Bugtraq mailing list archives
Re: Vulnerability Report For Microsoft Windows NT 4.0 MSTask.exe code error
From: Andrew Church <achurch () ACHURCH ORG>
Date: Thu, 14 Dec 2000 13:31:01 JST
Windows 2000 Professional (5.00.2195, Japanese version) has MSTask.exe but does not seem to be vulnerable. There is nothing listening on port 1026, and the only other listening ports I found (1025 and 1220) did not cause unusual behavior when fed random data (1220 closed the connection, and 1025 just sat there and took it without any visible resource consumption).

--Andrew Church
achurch () achurch org | New address - please note.
http://achurch.org/ | (My e-mail address has changed.)

Vulnerability Report For Microsoft Windows NT 4.0 MSTask.exe code error

Class: Unknown error
Remotely Exploitable: Yes
Locally Exploitable: Yes
Risk: Medium
Vendor status: Microsoft was notified on 7 December

Vulnerability Description:
MSTask.exe is an application that ships with the Windows NT 4.0. A strange behavior was discovered in the MSTask.exe code. If exploited, this vulnerability allows an attacker to slow down vulnerable Windows NT and sometimes to freeze it.

Vulnerable Packages/Systems:
Microsoft Windows NT 4.0 Workstation
Other systems were not tested.

Solution/Vendor Information/Workaround:
No solution I have found yet.

Technical Description - Exploit/Concept Code:
It appears to me, from testing I have done, that MSTask.exe, usually listening on TCP 1026 (or some high port) will cause memory to be consumed if it is connected to and some random characters are sent to it. After such a connection, eventually the machine will freeze. The only solution appears to be a reboot.

MSTask.exe, however, only permits connections via the localhost, or 127.0.0.1, so on most systems such an attack would have to originate from someone at the console (or connected via Terminal Server). However, if WinGate or Winproxy is installed on the system, the system becomes vulnerable to remote attackers, because they can connect to the system's 1026 TCP port via WinGate or Winproxy, and the connection will be accepted.

To reproduce the problem, use Winnt 4.0 Workstation. Do the following:

1. Start telnet.exe
2. Menu->Connect->Remote System=127.0.0.1, Port=1026
3. Press 'Connect' button
4. When it connects, type some random characters and press enter.
5. Close telnet.exe.

Now you can see in taskmanager that CPU usage is near 100% because of MSTask.exe. Sometimes (not always) the system halts, sometimes MSTask.exe listens on port 1027 or higher. I have tried to do this not only at my computer - it always works.

Windows 95/98 are not vulnerable, because they have no MSTask.exe :-)
Windows 2000 Enterprise Server has MSTask.exe and listens at port 1026, but I didn't check it.

Any updates for this information are available at http://www.eng.securityelf.net/exploit.mstask.php4 .

...........................................................................
"Security/Elf.Net" Project - http://www.securityelf.net
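
An added example, not part of the original post or the advisory: a Python check over `netstat -an` output for the condition the advisory describes, a listener that trusts local connections (port 1026, from the advisory) on a host that also runs a proxy reachable from other machines. The sample output, the proxy port 1080 and all function names are constructed assumptions.

```python
import re

# Constructed sample resembling Windows `netstat -an` output (not from the page).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1080           0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1026         0.0.0.0:0              LISTENING
  TCP    192.168.1.10:139       0.0.0.0:0              LISTENING
  TCP    192.168.1.10:1043      10.0.0.5:80            ESTABLISHED
"""

# Port from the advisory; it notes the service may move to 1027 or higher.
LOCAL_ONLY_PORTS = {1026}
# Assumption: port(s) the locally installed proxy listens on; set per host.
PROXY_PORTS = {1080}

LISTEN_RE = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING\s*$")


def parse_listeners(text):
    """Return [(local_address, port)] for every TCP socket in LISTENING state."""
    found = []
    for line in text.splitlines():
        m = LISTEN_RE.match(line)
        if m:
            found.append((m.group(1), int(m.group(2))))
    return found


def is_loopback(addr):
    return addr.startswith("127.") or addr == "[::1]"


def audit(text, local_only_ports=LOCAL_ONLY_PORTS, proxy_ports=PROXY_PORTS):
    """Flag hosts where a proxy could relay outside traffic to a local-trust port."""
    listeners = parse_listeners(text)
    # Services that rely on "caller is localhost": configured ports or loopback binds.
    local = sorted({p for a, p in listeners
                    if p in local_only_ports or is_loopback(a)})
    # Proxy listeners reachable from other machines (not bound to loopback).
    proxies = sorted({p for a, p in listeners
                      if p in proxy_ports and not is_loopback(a)})
    # A proxy on the same host connects from 127.0.0.1, so the local check passes.
    return {"local_trust": local, "exposed_proxies": proxies,
            "relay_risk": bool(local and proxies)}


if __name__ == "__main__":
    print(audit(SAMPLE_NETSTAT))
```

Binding the proxy to loopback or an internal interface only, or removing it from hosts that run local-trust services, clears the `relay_risk` flag.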