Re: w2k dos

From: aleph1at_private
Date: Sun Jul 29 2001 - 04:10:33 PDT


    Summary of responses to the Windows local reboot vulnerability:
    
    From: "John H. Sawyer" <jsawyerat_private>
    
    I tested this in:
    Win2k Pro (ENG) - SP2
    Win2k Server (ENG) - no SP's
    
    Pro gave a blue screen with a subsystem error and then rebooted.  Server
    simply rebooted.
    
    
    From: Chad Loder <cloderat_private>:
    
    Amazing. I can reproduce this on both of my Win2k
    boxes. It helps if you totally spam the F7 and
    ENTER keys while pinging.
    
    Details of my systems:
    
    System 1
    - Win2k SP2, recent hotfixes applied
    - dual P3 processors
    - Netgear FA311 NIC
    - Netgear FA312 NIC
    
    System 2
    - Win2k SP2, essentially same patch level as other machine
    - single Intel P3 processor
    - Netgear FA310-TX NIC
    
    
    From: "Ben" <sacredknightat_private>:
    
    I confirmed this on a clean install of Win2k pro.
    
    
    From: "Thomas Hall" <thall41at_private>
    
    Yup, I reproduced this on Win2K SP2 (English). Very Nasty ...
    
    Actually, I can reproduce it by repeatedly pressing F7 and Enter during ANY
    command that takes more than a few seconds to complete, like "dir \winnt".
    
    
    From: Dan Bunker <danb@staff-abuzz.com>
    
    Confirmed on W2k Professional SP1. Not sure how many times I hit F7 as there
    were multiple and it was cycling through them when it blue screened.
    
    Blue screen showed a Stop C00021a, fatal system error, system shutdown.
    
    That's the gist anyway as it rebooted pretty quickly and couldn't write it
    all down fast enough.
    
    
    From: "Martin Elster" <melsterat_private>
    
    I've tested this on an English w2k sp2, and sure enough the machine
    rebooted. Strange.
    
    I've also tried it on a win2k Terminal Server sp1 (from a remote logon), and
    this was not affected by the bug.
    
    
    From: "Rob Round" <rob@web-sites.com>
    
    I just tried this and it happened exactly the way you tell it.  F7 and enter
    a couple of times and the machine reboots, a window did popup but I hit
    enter before I had a chance to read it and I'm not about to do it again.
    I'm using 2000 server.
    
    
    From: "alann lopes" <alannat_private>
    
    Now that's a hell of a replacement for
    a reset switch :)
    
    Works like a charm for me with w2k-pro SP2
    
    Happy rebooting...
    
    
    From: Dennis Henderson <hendoat_private>
    
    Verified.
    
    
    From: Thorat_private
    
    Confirmed on W2k Adv Server, SP2.  At first, I waited until the ping
    finished before hitting F7, and nothing happened.  But after I continually
    hit F7 + Enter back-to-back about 4 times (while the ping was in progress),
    it died with a STOP c0000021a.  The only thing I could find on c0000021a was
    stuff way back on NT4.0 SP3.
    
    
    From: Tres Ransom <tres.ransomat_private>
    
    Yup, 
    w2k sp2 all latest patches applied - hard drive dump then - reboot
    
    
    From: "Niels Vaes" <nielzthabeastat_private>
    
    Tested and confirmed on W2k SP1 English version. However, Windows didn't
    reboot immediately. The command prompt froze and I opened Task Manager to
    kill the command prompt. When the Task Manager was opened, my computer
    rebooted.
    
    
    From: "Tarick Bedeir" <tbedeirat_private>
    
    I've confirmed this on Windows 2000 Professional SP2 (English). Windows
    XP (Whistler) Professional build 2462 (beta 2) does NOT have this
    problem. 
    
    Windows dies with STOP error C000021A (Fatal System Error): The Windows
    SubSystem system process terminated unexpectedly with a status of
    0xc0000005 (0x5ffb448c, 0x0040fa38). 0xc0000005 is an access violation.
    
    F7 in a command prompt window usually brings up a list of
    recently-executed commands. I tried F3 + enter and up-arrow + enter,
    both of which would repeat the last command (like F7 + enter). Neither
    stopped the system.
    
    
    From: markat_private
    
    Daniel,
    
    This is one nasty bug.  
    I've verified this to work on Win2K Pro SP2.  It took 3 F7s and my system
    hard-booted as if I had hit the reset button.
    
    On a Win2K Server SP2 on a terminal session (administrator mode) it doesn't
    crash the box.  However:
     - You can create a "cmd.exe" session that is unkillable
     - You can't log off that session
     - You can't kill that session or "cmd.exe" process from the console
    (taskmgr.exe)  
     - You can't log the user off from Terminal Services Manager
     - You can't create another instance of "cmd.exe" in that terminal session
     - A reboot is required to kill the session.
    
    
    From: "David Page" <davidat_private>
    
    I tried this in winxp (Not win2k, i know, but they've a similar kernel
    (exact?)).
    
    It just brought up a list of the last commands/programs used, and enter
    selects it and pastes + runs it.
    
    It acted as it probably should - simply pasted the line and executed it.
    (It didn't crash).
    
    
    From: Marty Richards <martyat_private>
    
    Works on Win2k pro build 2195 SP1.
    
    Very cute - nice find.
    
    
    From: "Philip Stoev" <philipat_private>
    
    I can confirm that on W2K Pro with SP2 fully patched. There is no need to
    use the ping command, anyone will do.
    
    
    From: "Emmanuel Zaspel" <newscontrolat_private>
    
    It works on W2K Server German SP2 too, even as a user with no rights
    (only allowed to log on locally). No dump is saved, only a blue screen in a
    form I've never seen on W2K; it looks like Win9x :-) Analysis will follow.
    
    
    From: "Martin Sander" <mail@martin-sander.de>
    
    German Win2k SP2 crashes also.
    
    
    From: "Franck PERREAU" <franck.perreauat_private>
    
    Same behaviour here with an English and also a French version, both Advanced
    Server SP2.
    Seems to be a real bug...
    
    
    From: Shadow <shadowat_private>
    
    I tried this on a Win2k Server with SP2.
    If I try to ping a host from the run box, this doesn't work.
    If I try to ping from a cmd shell, it works, instant reboot :)
    
    
    From: "gsmith" <gsmithat_private>
    
    I'd say your machine has an issue... no problem on my W2k with SP2
    loaded...
    
    
    From: "Nikolai V. Ivanyushin" <kokoat_private>
    
    Win2k Russian SP2 + all latest hotfixes - warm reboot.
    
    
    From: "Thomas T. Soares" <ttsoaresat_private>
    
    Yes, this flaw exists in a W2k SP2 Portuguese version.
    
    
    From: "xcjiang" <xcjiangat_private>
    
    I test it in my pc, nothing happened at all.
    
    
    From: "Brian Henerey" <brianat_private>
    
    I followed your instructions and it promptly caused my computer to reboot.
    
    
    From: "Snyder, Kevin" <Kevin.Snyderat_private>
    
    I experienced the same issue.
    
    Setup:
    Dell CPxJ
    Windows 2000 Professional SP1 (factory install)
    256MB Ram
    
    At about eight attempts the workstation on which you are performing the
    pings reboots.  There is a blue screen that I couldn't catch when the reboot
    occurred.
    
    
    From: "Stephen Evanchik" <myst564at_private>
    
    I can confirm that on Windows 2000 Professional SP2 English.
    
    
    From: Will Saxon <WillSat_private>
    
    Absolutely, just tried with Win2k Server, SP2.
    
    
    From: "Alex Renn Jr." <rayat_private>
    
    I can confirm this bug exists in my w2k 5.00.2195 (Russian version).
    
    
    From: <everat_private>
    
    I did it and I couldn't see anything until... until I pressed ^C to
    stop the ping.
    Then I saw the BSOD and - reboot.
    Working on win2k pl sp2.
    
    
    From:  Ryan Ratkiewicz <ryanat_private>
    
    I can confirm this - Running Win2k Professional, SP2.
    
    
    From: "Moorjani uday" <moorjaniat_private>
    
    I can confirm the bug on the French version of Microsoft Windows 2000,
    but I'm not sure it is a bug though, because my system did not reboot.
    It sends me a dos window " 0: ping 192.168.1.6", after pressing "Enter",
    it continues to ping the given ip.
    
    
    From: "Mark L. Jackson" <mark_l_jacksonat_private>
    
    Running W2K SP2 English (and all IIS patches), development machine for web.
    Unable to reproduce.
    
    
    From: Ralf Ertzinger <ralf.ertzingerat_private>
    
    Works. Even shuts down the IDE disks before rebooting.
    W2k Pro German, SP1, all pre-SP2-Hotfixes
    
    
    From: "David J Scordato" <davidat_private>
    
    Confirmed on Win2k SP2 International English - I received a BSOD w/ stop
    error.  Any hints from anyone on the cause?
    
    
    From: <cyberedat_private>
    
    I tried this on Windows NT 4.0 SP6, many many hotfixes, it works...
    
    
    From: "Stephen C Burns" <sburnsat_private>
    
    Confirmed on W2K Professional and Server - note that this does not
    reboot the machine, but stops it dead in its tracks and requires you to
    switch the power off and on.
    
    
    From: Daniel Epstein <depsteinat_private>
    
    This is interesting.  I've been trying this for a little while today
    and have found that this problem isn't limited to running ping.exe.  It
    seems as if repeated pressing of <F7> + <Return> while running a
    variety of processes invoked from the command shell will cause my
    system to reboot after the process in question has completed.  I have
    successfully tried this with the Windows 2000 SP2 versions of ping,
    nbtstat, telnet, a for /l loop running copy, and sleep.  I have also
    found that the <F7> + <Return> combination must be entered into the
    session of cmd.exe that has spawned the child process.  Since <F7>
    brings up a menu of the command history for cmd.exe, I suspect that
    this may be where the problem lies.  However, it is a weekend and I am
    getting tired of crashing my machine, so I think I will leave further
    testing up to others.
    
    
    From: Jay Gruner <getmyfaxat_private>
    
    Tested and verified on a German version of Win2k SP2. It looked like it
    started to display a small grey window on top of the Command Window for
    a fraction of a second (maybe an error message), then the hard disks stopped
    and the system got shut down to a BlueScreen. Translated message: Windows
    Subsystem shut down unexpectedly. System shut down (or halted).
    User context was Administrator; the system is otherwise perfectly stable.
    Ping went out to a random host on the Net.
    
    
    From: "Brendan Howes" <zeioat_private>
    
    Another bug also confirmed on win2k pro sp2 with all IE hotfixes. This
    one works on Advanced Server as well; this shouldn't come as a surprise.
    
    Terminal Services on Adv. Server + Citrix Metaframe is also affected.
    
    Funny, a large multiuser system can be brought to its knees from
    userland.
    
    Windows NT 3.51 and Winframe 1.8 are not affected. Cutler, you sold out
    :0)
    
    Not that userland processes killing NT is a new problem. 
    
    
    From: "Helder Correia" <helder.correiaat_private>
    
    Yes, I get the same warm reboot when I "F7 - enter" on ping.
    If I'm not mistaken, F7 gives you your last ping and enter pings it again.
    So the reboot must be a DoS or flood to the net, so w2k reboots.
    You don't have to be connected to a net for this to work.
    
    i tried on the portuguese version, Windows 2000 Professional...
    
    
    From: Nathan <cornetat_private>
    
    Just tried this on a win2k prof SP2 box and nothing...
    
    
    From: "Eugene" <eugeneat_private>
    
    So far it is confirmed that any command that is network-related and takes
    over a second to execute produces the desired result (warm reboot). Try
    "ipconfig", "tracert", etc.
    
    Also vulnerable:
    
    Win NT 4 Server Enterprise Edition, SP6A  English
    Win NT 4 Workstation, SP6A English
    Windows 2000 Advanced Server (no SP, SP1 and SP2)
    
    
    From: "Ross Thomas" <rossat_private>
    
    Confirmed to "work" with W2K Pro SP2 English.
    
    A reboot occurs with ping and tracert, but not with dir. Presumably some
    kind of weird command prompt/Winsock interaction.
    
    
    From: "Andrew Hatfield" <andrewat_private>
    
    Yes I can confirm this on Win2K Pro SP2 English (OEM)
    Installed via RIS
    
    Intel EEPro 10/100
    
    Version 5.0.2195
    
    
    From: "James Nelson" <xiat_private>
    
    This doesn't seem to work on Windows XP Professional, RC1.
    
    As far as what permissions are necessary---I was able to reproduce this
    on Windows 2000 SP2 using a test user who was only in the local Users
    group.
    
    If you close the command window by way of the X (or by double-clicking
    the control box), the reboot won't happen. It's apparently only when the
    history buffer has a chance to digest stuff.
    
    Also, command.com (with doskey loaded) does not seem to be affected by
    this, just cmd.exe.
    
    
    From: Jim Popovitch <jimpopat_private>
    
    I saw similar results (F7 +Enter...) however I noticed that my
    powersupply light on the front of my PC (ATX) went dark, yet the
    computer was still running.  The screen was blank w/ a flashing cursor
    in the upper left corner, and the NIC lights were flashing viciously.
    
    
    From: Pyatro Buhalski <uucyceat_private>
    
    Successfully tested this on my NT4 SP6 workstation with ping,
    netstat, tracert and other long-running utils. A STOP error (0xc000021a)
    occurs after a huge delay (more than a minute) following pressing
    F7-enter several times. Surprisingly, it doesn't reboot if
    auto-reboot after STOP isn't specified (someone said it does on w2k).
    I also tried pressing F7-enter once while pinging and got some
    interesting result: after first ping nothing happens (just F7 menu
    flashes and the command appears in the prompt). But after second one
    (no matter, what you did between these commands), the cmd window just
    hangs up. No reboot or anything else. Any ideas?
    
    -- 
    Elias Levy
    SecurityFocus.com
    http://www.securityfocus.com/
    Si vis pacem, para bellum
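
    Several respondents above could not read the blue screen because the box
    rebooted at once, one notes that no dump was saved, and another that NT4
    stays on the STOP screen when auto-reboot is off. All of that is governed by
    the CrashControl key. The script below is an added example and is not part of
    the Bugtraq thread or of any respondent's post: it reads and optionally
    changes those settings, and extracts STOP codes from bugcheck event text.
    Assumptions: the value names AutoReboot, CrashDumpEnabled, DumpFile and
    MinidumpDir (documented for NT-family Windows), and the event source
    BugCheck / ID 1001 in the System log, which is how current Windows records a
    bugcheck after the reboot; Windows 2000 used the "Save Dump" source instead.
    The sample event text and the helper names are constructed for the example.

```powershell
# Added example, not code from the thread. Run elevated for Set-*.
$CrashControlKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\CrashControl'

function Get-CrashControlConfig {
    # AutoReboot = 1 means the STOP screen is replaced by a reboot within a
    # second or two, which is why most respondents could not copy the code.
    $p = Get-ItemProperty -Path $CrashControlKey
    [pscustomobject]@{
        AutoReboot       = [bool]$p.AutoReboot
        CrashDumpEnabled = $p.CrashDumpEnabled   # 0 none, 1 complete, 2 kernel, 3 small, 7 automatic
        DumpFile         = $p.DumpFile
        MinidumpDir      = $p.MinidumpDir
    }
}

function Set-CrashControlForAnalysis {
    # Keep the STOP screen up and make sure some dump is written.
    # Takes effect after the next reboot.
    Set-ItemProperty -Path $CrashControlKey -Name AutoReboot -Value 0 -Type DWord
    $cur = (Get-ItemProperty -Path $CrashControlKey).CrashDumpEnabled
    if (-not $cur) {
        # small memory dump: enough to see the bugcheck parameters
        Set-ItemProperty -Path $CrashControlKey -Name CrashDumpEnabled -Value 3 -Type DWord
    }
}

function Get-BugCheckCodes {
    # Pull "0x........" tokens out of bugcheck event messages. The first token
    # is the STOP code, the next four are its parameters; for C000021A the
    # first parameter is the subsystem's exit status (0xc0000005 = access
    # violation, as one respondent reported).
    param([Parameter(ValueFromPipeline)][string]$Message)
    process {
        $hex = [regex]::Matches($Message, '0x[0-9a-fA-F]{8,16}') | ForEach-Object { $_.Value }
        if ($hex.Count -gt 0) {
            [pscustomobject]@{
                StopCode   = $hex[0].ToLower()
                Parameters = @($hex | Select-Object -Skip 1)
                IsCsrssExit = ($hex[0] -ieq '0xc000021a')
            }
        }
    }
}

function Get-RecentBugChecks {
    param([int]$Days = 30)
    # Assumption: source "BugCheck", event 1001, System log (modern Windows).
    Get-WinEvent -FilterHashtable @{
        LogName = 'System'; ProviderName = 'Microsoft-Windows-WER-SystemErrorReporting'
        Id = 1001; StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue |
        ForEach-Object { $_.Message | Get-BugCheckCodes }
}

# Constructed sample event text, shaped like a BugCheck 1001 message, so the
# parser can be exercised offline.
$sample = 'The computer has rebooted from a bugcheck.  The bugcheck was: ' +
          '0xc000021a (0xc0000005, 0x5ffb448c, 0x0040fa38, 0x00000000).'
$sample | Get-BugCheckCodes | Format-List
Get-CrashControlConfig
```

    Use Get-CrashControlConfig before reproducing anything that is expected to
    bugcheck; if AutoReboot is set you will only ever see the reboot, not the
    STOP code. Get-BugCheckCodes works on any saved message text, so the
    event-log query is only a convenience and is the one part that is specific
    to current Windows.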
    



    This archive was generated by hypermail 2b30 : Sun Jul 29 2001 - 04:22:46 PDT