Bugtraq mailing list archives
Re: Vulnerability Report For Microsoft Windows NT 4.0 MSTask.exe code error
From: Geoffroy RIVAT <geoffroy () SICFA ORG>
Date: Fri, 15 Dec 2000 10:40:01 +0100
At 14/12/00 05:31, you wrote:
> Windows 2000 Professional (5.00.2195, Japanese version) has MSTask.exe but does not seem to be vulnerable. There is nothing listening on port 1026, and the only other listening ports I found (1025 and 1220) did not cause unusual behavior when fed random data (1220 closed the connection, and 1025 just sat there and took it without any visible resource consumption).
I have tested on Windows NT 4.0 Server SP5 (French). MSTask.exe is running; the only open port is 1032, but it is not vulnerable remotely. Locally, CPU usage grows quickly.
> --Andrew Church achurch () achurch org | New address - please note. http://achurch.org/ | E-mail address has changed.
>
> Vulnerability Report For Microsoft Windows NT 4.0 MSTask.exe code error
> >
> >Class: Unknown error
> >
> >Remotely Exploitable: Yes
> >
> >Locally Exploitable: Yes
> >
> >Risk: Medium
> >
> >Vendor status: Microsoft was notified on 7 December
> >
> >Vulnerability Description:
> >
> > MSTask.exe is an application that ships with Windows NT 4.0.
> > A strange behavior was discovered in the MSTask.exe code.
> > If exploited, this vulnerability allows an attacker to slow down
> > vulnerable Windows NT systems and sometimes to freeze them.
> >
> >Vulnerable Packages/Systems:
> > Microsoft Windows NT 4.0 Workstation
> > Other systems were not tested.
> >
> >Solution/Vendor Information/Workaround:
> >
> > No solution I have found yet.
> >
> >Technical Description - Exploit/Concept Code:
> >
> >It appears to me, from testing I have done, that MSTask.exe, usually
> >listening on TCP 1026 (or some high port), will cause memory to be consumed
> >if it is connected to and some random characters are sent to it. After such
> >a connection, eventually the machine will freeze. The only solution appears
> >to be a reboot.
> >
> >MSTask.exe, however, only permits connections via the localhost, or
> >127.0.0.1, so on most systems such an attack would have to originate from
> >someone at the console (or connected via Terminal Server).
> >
> >However, if WinGate or WinProxy is installed on the system, the system becomes
> >vulnerable to remote attackers, because they can connect to the system's TCP port
> >1026 via WinGate or WinProxy, and the connection will be accepted.
> >
> >To reproduce the problem, use WinNT 4.0 Workstation.
> >Do the following:
> >
> >1. Start telnet.exe
> >2. Menu->Connect->Remote System=127.0.0.1 , Port=1026
> >3. Press 'Connect' button
> >4. When it connects, type some random characters and press enter.
> >5. Close telnet.exe.
> >
> >Now you can see in Task Manager that CPU usage is near 100% because of MSTask.exe.
> >Sometimes (not always) the system halts; sometimes MSTask.exe listens on port 1027 or higher.
> >I have tried this not only on my computer - it always works.
> >Windows 95/98 are not vulnerable, because they have no MSTask.exe :-)
> >Windows 2000 Enterprise Server has MSTask.exe and listens on port 1026, but I have not checked it.
> >
> >Any updates to this information are available at http://www.eng.securityelf.net/exploit.mstask.php4 .
> >
> >...........................................................................
> >"Security/Elf.Net" Project - http://www.securityelf.net
--
Geoffroy RIVAT
geoffroy () sicfa org
ICQ: 39955422
Current thread:
- Re: Vulnerability Report For Microsoft Windows NT 4.0 MSTask.exe code error Andrew Church (Dec 15)
- Re: Vulnerability Report For Microsoft Windows NT 4.0 MSTask.exe code error Geoffroy RIVAT (Dec 16)
- Re: Vulnerability Report For Microsoft Windows NT 4.0 MSTask.exe code error Dan Carleton (Dec 16)