Bugtraq mailing list archives

Re: [NTSEC] CPU Usage, Known NT 4.0 Security bugs


From: aleph1 () DFW NET (Aleph One)
Date: Sat, 25 Jan 1997 12:22:55 -0600


At 10:30 PM 1/24/97 -0500, Russ wrote:
After exploiting INETINFO and driving it to 100%, I then launched Excel
on the same machine. Utilization never dropped below 100% and Excel took
far longer to start than normal. After starting it, I shut it down,
still no dropback. I started IIS Manager to see if the exploited
INETINFO would allow me, it did, and I was able to start and stop
services, all without affecting the 100% utilization. Finally, I stopped
all the IIS services and immediately the INETINFO process disappeared
and utilization was normal. Starting the IIS services was successful,
and INETINFO started up again normal.

This bug is not in INETINFO, I know that for sure. There is no doubt the
process will peg the CPU at 100% until it's stopped and does in fact tax
the CPU to 100%. As with the RPC bug, other processes can continue to
function as the pegged thread is at priority 8, again.

All of this testing has been done on NT 4.0 Server with SP2 and all 3
public fixes (that means with the kernel, ras, and rpc hot fixes).

Could someone please test this on their own IIS machine running on NT
3.51, do a portscan between 1020 and 1070 typically, and the first port
you find that responds, try the telnet to. Please, only do this to your
own machine. I very much need to know if this bug affects 3.51 machines
or not.

  Yes, affects. I've tested on a NT Server 3.51 Build 1057 SP 4 (no
hotfixes), with IIS 1.0 (probably 1.0D Build 157, but I'm not sure).

  But it has a little different behaviour:

  CPU goes to 100%, but the main responsible is TCPSVCS, with 75%-80% of
CPU time.

  Netstat shows:

---------
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    helen:1028             localhost:1324         CLOSE_WAIT
----------


  IIS seems to be running normally (services and manager). Stopping and
restarting it does nothing to CPU utilization.


Speaking of which, can anyone confirm for sure that the RPC bug affected
their 3.51 machine? Obviously the message sent out from Microsoft was

  Yes, tested on the same computer.

that it only affected 4.0 machines, but I had a few people tell me they
saw it on their 3.51 boxes, but when pushed for confirmation, they
haven't responded.



  Erich Siedler
  erich.siedler () omninet com br


