[NT] Windows 2000 microsoft-ds Denial of Service
From: support@securiteam.comDate: 04/17/02
- Previous message: support@securiteam.com: "[NT] AIM's 'Direct Connection' Feature Could Lead to Arbitrary File Creation"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: support@securiteam.com To: list@securiteam.com Date: Wed, 17 Apr 2002 12:16:56 +0200 (CEST)
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
When was the last time you checked your server's security?
How about a monthly report?
http://www.AutomatedScanning.com - Know that you're safe.
- - - - - - - - -
Windows 2000 microsoft-ds Denial of Service
------------------------------------------------------------------------
SUMMARY
The default LANMAN registry settings on Windows 2000 could allow a
malicious user, with access to TCP port 445 on your Windows 2000, to cause
a Denial of Service.
DETAILS
Vulnerable systems:
- Windows 2000 Server (SP0, SP1, SP2)
- Windows 2000 Advanced Server (SP0, SP1, SP2)
- Windows 2000 Professional (SP0, SP1, SP2)
Sending malformed packets to the microsoft-ds port (TCP 445) can result in
kernel resources being allocated by the LANMAN service. The consequences
of such an attack could vary from the Windows 2000 host completely
ignoring the attack to a blue screen.
An attack could be something as simple as sending a continuous stream of
10k NULL chars to TCP port 445.
The most common symptoms would be that the LANMAN service would allocate a
lot of kernel memory, until a point, where very few applications would be
able to run. The routine that draws windows would commence to draw
incomplete windows, a warning "beep" would be replaced by an error stating
that the sound driver could not be loaded. Internet Information Server
would no longer be able to service .ASP pages, attempts to reboot the
server (as administrator) would result in the error "You do not have
permissions to shutdown or restart this computer".
It would frequently be possible to cause the system service to enter a
state where it constantly uses 100% of its CPU time. A PC was left in this
state over the weekend, to see if it would recover on its own. It did not
recover.
Vendor response:
The vendor was contacted mid-October, 2001. The vendor released a
Q-article, describing the problem and possible solutions on the 11th of
April, 2002. KPMG was notified of the publication on the 17th of April,
2002.
Corrective action:
The vendor has suggested two possible solutions, available here:
<http://support.microsoft.com/default.aspx?scid=kb;en-us;Q320751>
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q320751
ADDITIONAL INFORMATION
The information has been provided by <mailto:pgrundl@kpmg.dk> Peter
Gründl.
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com
====================
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
- Previous message: support@securiteam.com: "[NT] AIM's 'Direct Connection' Feature Could Lead to Arbitrary File Creation"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
