Bugtraq mailing list archives

Re: Possible DoS attack to NT boxes running OpenNT 2.1


From: n3m0 () HOTMAIL COM (n3m0)
Date: Sat, 15 Aug 1998 18:35:13 +0200


First of all, I must say that OpenNT is a wonderful product. It works
really well and it surprises me every day. My posting here was ONLY
intended to make people aware of something I found and tested, not to
shoot a product.


> There's two things wrong with this. First, it's hardly a DoS attack when
> you had to authenticate yourself to the system to make the attack. If an
> admin saw several dozen instances of a Win32 app belonging to user Nemo,
> said admin could simply call up Nemo and yell at him for sucking up memory.
> There's no anonymous attack here; no username/password, no access.


That's true. This is not a DoS attack in the traditional way. I mean, it's not
like 'teardrop', 'nestea' or whatever. But it could be a problem for those
systems offering anonymous or guest telnet access: a guest user could log
into the system and hang it.

You are also right when you say that I, the sysadmin, can face a registered
user who is trying to kill my system. But anyway, there's a lack of inner
security, and it's also possible for a user to hang the computer before being
caught.


> Second, the Win32 GUI app is running just fine, in a non-displayed Windows
> Station. It is consuming some resources, but mostly swap space; no CPU time,
> once the app has started up and is waiting for user input. A user with
> appropriate privileges (say, Administrator) should be able to use TKILL.EXE
> or the Task Manager or any other appropriate utility to shoot the
> non-visible GUI app. Certainly, Nemo could log back on via telnet and shoot
> his own non-visible GUI app via tkill.


I'm sorry, but I can't agree with this. I am the system administrator and I
tested it thoroughly before I sent my first post, and I have tested it
again before sending this new one. I have tried the experiment from accounts
with different access rights, even administrative ones, and NO ONE on the
system (Administrators included) could kill the process. They seem to be
"protected" system tasks. They may inherit this property from their parent
POSIX processes.

I couldn't find any file called TKILL.EXE, so I tried to kill them through
the Task Manager and the kill command, but neither of them was able to free
the resources.

You say there's no CPU use... I must say this is not what I have suffered.
Sorry, but there IS CPU hogging. Its use rises to 100% and kernel activity
rises to 50% forever. Finally the foreground work turns horrible and
operation becomes impossible.

{Nemo}

---------------------------------------
Nemo - n3m0 () hotmail com

BlackBrains Security Team member
http://www.thepentagon.com/blackbrains/
http://blackbrains.onlinet.com
---------------------------------------
