Bugtraq mailing list archives

Re: w2k dos


From: aleph1 () securityfocus com
Date: Sun, 29 Jul 2001 05:10:33 -0600

Summary of responses to the Windows local reboot vulnerability:

From: "John H. Sawyer" <jsawyer () mail ifas ufl edu>

I tested this in:
Win2k Pro (ENG) - SP2
Win2k Server (ENG) - no SP's

Pro gave a blue screen with a subsystem error and then rebooted.  Server
simply rebooted.


From: Chad Loder <cloder () acm org>:

Amazing. I can reproduce this on both of my Win2k
boxes. It helps if you totally spam the F7 and
ENTER keys while pinging.

Details of my systems:

System 1
- Win2k SP2, recent hotfixes applied
- dual P3 processors
- Netgear FA311 NIC
- Netgear FA312 NIC

System 2
- Win2k SP2, essentially same patch level as other machine
- single Intel P3 processor
- Netgear FA310-TX NIC


From: "Ben" <sacredknight () realmcity com>:

I confirmed this on a clean install of Win2k pro.


From: "Thomas Hall" <thall41 () home com>

Yup, I reproduced this on Win2K SP2 (English). Very Nasty ...

Actually, I can reproduce it by repeatedly pressing F7 and Enter during ANY
command that takes more than a few seconds to complete, like "dir \winnt".


From: Dan Bunker <danb () staff-abuzz com>

Confirmed on W2k Professional sp1. Not sure how many times I hit f7 as there
were multiple and it was cycling through them when it blue screened.

Blue screen showed a Stop C00021a, fatal system error, system shutdown.

That's the gist anyway as it rebooted pretty quickly and couldn't write it
all down fast enough.


From: "Martin Elster" <melster () chello no>

I've tested this on an English w2k sp2, and sure enough the machine
rebooted. Strange.

I've also tried it on a win2k Terminal Server sp1 (from a remote logon), and
this was not affected by the bug.


From: "Rob Round" <rob () web-sites com>

I just tried this and it happened exactly the way you tell it.  F7 and enter
a couple of times and the machine reboots. A window did pop up, but I hit
enter before I had a chance to read it, and I'm not about to do it again.
I'm using 2000 server.


From: "alann lopes" <alann () ucsd edu>

Now that's a hell of a replacement for
a reset switch :)

Works like a charm for me with w2k-pro SP2

Happy rebooting...


From: Dennis Henderson <hendo () hendohome com>

Verified.


From: Thor () HammerofGod com

Confirmed on W2k Adv Server, SP2.  At first, I waited until the ping
finished before hitting F7, and nothing happened.  But after I continually
hit F7 + Enter back-to-back about 4 times (while the ping was in progress),
it died with a STOP c0000021a.  The only thing I could find on c0000021a was
stuff way back on NT4.0 SP3.


From: Tres Ransom <tres.ransom () athlonsports com>

Yup, 
w2k sp2 all latest patches applied - hard drive dump then - reboot


From: "Niels Vaes" <nielzthabeast () hotmail com>

Tested and confirmed on W2k sp1 English version. However, Windows
didn't reboot immediately. The command prompt froze and I opened Task
Manager to kill the command prompt. When the Task Manager was opened, my
computer rebooted.


From: "Tarick Bedeir" <tbedeir () terra net lb>

I've confirmed this on Windows 2000 Professional SP2 (English). Windows
XP (Whistler) Professional build 2462 (beta 2) does NOT have this
problem. 

Windows dies with STOP error C000021A (Fatal System Error): The Windows
SubSystem system process terminated unexpectedly with a status of
0xc0000005 (0x5ffb448c, 0x0040fa38). 0xc0000005 is an access violation.

F7 in a command prompt window usually brings up a list of
recently-executed commands. I tried F3 + enter and up-arrow + enter,
both of which would repeat the last command (like F7 + enter). Neither
stopped the system.


From: mark () fidelisconsulting com

Daniel,

This is one nasty bug.  
I've verified this to work on Win2K Pro SP2.  It took 3 F7s and my system
hard-booted as if I had hit the reset button.

On a Win2K Server SP2 on a terminal session (administrator mode) it doesn't
crash the box.  However:
 - You can create a "cmd.exe" session that is unkillable
 - You can't log off that session
 - You can't kill that session or "cmd.exe" process from the console
(taskmgr.exe)  
 - You can't log the user off from Terminal Services Manager
 - You can't create another instance of "cmd.exe" in that terminal session
 - A reboot is required to kill the session.


From: "David Page" <david () melaniepage worldonline co uk>

I tried this in WinXP (not Win2k, I know, but they've a similar kernel
(exact?)).

It just brought up a list of the last commands/programs used, and enter
selects it and pastes + runs it.

It acted as it probably should - simply pasted the line and executed it.
(It didn't crash).


From: Marty Richards <marty () netwaynetworks com au>

Works on Win2k pro build 2195 SP1.

Very cute - nice find.


From: "Philip Stoev" <philip () stoev org>

I can confirm that on W2K Pro with SP2 fully patched. There is no need to
use the ping command; any one will do.


From: "Emmanuel Zaspel" <newscontrol () bigfoot com>

It works on W2K Server German SP2 too, even as a user with no rights
(only to log on locally). No dump is saved, only a blue screen in a form
I've never seen on W2K; looks like Win9x :-) Analysis will follow.


From: "Martin Sander" <mail () martin-sander de>

German Win2k SP2 crashes also.


From: "Franck PERREAU" <franck.perreau () cw com>

Same behaviour here with an English and also a French one, both Advanced Server
SP2.
Seems to be a real bug...


From: Shadow <shadow () ns biofarm ro>

I tried this on a Win2k Server with SP2.
If I try to ping a host from the run box, this doesn't work.
If I try to ping from a cmd shell, it works, instant reboot :)


From: "gsmith" <gsmith () onesecure com>

I'd say your machine has an issue... no problem on my W2k
with SP2 loaded...


From: "Nikolai V. Ivanyushin" <koko () infocenter bryansk ru>

Win2k Russian SP2 + all latest hotfixes - warm reboot.


From: "Thomas T. Soares" <ttsoares () orion ufrgs br>

Yes, this flaw exists in a W2k SP2 Portuguese version.


From: "xcjiang" <xcjiang () bayakala com>

I tested it on my PC, nothing happened at all.


From: "Brian Henerey" <brian () cvu wustl edu>

I followed your instructions and it promptly caused my computer to reboot.


From: "Snyder, Kevin" <Kevin.Snyder () expanets com>

I experienced the same issue.

Setup:
Dell CPxJ
Windows 2000 Professional SP1 (factory install)
256MB Ram

At about eight attempts the workstation on which you are performing the
pings reboots.  There is a blue screen that I couldn't catch when the reboot
occurred.


From: "Stephen Evanchik" <myst564 () twcny rr com>

I can confirm that on Windows 2000 Professional SP2 English.


From: Will Saxon <WillS () housing ufl edu>

Absolutely, just tried with Win2k Server, SP2.


From: "Alex Renn Jr." <ray () txnet com>

I can confirm this bug exists in my w2k 5.00.2195 (Russian version).


From: <ever () podspodem art pl>

I did it and I couldn't see anything until... until I pressed ^C to
stop the ping.
Then I saw a BSOD and - reboot.
Working on win2k pl sp2.


From:  Ryan Ratkiewicz <ryan () pinkardcc com>

I can confirm this - Running Win2k Professional, SP2.


From: "Moorjani uday" <moorjani () svenson gp>

I can confirm the bug on the French version of Microsoft Windows 2000,
but I'm not sure it is a bug though, because my system did not reboot.
It sends me a dos window " 0: ping 192.168.1.6", after pressing "Enter",
it continues to ping the given ip.


From: "Mark L. Jackson" <mark_l_jackson () iname com>

Running W2K sp2 English (and all IIS patches) development machine for web.
Unable to reproduce.


From: Ralf Ertzinger <ralf.ertzinger () gmx net>

Works. Even shuts down the IDE disks before rebooting.
W2k Pro German, SP1, all pre-SP2-Hotfixes


From: "David J Scordato" <david () scordato net>

Confirmed on Win2k SP2 International English - I received a BSOD w/ stop error.  Any hints from anyone on the cause?


From: <cybered () ns datasys com mx>

I tried this on a Windows NT 4.0 SP6, many many hotfixes, it works...


From: "Stephen C Burns" <sburns () farpointer net>

Confirmed on W2K Professional and Server - note that this does not
reboot the machine, but stops it dead in its tracks and requires you to
switch the power off and on.


From: Daniel Epstein <depstein () midway uchicago edu>

This is interesting.  I've been trying this for a little while today
and have found that this problem isn't limited to running ping.exe.  It
seems as if repeated pressing of <F7> + <Return> while running a
variety of processes invoked from the command shell will cause my
system to reboot after the process in question has completed.  I have
successfully tried this with the Windows 2000 SP2 versions of ping,
nbtstat, telnet, a for /l loop running copy, and sleep.  I have also
found that the <F7> + <Return> combination must be entered into the
session of cmd.exe that has spawned the child process.  Since <F7>
brings up a menu of the command history for cmd.exe, I suspect that
this may be where the problem lies.  However, it is a weekend and I am
getting tired of crashing my machine, so I think I will leave further
testing up to others.


From: Jay Gruner <getmyfax () gmx de>

Tested and verified on a German version of Win2k SP2. It looked like it
started to display a small grey window on top of the Command Window for
some parts of a second (maybe an error message), then hard disks stopped and
the system got shut down to a BlueScreen. Translated message: Windows
Subsystem shut down unexpectedly. System shut down (or halted).
User context was Administrator; the system is otherwise perfectly stable.
Ping went out to a random host on the Net.


From: "Brendan Howes" <zeio () ix netcom com>

Another bug also confirmed on win2k pro sp2 with all IE hotfixen. This
one works on Advanced server as well; this shouldn't come as a surprise.

Terminal Services on Adv. Server + Citrix Metaframe is also affected.

Funny, a large multiuser system can be brought to its knees from
userland.

Windows NT 3.51 and Winframe 1.8 are not affected. Cutler, you sold out
:0)

Not that userland processes killing NT is a new problem. 


From: "Helder Correia" <helder.correia () visto com>

Yes, I get the same warm reboot when I "F7 - enter" on ping.
If I'm not mistaken, F7 gives you your last ping and enter pings it again.
So the reboot must be a DoS or flood to the net, so w2k reboots.
You don't have to be connected to a net for this to work.

I tried on the Portuguese version, Windows 2000 Professional...


From: Nathan <cornet () sheepy org>

Just tried this on a win2k prof SP2 box and nothing...


From: "Eugene" <eugene () lk net>

So far it is confirmed that any command that is network-related and takes
over a second to execute produces the desired result (warm reboot). Try
"ipconfig", "tracert", etc.

Also vulnerable:

Win NT 4 Server Enterprise Edition, SP6A  English
Win NT 4 Workstation, SP6A English
Windows 2000 Advanced Server (no SP, SP1 and SP2)


From: "Ross Thomas" <ross () grinfinity com>

Confirmed to "work" with W2K Pro SP2 English.

A reboot occurs with ping and tracert, but not with dir. Presumably some
kind of weird command prompt/Winsock interaction.


From: "Andrew Hatfield" <andrew () hatfields com au>

Yes I can confirm this on Win2K Pro SP2 English (OEM)
Installed via RIS

Intel EEPro 10/100

Version 5.0.2195


From: "James Nelson" <xi () employees org>

This doesn't seem to work on Windows XP Professional, RC1.

As far as what permissions are necessary---I was able to reproduce this
on Windows 2000 SP2 using a test user who was only in the local Users
group.

If you close the command window by way of the X (or by double-clicking
the control box), the reboot won't happen. It's apparently only when the
history buffer has a chance to digest stuff.

Also, command.com (with doskey loaded) does not seem to be affected by
this, just cmd.exe.


From: Jim Popovitch <jimpop () yahoo com>

I saw similar results (F7 +Enter...) however I noticed that my
powersupply light on the front of my PC (ATX) went dark, yet the
computer was still running.  The screen was blank w/ a flashing cursor
in the upper left corner, and the NIC lights were flashing viciously.


From: Pyatro Buhalski <uucyce () tut by>

Successfully tested this on my nt4 sp6 workstation with ping,
netstat, tracert and other long-running utils. A STOP error (0xc000021a)
occurs after a huge delay (more than a minute) following pressing
F7-enter several times. Surprisingly, it doesn't reboot if
auto-reboot after STOP isn't specified (someone said it does on w2k).
I also tried pressing F7-enter once while pinging and got some
interesting results: after the first ping nothing happens (just the F7 menu
flashes and the command appears in the prompt). But after the second one
(no matter what you did between these commands), the cmd window just
hangs up. No reboot or anything else. Any ideas?

-- 
Elias Levy
SecurityFocus.com
http://www.securityfocus.com/
Si vis pacem, para bellum
