Bugtraq mailing list archives
Re: Possible DoS attack to NT boxes running OpenNT 2.1
From: n3m0 () HOTMAIL COM (n3m0)
Date: Sat, 15 Aug 1998 18:35:13 +0200
First of all I must say that OpenNT is a wonderful product. It works really fine and it really surprises me every day. My posting here was ONLY intended to make people aware of something I found and tested, not to shoot a product.
> There's two things wrong with this. First, it's hardly a DoS attack when you had to authenticate yourself to the system to make the attack. If an admin saw several dozen instances of a Win32 app belonging to user Nemo, said admin could simply call up Nemo and yell at him for sucking up memory. There's no anonymous attack here; no username/password, no access.
That's true. This is not a DoS attack in the traditional way. I mean, it's not like 'teardrop', 'nestea' or whatever. But it could be a problem for those systems offering anonymous or guest telnet access: a guest user could log into the system and hang it. You are also right when you say that I, the sysadmin, can face a registered user who is trying to kill my system. But anyway, there's a lack of inner security and it's also possible for a user to hang the computer before being caught.
> Second, the Win32 GUI app is running just fine, in a non-displayed Windows Station. It is consuming some resources, but mostly swap space; no CPU time, once the app has started up and is waiting for user input. A user with appropriate privileges (say, Administrator) should be able to use TKILL.EXE or the Task Manager or any other appropriate utility to shoot the non-visible GUI app. Certainly, Nemo could log back on via telnet and shoot his own non-visible GUI app via tkill.
I'm sorry but I can't agree with this. I am the system administrator, and I tested it thoroughly before I sent my first post and tested it again before sending this new one. I have tried the experiment from accounts with different access rights, even administrative ones, and NO ONE on the system (Administrators included) could kill the process. They seem to be "protected" system tasks. They may inherit this property from their parent POSIX processes. I couldn't find any file called TKILL.EXE, so I tried to kill them through the Task Manager and the kill command, but none of them were able to free the resources. You say there's no CPU use... I must say this is not what I have suffered. Sorry, but there IS CPU hogging. Its use rises to 100% and kernel activity rises to 50% forever. Finally the foreground work turns horrible and the operation turns impossible.

{Nemo}
---------------------------------------
Nemo - n3m0 () hotmail com
BlackBrains Security Team member
http://www.thepentagon.com/blackbrains/
http://blackbrains.onlinet.com
---------------------------------------