Bugtraq mailing list archives
SNI-25: Windows NT Denial of Service
From: sni () SECURENETWORKS COM (Secure Networks Inc.)
Date: Sat, 14 Feb 1998 16:34:51 -0700
It is not customary for Secure Networks Inc. to release advisories on weekends, however a fix for the problem within this advisory was made available on Friday, February 13. -----BEGIN PGP SIGNED MESSAGE----- ###### ## ## ###### ## ### ## ## ###### ## # ## ## ## ## ### ## ###### . ## ## . ######. Secure Networks Inc. Security Advisory February 14, 1998 Windows NT Logon Denial of Service This advisory addresses a denial of service attack which can be launched against Microsoft Windows NT servers. When launched, this attack results in a "Blue Screen", causing the Windows NT system to reboot. This vulnerability affects Windows NT systems, including systems which have installed Service Pack 3 and all hotfixes. Problem Description ~~~~~~~~~~~~~~~~~~~ Windows NT utilizes the SMB/CIFS protocol for network file sharing and other communications. To access the SMB/CIFS service on a Windows NT system, a logon request is initiated. Due to incorrect processing of the SMB logon packet, memory corruption occurs within the Windows NT kernel. As a result of corruption, a "Blue Screen" occurs, and the system reboots, and in some instances hangs on this screen. This attack can be launched without a valid login and password, since corruption occurs during processing of the logon request. Technical Details ~~~~~~~~~~~~~~~~~ An SMB logon packet contains the following data: - Username - Password - Operating system - Lan Manager type - Domain The SMB logon request contains the size of data which follows. When the size of data which is specified in the request does not correspond to the size of data which is actually present, corruption occurs. Impact ~~~~~~ Malicious users can launch denial of service attacks against Microsoft Windows NT systems. Vulnerable Systems ~~~~~~~~~~~~~~~~~~ Systems which have shown to be vulnerable to this attack include the following: - Windows NT 4.0 - Windows NT 4.0 with SP3 installed - Windows NT 4.0 with SP3 and hotfixes installed Fix Information ~~~~~~~~~~~~~~~ Microsoft has issued a patch for Windows NT to solve this problem at the following location: ftp site : ftp.microsoft.com directory: /bussys/winnt/winnt-public/fixes/usa/NT40/hotfixes-postSP3/srv-fix Additional Information ~~~~~~~~~~~~~~~~~~~~~~ To the best of our knowledge no program to exploit this problem has been made publicly availible. For additional information see Microsoft Knowledge Base article Q180963. This problem was discovered by Oliver Friedrichs <oliver () securenetworks com> You can browse our web site at http://www.secnet.com You can subscribe to our security advisory mailing list by sending mail to majordomo () secnet com with the line "subscribe sni-advisories" You can find Secure Networks papers at ftp://ftp.secnet.com/pub/papers and advisories at ftp://ftp.secnet.com/advisories You can contact Secure Networks Inc. at <sni () secnet com> using the following PGP key: Type Bits/KeyID Date User ID pub 1024/9E55000D 1997/01/13 Secure Networks Inc. <sni () secnet com> Secure Networks <security () secnet com> - -----BEGIN PGP PUBLIC KEY BLOCK----- Version: 2.6.3ia mQCNAzLaFzIAAAEEAKsVzPR7Y6oFN5VPE/Rp6Sm82oE0y6Mkuof8QzERV6taihn5 uySb31UeNJ4l6Ud9alOPT/0YdeOO9on6eD1iU8qumFxzO3TLm8nTAdZehQSAQfoa rWmpwj7KpXN/3n+VyBWvhpBdKxe08SQN4ZjvV5HXy4YIrE5bTbgIhFKeVQANAAUR tCVTZWN1cmUgTmV0d29ya3MgSW5jLiA8c25pQHNlY25ldC5jb20+iQCVAwUQM1yd EB/bLKAOe7p9AQFptAQAiYpaZCpSmGgr05E698Z3t5r5BPAKUEtgvF53AvZUQLxz ZsYsVU5l5De0qKWJOQ/9LiDyWu1lvKhlTphbLy2RatWD4kO3oQL9v3TpSXm2WQhU uIzyZvj7S5ENodNnKn+gCDIvbou6OMot+7dRbWWgN2oabbru4CSlOxbG++yaTz+J AJUDBRAzTefbtOXez5VgyLkBAd0bA/43eGEgvPOFK+HHWCPpkSWCwtrtDU/dxOVz 9erHnT/CRxeojCI+50f71Qe+kvx9Q1odz2Jl/fLxhnPQdbPnpWblIbu4F8H+Syrj HTilDrl1DWa/nUNgK8sb27SMviELczP1a8gwA1eo5SUCG5TWLLTAzjWOgTxod2Ha OwseUHmqVIkAlQMFEDNOVsr/d6Iw8NVIbQEBxM0D/14XRfgSLwszgJcVbslMHm/B fF6tHoWYojzQle3opOuMYHNN8GsMZRkc1qQ8QuNA9Aj5+qDqEontGjV5IvhBu1fY FM77AhagskaFCZxwqV64Qrk328WDO89NGSd+RuovVNruDdn20TxNCEVuPTHjI0UA 8H+E6FW9jexg6RTHhPXYtCVTZWN1cmUgTmV0d29ya3MgPHNlY3VyaXR5QHNlY25l dC5jb20+iQCVAwUQMtqTKB/bLKAOe7p9AQFw5wQAgUwqJ+ZqfEy/lO1srU3nzxLA X0uHGHrMptRy/LFo8swD6G1TtWExUc3Yv/6g2/YK09b5WmplEJ+Q09maQIw+RU/s cIY+EsPauqIq4JTGh/Nm0Z4UDl2Y1x4GNtm0YqezxUPS0P0A3LHVLJ3Uo5og0G8O gPNrfbVz5ieT14OSCWCJAJUDBRAy2hd2/3eiMPDVSG0BAVNhBACfupfAcNhhnQaq aI03DOOiZSRjvql1xw4V+pPhM+IksdSK3YNUZVJJtANacgDhBT+jAPRaYbBWI3A5 ZMdcSNM8aTG0LWMLIOiOYEm6Lgd3idRBFN0Js08eyITl8mhZ33mDe4I0KQri9UiV ZcPYTbb9CWM6Hv2cMbt6S6kLnFziqIkAlQMFEDLaF0+4CIRSnlUADQEBCLoEAJwt UofDgvyZ4nCDx1KKAPkkXBRaPMWBp46xeTVcxaYiloZfwHfpk1h2mEJAxmAsvizl OtIppHl4isUxcGi/E2mLCLMvis22/IQP/9obPahPvgNaMLVtZljO1Nv3QFEkNciL FEUTNJHR1ko7ibCxkBs4cOpirFuvTMDvWnNaXAf8 =DchE - -----END PGP PUBLIC KEY BLOCK----- Copyright Notice ~~~~~~~~~~~~~~~~ The contents of this advisory are Copyright (C) 1998 Secure Networks Inc, and may be distributed freely provided that no fee is charged for distribution, and that proper credit is given. -----BEGIN PGP SIGNATURE----- Version: 2.6.3ia Charset: noconv iQCVAwUBNOYhG7gIhFKeVQANAQFu5QP/ezhbsUG5vZMu2stCRTCb4mCVYA/xWNS2 GNW8az+x7hTi+Hf02IHdDrpeA9urdMfqdYAPo0W41qCkF3vzoQXPKPcDdxZV2ySC yJs47AaVrkswzS5nFGcE3sKN5XtBPKzadx5dmL4xSI4gkv9y+Bc4EgAZNuJRJlwH E91HYZesX2E= =w29Q -----END PGP SIGNATURE-----
Current thread:
- SNI-25: Windows NT Denial of Service Secure Networks Inc. (Feb 14)