Re: Winsock 2.0 DoS

From: Brian S. McWilliams (bmcwat_private)
Date: Fri May 01 1998 - 19:57:29 PDT


    Appears Microsoft has quietly addressed the Winsock 2.0 DoS bug.
    
    http://support.microsoft.com/support/kb/articles/q184/2/42.asp
    
    "The Vnbt.386 file installed into the Windows\System folder had an internal
    problem: any attempt at NetBIOS name resolution on a name of 15 characters
    containing at least two periods (.) resulted in internal memory problems.
    The name resolution could be by any method (such as a NET USE command,
    double-clicking a Network Neighborhood resource, or programmatically by a
    program). Enabling or disabling DNS made no difference, the problem
    occurred if any of the forms listed above was passed to Vnbt.386.
    
    This problem could cause Windows to stop responding (hang) without warning.
    Note that the Vnbt.386 file is TCP/IP-specific; NetBIOS name resolution on
    NetBEUI and IPX/SPX were not affected."
    
    -Brian
    
    
    At 09:24 PM 3/11/98 -0500, John Robinson wrote:
    >If a user has the newest winsock patch for winsock 2.0, which can be
    >located at:
    >
    >http://www.microsoft.com/windows95/info/ws2.htm
    >
    >and attempts to do an address lookup on an address which doesn't exist
    >and is 13 characters long winsock will fault. This has been reproduced
    >on several computers and it takes a couple of seconds of looking up to
    >occur. This happens with every winsock program I've tested including
    >Netscape 3, IE 3.0, and MS ping. Example sites that work are:
    >
    >www.socois.cool
    >www.pcorner.org
    >blahd.yahoo.com
    >
    >This apparently only works on names that are exactly 13 characters long
    >(not including periods).
    >
    >This is dangerous because web pages can simply redirect browsers to
    >these pages or put img sources equal to nonexistent address entries
    >which will crash winsock.
    >
    >
    >johnr
    >
    >
    >------------------------------------------------------------------------
    >                            John Robinson
    >johnrat_private          jjr4693at_private        robinsonat_private
    >"Twenty years from now you will be more disappointed by the things you
    > didn't do than by the things you did do. So throw off the bowlines. Sail
    > away from the safe harbor. Catch the trade winds in your sails. Explore.
    > Dream. Discover." Mark Twain
    >------------------------------------------------------------------------
    >
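
Added example (not part of the original messages): a Python check that applies the trigger condition quoted from the KB article (15 characters, at least two periods) and the one given in the quoted report (13 characters, not counting periods) to hostnames pulled from URLs, as one might when reviewing proxy logs or page sources for names that would have hit this bug. The function names and every sample URL other than the three names from the report are constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed sample input. The first three hostnames are the ones quoted in
# the report; the rest are made up to exercise each rule.
SAMPLE_URLS = [
    "http://www.socois.cool/",
    "http://www.pcorner.org/index.html",
    "http://blahd.yahoo.com/a.gif",
    "http://www.example.com/",        # 15 chars, two periods
    "http://a.b.example.org/x.gif",   # 15 chars, three periods (12 + 3)
    "http://abcdefghij.com/",         # 14 chars, one period (13 + 1)
    "http://example.org/",            # 11 chars, matches neither rule
]

def kb_rule(name):
    """KB article wording: a 15-character name with at least two periods."""
    return len(name) == 15 and name.count(".") >= 2

def report_rule(name):
    """Report wording: exactly 13 characters, not counting periods."""
    return len(name.replace(".", "")) == 13

def hostname(url):
    """Return the lower-cased host part of a URL, or '' if there is none."""
    return urlsplit(url).hostname or ""

def flag_urls(urls):
    """Return (host, kb_match, report_match) for hosts matching either rule."""
    hits = []
    for url in urls:
        host = hostname(url)
        kb, rep = kb_rule(host), report_rule(host)
        if kb or rep:
            hits.append((host, kb, rep))
    return hits

if __name__ == "__main__":
    for host, kb, rep in flag_urls(SAMPLE_URLS):
        print(f"{host:<18} kb_rule={kb!s:<5} report_rule={rep}")
```

The two wordings agree only for names with exactly two periods, which is the case for all three names in the report; a log filter for affected clients should follow the KB wording.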
    


