CVE-1999-1234
Description
NULL policy handle in LSA calls allows remote attackers to crash LSASS.EXE on Windows NT 4.0, causing denial of service.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The vulnerability resides in the Local Security Authority (LSA) subsystem (LSASS.EXE) in Windows NT 4.0. The MSRPC marshalling/unmarshalling code fails to handle a NULL policy handle, causing a crash when specific RPC functions are called with such a handle. The affected functions are SamrOpenDomain, SamrEnumDomainUsers, and SamrQueryDomainInfo. All versions of Windows NT 4.0, including Service Pack 5 (SP5) and the LSA3-fix hotfix, are vulnerable [1].
Exploitation
An unauthenticated remote attacker can trigger the denial of service by sending a crafted MSRPC call that includes a NULL policy handle to any of the three affected functions. No prior authentication or user interaction is required; the attacker only needs network access to the target system [1].
Impact
Successful exploitation causes the LSASS.EXE process to crash, resulting in a system-wide denial of service. The Windows NT 4.0 machine may become unstable or require a reboot to restore normal operation. No data disclosure or privilege escalation is achieved [1].
Mitigation
As of the last known public information (October 1999), Microsoft had not released a fix for this vulnerability, although Internet Security Systems had reported it in February 1999. Service Packs 3, 4, and 5 and the LSA2-fix and LSA3-fix hotfixes do not address the issue [1]. No workaround is documented. Windows NT 4.0 is long out of support, so no patch is expected.
AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- cpe:2.3:o:microsoft:windows_nt:4.0:*:*:*:*:*:*:*
Patches
No patches discovered yet.
References: 2