SECURITY.NNOV: stream3 Windows NT/2000 DoS (Q280446)

From: 3APA3A (3APA3Aat_private)
Date: Mon Jan 28 2002 - 03:14:24 PST


    Dear,
    
    Some of you may be interested in information about the Microsoft Q280446
    issue (the patch is included in SP2). Just to throw some light on it, we've
    decided to publish this information because Microsoft has declared the
    deadline for official Windows NT 4.0 support.
    
    Topic:                    Windows NT/2000 DoS via stream3 flood attack
    Authors:                  Dark Zorro <darkzat_private>,
                              Error <errorat_private>
    Date:                     2 December 2000 (yes... it's old)
    Vendor Informed:          2 December 2000
    Software affected:        Microsoft Windows NT 4.0, Windows 2000
    Risk:                     Low/Average
    Remote:                   Yes
    Exploitable:              Yes
    SECURITY.NNOV advisories: http://www.security.nnov.ru/advisories
    
    Description:
    
    Stream 3 is a flood attack of absolutely identical empty TCP packets with
    the ACK and FIN flags set. Dark Zorro and Error discovered that unpatched
    Windows leaks memory from non-paged kernel space during a stream 3 attack
    against the NetBIOS (TCP/139) port. This memory is never released after
    the attack. Since this attack doesn't require a TCP connection, it may
    bypass poorly configured packet filters. The effectiveness of the attack
    depends on the amount of RAM installed in the target host, the routing
    scheme and the link bandwidth between source and target (xDSL/10BaseT is
    ideal). Results may vary from missing 2-3 Mb of non-paged memory to a
    blue screen.
    
    I've got a few unverified reports of successful use of stream 3 against
    different ports and different systems.
    
    Vendor:
    
    Microsoft was contacted on December 2, 2000. On December 15, a private fix
    (Q280446) for Windows 2000 was released. It was made public a few months
    later and was included in Service Pack 2.
    
    Microsoft failed to reproduce and fix the problem under Windows NT 4.0.
    
    Solution/Fix:
    
    For Windows 2000, apply SP2. Make sure you filter all traffic to
    privileged ports.
    
    Exploitation:
    
    Try stream3.c; it should be faster and more compatible. stream3o.c is a
    variant of the old stream.c. It compiles and works under i386 FreeBSD.
    
    
    -- 
    http://www.security.nnov.ru
             /\_/\
            { , . }     |\
    +--oQQo->{ ^ }<-----+ \
    |  ZARAZA  U  3APA3A   }
    +-------------o66o--+ /
                        |/
    You know my name - look up my number (The Beatles)
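A detector for the traffic pattern the advisory describes (empty TCP segments to port 139 carrying only the ACK and FIN flags, arriving with no connection behind them), written here as an added example; it is not part of the original post or of the SECURITY.NNOV tools. The raw IPv4/TCP packets, the source addresses and the 100-segment threshold are constructed for illustration.

```python
"""Detect a stream3-style flood (empty TCP segments with only ACK+FIN set)
in raw IPv4 packets. Added example, not from the advisory; packets and the
threshold below are constructed for illustration."""
import struct
from collections import Counter

TCP_FIN, TCP_ACK = 0x01, 0x10
FLAGS_FIN_ACK = TCP_FIN | TCP_ACK


def parse_ipv4_tcp(pkt):
    """Return (src_ip, dst_port, flags, payload_len), or None if not IPv4/TCP."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4                      # IPv4 header length in bytes
    total_len = struct.unpack("!H", pkt[2:4])[0]   # IPv4 total length field
    if pkt[9] != 6 or len(pkt) < ihl + 20:         # protocol 6 = TCP
        return None
    src_ip = ".".join(str(b) for b in pkt[12:16])
    tcp = pkt[ihl:]
    dst_port = struct.unpack("!H", tcp[2:4])[0]
    data_off = (tcp[12] >> 4) * 4                  # TCP header length in bytes
    flags = tcp[13]
    return src_ip, dst_port, flags, total_len - ihl - data_off


def is_stream3_segment(pkt, port=139):
    """True for an empty segment with exactly FIN+ACK set, aimed at `port`."""
    parsed = parse_ipv4_tcp(pkt)
    if parsed is None:
        return False
    _, dst_port, flags, payload_len = parsed
    return dst_port == port and flags == FLAGS_FIN_ACK and payload_len == 0


def detect_flood(packets, threshold=100, port=139):
    """Count stream3-style segments per source IP; return sources at/over threshold."""
    counts = Counter()
    for pkt in packets:
        if is_stream3_segment(pkt, port):
            counts[parse_ipv4_tcp(pkt)[0]] += 1
    return {src: n for src, n in counts.items() if n >= threshold}


def build_packet(src_ip, dst_port, flags, payload=b""):
    """Build a minimal IPv4+TCP packet (checksums left zero); constructed sample data."""
    tcp = struct.pack("!HHIIBBHHH", 1025, dst_port, 0, 0, 5 << 4, flags, 0, 0, 0) + payload
    src = bytes(int(o) for o in src_ip.split("."))
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0, src, b"\x0a\x00\x00\x02")
    return ip + tcp
```

Spoofed source addresses, which such floods typically use, spread the count over many sources, so in practice the per-destination-port rate is the better alarm; the per-source count here is what a capture replay most directly shows.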
    
    
    This archive was generated by hypermail 2b30 : Mon Jan 28 2002 - 11:45:18 PST