SecureXpert Labs Advisory [SX-98.12.30-01]

From: SecureXpert DIRECT Sender (sxdirectat_private)
Date: Wed Dec 30 1998 - 18:27:02 PST

    SecureXpert Labs Advisory [SX-98.12.30-01]
    This advisory updates advisory [SX-98.12.23-01]
    
    DoS vulnerability in Novell Intranetware Client 3.0.0.0
    
    Reported by: SecureXpert Labs
    
    
    WARNING: this information is based on early analysis.  The subject matter
    is still the subject of active research by SecureXpert Labs and others.
    Legal: www.securexpert.com/legal.html
    
    
    Summary
    
    The previously reported Denial of Service vulnerability in Microsoft
    Windows 98 has proven upon further investigation NOT to be a vulnerability
    in the Microsoft Windows 98 product. Microsoft Windows 98, in a default
    installation without third-party software, is not vulnerable to the attack
    reported in [SX-98.12.30-01].
    
    However, a vulnerability exists in the Novell Intranetware Client version
    3.0.0.0 (as distributed with Novell Netware 5) which affects all Windows
    95 and Windows 98 systems on which the Novell Intranetware Client version
    3.0.0.0 is installed.
    
    Windows 95 and Windows 98 systems with the Novell Intranetware Client
    installed experience a critical error (Blue Screen) when scanned with the
    popular port-scanner tool "nmap" (http://www.insecure.org/nmap) in
    "half-open" scanning mode (-sS).
    
    Specifically, the vulnerable service in the Intranetware client is the SLP
    Request service on TCP port 427.  The command "nmap -sS -p427 target.com",
    which scans only port 427 on the target system with a TCP half-open
    sequence, causes an immediate Blue Screen condition.  This condition is
    recoverable; however, the affected system subsequently loses all TCP
    network connectivity.  Similarly, any "nmap -sS" scan which includes port
    427 in the range of scanned ports causes the same fault (on most systems
    this includes the default scan with no ports specified).
    
    The nmap tool includes features which permit it to scan large regions of
    Internet address space.  Any Windows 95 or Windows 98 systems with the
    Novell Intranetware Client installed found within any scanned region will
    be affected.
    
    Novell Inc. and Microsoft Corp. have received advance notice of this
    vulnerability.
    
    SecureXpert Labs wishes to thank Bruce Allison of Obsidian Networks for
    his valuable assistance in the reproduction of this vulnerability.
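
For defenders reviewing packet captures, the half-open sequence described above (SYN, SYN-ACK, then a reset in place of the final ACK) can be picked out per flow on TCP port 427. The following Python is an added example, not part of the original advisory or any SecureXpert Labs code; the tcpdump-style sample lines, the addresses and the function names are constructed for illustration.

```python
import re

SLP_PORT = 427  # SLP Request service port named in the advisory

# Constructed sample in tcpdump's one-line text style (not a real capture).
SAMPLE = """\
18:27:01.100 IP 203.0.113.9.40001 > 192.0.2.10.427: Flags [S], seq 100
18:27:01.101 IP 192.0.2.10.427 > 203.0.113.9.40001: Flags [S.], seq 900, ack 101
18:27:01.102 IP 203.0.113.9.40001 > 192.0.2.10.427: Flags [R], seq 101
18:27:05.200 IP 198.51.100.7.51000 > 192.0.2.11.427: Flags [S], seq 300
18:27:05.201 IP 192.0.2.11.427 > 198.51.100.7.51000: Flags [S.], seq 700, ack 301
18:27:05.202 IP 198.51.100.7.51000 > 192.0.2.11.427: Flags [.], ack 701
18:27:09.300 IP 203.0.113.9.40002 > 192.0.2.10.80: Flags [S], seq 500
18:27:12.400 IP 203.0.113.9.40003 > 192.0.2.12.427: Flags [S], seq 800
"""

LINE = re.compile(r"IP ([\d.]+)\.(\d+) > ([\d.]+)\.(\d+): Flags \[([A-Z.]+)\]")

def classify_slp_flows(text, port=SLP_PORT):
    """Map (client, client_port, server) -> handshake state for flows to `port`."""
    flows = {}
    for line in text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        src, sport, dst, dport, flags = m.groups()
        if int(dport) == port:                    # client -> server
            key = (src, int(sport), dst)
            if flags == "S":
                flows[key] = "syn"                # probe sent, no answer yet
            elif flows.get(key) == "syn-ack" and "R" in flags:
                flows[key] = "half-open"          # reset instead of final ACK
            elif flows.get(key) == "syn-ack" and flags == ".":
                flows[key] = "established"        # normal three-way handshake
        elif int(sport) == port and flags == "S.":  # server -> client
            key = (dst, int(dport), src)
            if flows.get(key) == "syn":
                flows[key] = "syn-ack"
    return flows

def half_open_probes(text, port=SLP_PORT):
    """Sorted (client, server) pairs whose handshake ended in a client RST."""
    states = classify_slp_flows(text, port)
    return sorted({(c, s) for (c, _, s), st in states.items() if st == "half-open"})

if __name__ == "__main__":
    for client, server in half_open_probes(SAMPLE):
        print(f"half-open probe of TCP/{SLP_PORT}: {client} -> {server}")
```

Flows left in the "syn" state (a probe with no reply at all) are kept in the returned map so they can be reviewed separately from confirmed half-open sequences.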
    


