Re: (GDI+) detection tool don't run without admin prevs.

From: Troy (th_at_ZENO.COM)
Date: 09/17/04

Next message: Security: "Re: SUS server unable to synchronize with Microsoft servers"

Previous message: shmooconannounce: "Shmoocon CFP & registration information"
In reply to: Göran Sedvall: "(GDI+) detection tool don't run without admin prevs."
Next in thread: Louis Solomon [SteelBytes]: "Re: Alert: Microsoft Security Bulletin MS04-028 - Buffer Overrun in JPEG Processing (GDI+) Could Allow Code Execution (833987)"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Date:         Thu, 16 Sep 2004 22:06:02 -0700
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM

Göran Sedvall wrote:

>This morning I got many calls from users who are complaining that they can't
>logon
>because the computer hang. All users who didn't have admin previleges
>couldn't logon. They got a
>message from a popup windows saying:
>
>"Microsoft GDI+ Detection Tool.
>You do not have administrator previleges on this machine. This installation
>cannot be compleated
>correctly unless it is run by an administrator. [OK]"
>
>And then nothing else than a blue background without any icons nor start
>menu.
>
>
If you think that's bad, you should have seen what happened to one of
our servers when auto update installed and ran the GDI + Detection Tool.
Network traffic seemed sluggish. A little investigation showed packet
after packet being transferred between two of our servers. We looked at
the servers, and one of them had a fairly high CPU usage. We narrowed
the usage and network traffic down to the GDI+ Detection Tool. Shortly
after this (which had been a few hours by the time we figured out what
was going on), the detection tool finally finished.

I'm still not 100% sure what happened, but I think it was caused by DFS.
Server A had some DFS links to shares on server B. My best guess would
be that the detection tool thought the namespaces were directories on
the local machine, so it started scanning. There were dozens of GBs
worth of data to be scanned, and it wound up bogging down our entire
network.

--
Troy Hoffman
-----
NTBugtraq Editor's Note:
Want to reply to the person who sent this message? This list is configured such that just hitting reply is going to result in the message coming to the list, not to the individual who sent the message. This was done to help reduce the number of Out of Office messages posters received. So if you want to send a reply just to the poster, you'll have to copy their email address out of the message and place it in your TO: field.
-----

Next message: Security: "Re: SUS server unable to synchronize with Microsoft servers"

Previous message: shmooconannounce: "Shmoocon CFP & registration information"
In reply to: Göran Sedvall: "(GDI+) detection tool don't run without admin prevs."
Next in thread: Louis Solomon [SteelBytes]: "Re: Alert: Microsoft Security Bulletin MS04-028 - Buffer Overrun in JPEG Processing (GDI+) Could Allow Code Execution (833987)"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]