Bugtraq mailing list archives
Re: [NTSEC] CPU Usage, Known NT 4.0 Security bugs
From: aleph1 () DFW NET (Aleph One)
Date: Sat, 25 Jan 1997 12:22:55 -0600
At 10:30 PM 1/24/97 -0500, Russ wrote:
> After exploiting INETINFO and driving it to 100%, I then launched Excel on the same machine. Utilization never dropped below 100% and Excel took far longer to start than normal. After starting it, I shut it down, still no dropback. I started IIS Manager to see if the exploited INETINFO would allow me, it did, and I was able to start and stop services, all without affecting the 100% utilization. Finally, I stopped all the IIS services and immediately the INETINFO process disappeared and utilization was normal. Starting the IIS services was successful, and INETINFO started up again normally.
>
> This bug is not in INETINFO, I know that for sure. There is no doubt the process will peg the CPU at 100% until it's stopped and does in fact tax the CPU to 100%. As with the RPC bug, other processes can continue to function as the pegged thread is at priority 8, again.
>
> All of this testing has been done on NT 4.0 Server with SP2 and all 3 public fixes (that means with the kernel, ras, and rpc hot fixes).
>
> Could someone please test this on their own IIS machine running on NT 3.51, do a portscan between 1020 and 1070 typically, and the first port you find that responds, try the telnet to. Please, only do this to your own machine. I very much need to know if this bug affects 3.51 machines or not.
Yes, affects. I've tested on a NT Server 3.51 Build 1057 SP 4 (no hotfixes), with IIS 1.0 (probably 1.0D Build 157, but I'm not sure). But it has a little different behaviour: CPU goes to 100%, but the main responsible is TCPSVCS, with 75%-80% of CPU time. Netstat shows:

---------
Active Connections
  Proto  Local Address   Foreign Address   State
  TCP    helen:1028      localhost:1324    CLOSE_WAIT
----------

IIS seems to be running normally (services and manager). Stopping and restarting it does nothing to CPU utilization.
> Speaking of which, can anyone confirm for sure that the RPC bug affected their 3.51 machine? Obviously the message sent out from Microsoft was
Yes, tested on the same computer.
> that it only affected 4.0 machines, but I had a few people tell me they saw it on their 3.51 boxes, but when pushed for confirmation, they haven't responded.
Erich Siedler erich.siedler () omninet com br
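
The netstat row quoted in the message above shows the lingering symptom: a socket held in CLOSE_WAIT (the peer has closed, the local service has not) on a port inside the 1020-1070 window the thread mentions. The following is an added example, not part of the original post or of any Microsoft tool: a small triage script that picks such rows out of saved netstat output. The function names, the port window as a default parameter, and the second and third sample rows are assumptions made for illustration.

```python
import re

# Port window mentioned in the thread (1020-1070); a default, not a fixed rule.
REPORTED_RANGE = range(1020, 1071)

# One netstat connection row: proto, local addr:port, foreign addr:port, state.
ROW = re.compile(r"^\s*(TCP)\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)\s*$", re.I)

def parse_netstat(text):
    """Return a list of dicts, one per TCP row found in netstat output."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            rows.append({
                "local_host": m.group(2), "local_port": int(m.group(3)),
                "remote_host": m.group(4), "remote_port": int(m.group(5)),
                "state": m.group(6).upper(),
            })
    return rows

def stuck_half_closed(rows, ports=REPORTED_RANGE):
    """Rows where the peer has closed (CLOSE_WAIT) but the local service
    still holds the socket on a port inside the window of interest."""
    return [r for r in rows
            if r["state"] == "CLOSE_WAIT" and r["local_port"] in ports]

# Constructed sample: the first data row is the one quoted in the message;
# the other two are made up to show rows that must not be flagged.
SAMPLE = """\
Active Connections
  Proto  Local Address   Foreign Address   State
  TCP    helen:1028      localhost:1324    CLOSE_WAIT
  TCP    helen:80        client1:2040      ESTABLISHED
  TCP    helen:139       client2:1025      CLOSE_WAIT
"""

if __name__ == "__main__":
    for r in stuck_half_closed(parse_netstat(SAMPLE)):
        print("review: local port %d held in CLOSE_WAIT (peer %s:%d)"
              % (r["local_port"], r["remote_host"], r["remote_port"]))
```

A flagged row is only a pointer for review; pair it with per-process CPU figures, since the thread reports the load under INETINFO on NT 4.0 and under TCPSVCS on NT 3.51.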