx