4.9.5. dssetup interface

The dssetup interface (Directory Services Setup) is used in Active Directory environments. The first operation, DsRolerGetPrimaryDomainInformation, is used to query the configuration of an Active Directory domain member system.

IDL (Interface Definition Language) for the dssetup interface is available in Samba 4 [54].

The dssetup interface runs in the LSA on Windows 2000 and later and supports at least one operation:

Table 4.19. dssetup operations

Interface: 3919286a-b10c-11d0-9ba8-00c04fd92ef5 v0.0: dssetup

Availability                                    Operation number  Operation name                       Windows API
Windows 2000 and later                          0x00              DsRolerGetPrimaryDomainInformation   DsRoleGetPrimaryDomainInformation
Windows 2000 and Windows XP (before MS04-011)   0x01              DsRolerDnsNameToFlatName
-                                               0x02              DsRolerDcAsDc
-                                               0x03              DsRolerDcAsReplica
-                                               0x04              DsRolerDemoteDc
-                                               0x05              DsRolerGetDcOperationProgress
-                                               0x06              DsRolerGetDcOperationResults
-                                               0x07              DsRolerCancel
-                                               0x08              DsRolerServerSaveStateForUpgrade
-                                               0x09              DsRolerUpgradeDownlevelServer
-                                               0x0a              DsRolerAbortDownlevelServerUpgrade

("-" in the Availability column: same availability as the row above.)

A buffer overflow in a logging function in lsasrv.dll was discovered by eEye [84] on 2004/04/13 and fixed in the MS04-011 [85] Microsoft security patch. This buffer overflow can be exploited in particular through the DsRolerUpgradeDownlevelServer operation to gain SYSTEM privileges, because this specific operation does not impersonate the security context of the caller (i.e., it does not call RpcImpersonateClient()), so the vulnerable code runs with the privileges of the LSA process itself rather than those of the remote caller.

This buffer overflow has been exploited by the Sasser worm [86], discovered on 2004/04/30.

Starting with Windows Server 2003, these operations belong to the dsrole interface, which cannot be accessed remotely, as explained below. Only the first operation, DsRolerGetPrimaryDomainInformation, is available in the dssetup interface.

The MS04-011 security patch also removed all operations of the dssetup interface except the first one (DsRolerGetPrimaryDomainInformation) on Windows 2000 and Windows XP.
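The one operation that remains reachable through dssetup on patched systems is the query behind the DsRoleGetPrimaryDomainInformation Win32 API listed in Table 4.19. The following script is an added example, not code from the original document: it calls that API through ctypes (Windows only, via netapi32.dll) and turns the returned DSROLE_PRIMARY_DOMAIN_INFO_BASIC structure into an inventory-style record of the machine's role and domain membership. The enumeration and flag values are the ones published in the dsrole.h SDK header, not values taken from this section; the constructed sample values used when the script runs on a non-Windows host are assumptions.

```python
"""Query and interpret DsRoleGetPrimaryDomainInformation (dssetup operation 0x00)."""
import ctypes
import sys

# Info level and constants as published in dsrole.h (SDK header values, not from the text).
DsRolePrimaryDomainInfoBasic = 1

MACHINE_ROLES = {
    0: "DsRole_RoleStandaloneWorkstation",
    1: "DsRole_RoleMemberWorkstation",
    2: "DsRole_RoleStandaloneServer",
    3: "DsRole_RoleMemberServer",
    4: "DsRole_RoleBackupDomainController",
    5: "DsRole_RolePrimaryDomainController",
}

FLAG_NAMES = {
    0x00000001: "DSROLE_PRIMARY_DS_RUNNING",
    0x00000002: "DSROLE_PRIMARY_DS_MIXED_MODE",
    0x00000004: "DSROLE_UPGRADE_IN_PROGRESS",
    0x00000008: "DSROLE_PRIMARY_DS_READONLY",
    0x01000000: "DSROLE_PRIMARY_DOMAIN_GUID_PRESENT",
}


class GUID(ctypes.Structure):
    _fields_ = [("Data1", ctypes.c_uint32), ("Data2", ctypes.c_uint16),
                ("Data3", ctypes.c_uint16), ("Data4", ctypes.c_ubyte * 8)]


class DSROLE_PRIMARY_DOMAIN_INFO_BASIC(ctypes.Structure):
    """Layout returned for info level DsRolePrimaryDomainInfoBasic."""
    _fields_ = [("MachineRole", ctypes.c_uint32),
                ("Flags", ctypes.c_uint32),
                ("DomainNameFlat", ctypes.c_wchar_p),
                ("DomainNameDns", ctypes.c_wchar_p),
                ("DomainForestName", ctypes.c_wchar_p),
                ("DomainGuid", GUID)]


def describe(machine_role, flags, name_flat, name_dns, forest):
    """Decode raw MachineRole/Flags values into a record an inventory tool can store."""
    role = MACHINE_ROLES.get(machine_role, "unknown(%d)" % machine_role)
    set_flags = [name for bit, name in sorted(FLAG_NAMES.items()) if flags & bit]
    unknown = flags & ~sum(FLAG_NAMES)          # bits this decoder does not know
    if unknown:
        set_flags.append("unknown(0x%08x)" % unknown)
    return {
        "role": role,
        "domain_joined": machine_role in (1, 3, 4, 5),
        "is_dc": machine_role in (4, 5),
        "flags": set_flags,
        "domain_flat": name_flat,
        "domain_dns": name_dns,
        "forest": forest,
    }


def query_primary_domain_info(server=None):
    """Call DsRoleGetPrimaryDomainInformation in netapi32.dll (Windows only).

    server=None queries the local machine; a server name queries that host's
    dssetup endpoint, which is what the RPC operation in Table 4.19 serves.
    """
    if sys.platform != "win32":
        raise OSError("DsRoleGetPrimaryDomainInformation is only available on Windows")
    netapi32 = ctypes.WinDLL("netapi32")
    get_info = netapi32.DsRoleGetPrimaryDomainInformation
    get_info.argtypes = [ctypes.c_wchar_p, ctypes.c_uint, ctypes.POINTER(ctypes.c_void_p)]
    get_info.restype = ctypes.c_uint32
    free_mem = netapi32.DsRoleFreeMemory
    free_mem.argtypes = [ctypes.c_void_p]
    free_mem.restype = None

    buf = ctypes.c_void_p()
    status = get_info(server, DsRolePrimaryDomainInfoBasic, ctypes.byref(buf))
    if status != 0:
        raise ctypes.WinError(status)
    try:
        info = ctypes.cast(buf, ctypes.POINTER(DSROLE_PRIMARY_DOMAIN_INFO_BASIC)).contents
        # Attribute access copies the wide strings into Python objects before the buffer is freed.
        return describe(info.MachineRole, info.Flags, info.DomainNameFlat,
                        info.DomainNameDns, info.DomainForestName)
    finally:
        free_mem(buf)


if __name__ == "__main__":
    if sys.platform == "win32":
        print(query_primary_domain_info())
    else:
        # Constructed sample (assumption): a member server whose domain GUID is known.
        print(describe(3, 0x01000000, "CORP", "corp.example", "corp.example"))
```

On a Windows host the script reports the local machine's role; on any other platform it only exercises the decoder on the constructed sample, so it can be checked offline. Because the call goes through the same dssetup operation that survived MS04-011, it also works against a patched Windows 2000 or XP system, whereas the other operations of the table no longer do.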