Re: w2k dos

From: Bronek Kozicki (brok@rubikon.pl)
Date: 07/29/01


Message-ID: <000f01c1182f$26f75f00$c503a8c0@waw.getin.pl>
From: "Bronek Kozicki" <brok@rubikon.pl>
To: <bugtraq@securityfocus.com>
Subject: Re: w2k dos
Date: Sun, 29 Jul 2001 15:05:26 +0200


I tested 2 similar systems. Both are Win2K Pro Eng, installed SP2 and
identical hotfixes:
Q285156 Windows 2000 Event Viewer Contains an Unchecked Buffer
Q285851 Patch Available for Network DDE Agent Request Vulnerability
Q292003 SP2 Adds Updates to Several Windows 2000 Support Tools
Q293826 Pattern-Matching Function Causes Access Violation on FTP Server
Q296185 Patch Available for New Variant of "Malformed Hit-Highlighting"
Q298012 Security Bulletin MS01-041 : Malformed RPC Request Can Cause Service
Failure (no KB article yet)
Q299687 LDAP over SSL Could Enable Passwords to Be Changed
Q300972 Unchecked Buffer in ISAPI Extension Can Cause Server Compromise

I used the simplest command I could find: sleep from the Resource Kit.

One system (128MB RAM) did not show a blue screen, but simply restarted. The
other system (512MB RAM) displayed a BSOD and then restarted; however, no
memory.dmp was created (and the system was definitely set to create a full
memory.dmp).

I used kernel debugger running on serial port to get more details from both.
Apparently there's unhandled exception in csrss.exe process space (it's
Win32 SubSystem - wise book says that a lot of Win32 job is actually done by
Executive). You may find more details in attached Windbg log files:
csrss_halt-1.txt was recorded when smaller system crashed (one with 128MB
RAM)
csrss_halt-2.txt was recorded when bigger system crashed (one with 512MB
RAM). In this file I allowed system to continue running after exception was
handled by the system debugger (command tcb), so at the end of the file you will
find BSOD itself. It looks like:

---
*** Fatal System Error: 0xc000021a
                       (0xE2682B68,0xC0000005,0x5FFB4484,0x00B5FA38)
STOP: c000021a {Fatal System Error}
The Windows SubSystem system process terminated unexpectedly
with a status of 0xc0000005 (0x5ffb4484 0x00b5fa38).
The system has been shut down.
---

Regards

B.Kozicki

PS. Has anyone tested this problem with an SMP system?





