CVE-2000-1200 in Windows
Summary
by MITRE
Windows NT allows remote attackers to list all users in a domain by obtaining the domain SID with the LsaQueryInformationPolicy policy function via a null session and using the SID to list the users.
Analysis
by VulDB Data Team • 05/06/2019
This vulnerability exists in Microsoft Windows NT operating systems and represents a significant information disclosure flaw that allows remote attackers to enumerate domain users without authentication. The vulnerability specifically leverages the LsaQueryInformationPolicy function within the Local Security Authority (LSA) to obtain the domain security identifier (SID) through a null session connection. This capability enables attackers to gain unauthorized visibility into domain user populations, which forms a critical foundation for subsequent social engineering and privilege escalation attacks.
The technical exploitation occurs through the use of null sessions, which are unauthenticated connections that Windows NT permits for certain administrative functions. When a null session is established, the LsaQueryInformationPolicy function can be invoked to retrieve the domain SID, which serves as a unique identifier for the entire domain. Once the domain SID is obtained, attackers can utilize this information to enumerate all users within the domain by constructing appropriate SID ranges and querying the system accordingly. This process bypasses normal authentication mechanisms and represents a fundamental flaw in the Windows NT security model's handling of unauthenticated requests.
The operational impact of this vulnerability extends far beyond simple information disclosure, as it provides attackers with comprehensive knowledge of domain user accounts that can be used for targeted attacks. An attacker who successfully exploits this vulnerability can compile detailed lists of domain users, including their account names and associated security identifiers, which significantly reduces the effort required for subsequent exploitation attempts. This information can be used to craft targeted phishing campaigns, identify high-value accounts for privilege escalation, or facilitate credential stuffing attacks against domain user accounts. The vulnerability essentially provides a reconnaissance capability that lets attackers map domain user populations without requiring any valid credentials or authentication.
The flaw aligns with CWE-200, which describes "Information Exposure" and specifically addresses the improper exposure of sensitive information to unauthorized actors. Additionally, this vulnerability relates to ATT&CK technique T1087.001, "Account Discovery: Local Account," and T1087.002, "Account Discovery: Domain Account," as it enables unauthorized discovery of domain user accounts through system functions that should require proper authentication. The vulnerability is also a stepping stone toward privilege escalation, since the enumerated account list directly supports more sophisticated attack vectors.
Mitigation strategies for this vulnerability include implementing proper access controls and authentication mechanisms to prevent unauthorized null session establishment. Microsoft released patches and updates to address this issue in subsequent service packs and security updates for Windows NT. Organizations should ensure that all Windows NT systems are updated with the latest security patches and that proper network segmentation and firewall rules are implemented to restrict access to LSA functions. Additionally, implementing strong authentication requirements and disabling unnecessary null session access can significantly reduce the attack surface. Network administrators should also consider implementing monitoring and alerting for unusual LSA function access patterns that could indicate exploitation attempts.
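The two mitigation points above, restricting null-session enumeration and monitoring for it, can be checked with a short script. The following is an added example, not code from VulDB or Microsoft. The registry value names under HKLM\SYSTEM\CurrentControlSet\Control\Lsa (RestrictAnonymous, RestrictAnonymousSAM, EveryoneIncludesAnonymous) are real, but the mapping from values to findings is this example's own assessment: RestrictAnonymous=1 (the NT 4.0 SP3 setting) blocks anonymous SAM enumeration yet still permits anonymous LSA policy and SID lookups, while the value 2 introduced with Windows 2000 denies anonymous access to LSA resources unless explicitly granted. The log lines are constructed; their layout (event 4624, "ANONYMOUS LOGON", logon type 3, source address) follows modern Windows security logging, whereas NT 4.0 itself recorded successful network logons as event 540.

```python
"""Added example (not from VulDB or Microsoft): assess the LSA anonymous-access
settings that govern null-session enumeration, and scan constructed security
log lines for anonymous network logons from unexpected hosts.
"""
import sys
from typing import Dict, List, Optional

# Registry key and value names (real) that control what a null session may
# enumerate. The value-to-finding mapping below is this example's own assessment.
LSA_KEY = r"SYSTEM\CurrentControlSet\Control\Lsa"
LSA_VALUES = ("RestrictAnonymous", "RestrictAnonymousSAM", "EveryoneIncludesAnonymous")


def assess_lsa_hardening(values: Dict[str, Optional[int]]) -> List[str]:
    """Return findings for the given LSA registry values.

    `values` maps value name -> DWORD. A missing RestrictAnonymous is treated
    as 0 (the pre-hardening default); the other two use the defaults that
    Windows XP/2003 and later apply when the value is absent.
    """
    findings: List[str] = []
    restrict_anonymous = values.get("RestrictAnonymous") or 0
    if restrict_anonymous == 0:
        findings.append("RestrictAnonymous=0: null sessions may enumerate SAM accounts, shares and LSA policy")
    elif restrict_anonymous == 1:
        findings.append("RestrictAnonymous=1: SAM enumeration blocked, but anonymous LSA policy/SID lookups still allowed")
    # restrict_anonymous >= 2: anonymous access to LSA resources denied unless explicitly granted.
    # Caveat: this value can break down-level trusts and the Computer Browser service; test before deploying.
    if values.get("RestrictAnonymousSAM", 1) == 0:
        findings.append("RestrictAnonymousSAM=0: anonymous enumeration of SAM accounts enabled")
    if values.get("EveryoneIncludesAnonymous", 0) == 1:
        findings.append("EveryoneIncludesAnonymous=1: anonymous users receive Everyone permissions")
    return findings


def read_lsa_settings() -> Dict[str, Optional[int]]:
    """Read the LSA values from the local registry (Windows hosts only)."""
    import winreg  # standard library, present only on Windows
    out: Dict[str, Optional[int]] = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, LSA_KEY) as key:
        for name in LSA_VALUES:
            try:
                out[name] = winreg.QueryValueEx(key, name)[0]
            except FileNotFoundError:
                out[name] = None  # value absent: Windows applies its default
    return out


# Constructed sample lines (not real logs): event id, timestamp, account, logon type, source address.
SAMPLE_LOG = """\
4624,2019-05-06T09:58:10,svc-backup,3,10.0.0.12
4624,2019-05-06T09:58:14,ANONYMOUS LOGON,3,10.0.0.12
4624,2019-05-06T09:58:15,ANONYMOUS LOGON,3,203.0.113.7
4624,2019-05-06T09:58:16,ANONYMOUS LOGON,3,203.0.113.7
4624,2019-05-06T09:58:20,ANONYMOUS LOGON,3,203.0.113.7
4624,2019-05-06T09:59:01,jdoe,2,-
"""


def anonymous_logon_sources(log_text: str, allowlist=frozenset(), threshold: int = 1) -> Dict[str, int]:
    """Count anonymous network logons (logon type 3) per source address.

    Hosts on `allowlist` (e.g. legacy systems known to use null sessions) are
    ignored; only sources with at least `threshold` events are returned.
    """
    counts: Dict[str, int] = {}
    for line in log_text.splitlines():
        parts = line.split(",")
        if len(parts) != 5:
            continue  # malformed line: skip rather than crash the scan
        event_id, _timestamp, account, logon_type, source = parts
        if event_id != "4624" or account != "ANONYMOUS LOGON" or logon_type != "3":
            continue
        if source in allowlist:
            continue
        counts[source] = counts.get(source, 0) + 1
    return {src: n for src, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    # Off Windows, fall back to a constructed NT 4.0 SP3-style setting for demonstration.
    settings = read_lsa_settings() if sys.platform == "win32" else {"RestrictAnonymous": 1}
    for finding in assess_lsa_hardening(settings) or ["no LSA anonymous-access findings"]:
        print(finding)
    for src, n in anonymous_logon_sources(SAMPLE_LOG, allowlist={"10.0.0.12"}).items():
        print(f"{src}: {n} anonymous network logons")
```

The allowlist matters in practice: some older hosts and down-level trust relationships legitimately establish null sessions, so a single anonymous logon is not by itself an indicator, whereas repeated anonymous network logons from an address that has no business reason to connect is the pattern worth alerting on.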