Re: Vulnerability Report For Microsoft Windows NT 4.0 MSTask.exe code error

[Geoffroy RIVAT <geoffroy () SICFA ORG>]

At 14/12/00 05:31, you wrote:
>      Windows 2000 Professional (5.00.2195, Japanese version) has MSTask.exe
> but does not seem to be vulnerable.  There is nothing listening on port 1026,
> and the only other listening ports I found (1025 and 1220) did not cause
> unusual behavior when fed random data (1220 closed the connection, and 1025
> just sat there and took it without any visible resource consumption).

I have tested on Windows NT 4.0 Server SP5 fr

MSTask.exe is running, the only port open is 1032 but not vulnerable in remote.
On local : cpu usage grow quickly.



>   --Andrew Church
>     achurch () achurch org | New address - please note.
>     http://achurch.org/ | $B%a!<%k%"%I%l%9$,JQ$o$j$^$7$?!#(B
>
> >      Vulnerability Report For Microsoft Windows NT 4.0 MSTask.exe code
> error
> >
> >Class: Unknown error
> >
> >Remotely Exploitable: Yes
> >
> >Locally Exploitable: Yes
> >
> >Risk: Medium
> >
> >Vendor status: Microsoft was notified on 7 December
> >
> >Vulnerability Description:
> >
> > MSTask.exe is an application that ships with the Windows NT 4.0
> > A strange behavior was discovered in the MSTask.exe code.
> > If exploited, this vulnerability allows and attacker to slow down
> > vulnerable Windows NT and sometimes to freeze it.
> >
> >Vulnerable Packages/Systems:
> >  Microsoft Windows NT 4.0 Workstation
> >  other systems was not tested.
> >
> >Solution/Vendor Information/Workaround:
> >
> >  No solution I have found yet.
> >
> >Technical Description - Exploit/Concept Code:
> >
> >
> >Technical Description - Exploit/Concept Code:
> >
> >It appears to me, from testing I have done, that MSTask.exe, usually
> >listening on TCP 1026 (or some high port) will cause memory to be consumed
> >if it is connected to and some random characters are sent to it. After such
> >a connection, eventually the machine will freeze. The only solution appears
> >to be a reboot.
> >
> >MSTask.exe, however, only permits connections via the localhost, or
> >127.0.0.1, so on most systems such an attack would have to originate from
> >someone at the console (or connected via Terminal Server).
> >
> >However, if WinGate or Winproxy installed on the system, system becames
> >vulnerable for remote attackers, because they can connect to system's
> 1026 tcp
> >port via wingate or winproxy, and connection will be accepted.
> >
> >To reproduce the problem, use Winnt 4.0 Workstation.
> >Do the following:
> >
> >1. Start telnet.exe
> >2.     Menu->Connect->Remote System=127.0.0.1 , Port=1026
> >3. Press 'Connect' button
> >4. When it is connects, type some random characters and press enter.
> >5. Close telnet.exe.
> >
> >Now you can see in taskmanager, that CPU usage is near 100% because of
> MSTask.exe.
> >Sometimes (not always) system halts, sometimes MStask.exe listens on
> 1027 port or higher.
> >I have tried to do this not only at my computer - it's always works.
> >Windows 95/98 not vulnerable, because they has no MSTask.exe :-)
> >Windows 2000 Enterprise Server has MSTask.exe and listens at 1026 port,
> but I dont check it.
> >
> >Any updates for this information available at
> http://www.eng.securityelf.net/exploit.mstask.php4 .
> >
> >...........................................................................
> >"Security/Elf.Net" Project - http://www.securityelf.net

--
Geoffroy RIVAT
geoffroy () sicfa org
ICQ: 39955422