Cisco Security Agent

Field Notice: Winlogon Can Trigger a False Buffer Overflow in Windows XP


September 3, 2004


Products Affected

CSA - 4.0 Desktop XP

Problem Description

Winlogon sometimes triggers the buffer overflow protection of the Cisco Security Agent (CSA). This can occur on Windows XP Service Pack 2 machines logging into a domain. The result is that the user is not able to log onto the machine.

Background

Microsoft changed the characteristics of Winlogon in Service Pack 2 for Windows XP, which can trigger CSA's buffer overflow protection.

Problem Symptoms

The user attempts to log into the Windows XP Service Pack 2 machine but is told there is a licensing problem and is returned to the login screen. From there the user cannot log in, or may see a blank Windows dialog box containing a large red dot with an "x" in it and still be unable to log in.

Below is a typical message found in csalog.txt file and the CSA MC from the problematic agent:

 [2004-07-30 14:22:24.546] [PID=1628] [Csamanager]: Event: The critical system application
 'C:\WINDOWS\system32\winlogon.exe' (as user NT AUTHORITY\SYSTEM) tried to call the
 function CreateThread("") from a buffer (the return address was 0xa61b74). The code at this
 address is '50575368 833f0301 5757ff15 74120001 6668ae56 66506651 6650e87d
 c35a003b' This either happens when a program uses self-modifying code or when a program has
 been subverted by a buffer overflow attack. The user chose 'Terminate (not logged in)'.
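As an added example (not part of the field notice or of the CSA product), the following Python parses a wrapped csalog.txt entry of the kind shown above into its fields and flags only the documented winlogon/CreateThread combination as the known false positive; the sample entry is constructed from the quoted event, and matching on the full SYSTEM32 path and the SYSTEM account is an assumption made here, not a rule the notice states.

```python
import re
from dataclasses import dataclass

# Constructed sample, modelled on the csalog.txt event quoted in this notice (not a live capture).
SAMPLE_LOG = (
    "[2004-07-30 14:22:24.546] [PID=1628] [Csamanager]: Event: The critical system application\n"
    "'C:\\WINDOWS\\system32\\winlogon.exe' (as user NT AUTHORITY\\SYSTEM) tried to call the\n"
    "function CreateThread(\"\") from a buffer (the return address was 0xa61b74). The code at this\n"
    "address is '50575368 833f0301 5757ff15 74120001 6668ae56 66506651 6650e87d\n"
    "c35a003b' This either happens when a program uses self-modifying code or when a program has\n"
    "been subverted by a buffer overflow attack. The user chose 'Terminate (not logged in)'.\n"
)

# Field layout of the "call from a buffer" event, after line wrapping is folded away.
EVENT_RE = re.compile(
    r"\[(?P<ts>[^\]]+)\] \[PID=(?P<pid>\d+)\] \[(?P<src>[^\]]+)\]: Event: "
    r"The critical system application '(?P<image>[^']+)' \(as user (?P<user>[^)]+)\) "
    r"tried to call the function (?P<func>\w+)\(.*?\) from a buffer "
    r"\(the return address was (?P<ret>0x[0-9a-fA-F]+)\)\. "
    r"The code at this address is '(?P<code>[0-9a-fA-F ]+)'"
)

@dataclass
class BufferCallEvent:
    timestamp: str
    pid: int
    image: str          # full path of the process CSA stopped
    user: str
    function: str       # system function called from non-code memory
    return_address: int
    code_bytes: bytes   # bytes CSA dumped from the return address

def parse_event(text):
    # Fold the wrapped lines back into one record, then pull out the named fields.
    flat = " ".join(text.split())
    m = EVENT_RE.search(flat)
    if m is None:
        return None  # not a "call from a buffer" event
    return BufferCallEvent(
        timestamp=m["ts"], pid=int(m["pid"]), image=m["image"], user=m["user"],
        function=m["func"], return_address=int(m["ret"], 16),
        code_bytes=bytes.fromhex(m["code"].replace(" ", "")),
    )

# The single combination this notice documents as benign (CSCef47065). Matching the full path
# and account is an assumption here, so a same-named binary elsewhere still gets reviewed.
KNOWN_FALSE_POSITIVE = (r"c:\windows\system32\winlogon.exe", r"nt authority\system", "createthread")

def triage(ev):
    key = (ev.image.lower(), ev.user.lower(), ev.function.lower())
    return "known-false-positive" if key == KNOWN_FALSE_POSITIVE else "investigate"
```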

Workaround/Solution

A hotfix is available for Windows XP Service Pack 2 machines that log into a domain. It applies to CSA version 4.0.3.716 and/or 4.0.3.717. The location for the hotfix is: Hotfixes for Cisco Security Agent (registered customers only)

For new installations, an updated build with this correction has been posted as CSA 4.0.3.720. The location for the updated build is: .

It is recommended that the hotfix be applied. If you do not apply it, a workaround is to exclude the winlogon.exe process entirely from the "Accessing system functions from code executing in data or stack space" subrule of the Trojan Detection Rule.

DDTS

To follow the bug ID link below and see detailed bug information, you must be a registered user and you must be logged in.

DDTS                                      Description
CSCef47065 (registered customers only)    Winlogon still causing a buffer overflow in WinXP

For More Information

If you require further assistance, or if you have any further questions regarding this field notice, please contact the Cisco Systems Technical Assistance Center (TAC) by one of the following methods:

Receive Email Notification For New Field Notices

Product Alert Tool - Set up a profile to receive email updates about reliability, safety, network security, and end-of-sale issues for the Cisco products you specify.