SECURITY.NNOV: stream3 Windows NT/2000 DoS (Q280446)

From: 3APA3A (3APA3A@SECURITY.NNOV.RU)
Date: 01/28/02


Date: Mon, 28 Jan 2002 14:14:24 +0300
From: 3APA3A <3APA3A@SECURITY.NNOV.RU>
To: BUGTRAQ@securityfocus.com


Dear,

Some of you may be interested in information about the Microsoft Q280446
issue (the patch is included in SP2). To shed some light on it, we have
decided to publish this information now that Microsoft has announced the
deadline for official Windows NT 4.0 support.

Topic: Windows NT/2000 DoS via stream3 flood attack
Authors: Dark Zorro <darkz@pisem.net>, Error <error@pochtamt.ru>
Date: 2 December 2000 (yes... it's old)
Vendor Informed: 2 December 2000
Software affected: Microsoft Windows NT 4.0, Windows 2000
Risk: Low/Average
Remote: Yes
Exploitable: Yes
SECURITY.NNOV advisories: http://www.security.nnov.ru/advisories

Description:

Stream 3 is a flood attack consisting of absolutely identical empty TCP
packets with the ACK and FIN flags set. Dark Zorro and Error discovered
that unpatched Windows leaks memory from non-paged kernel space during a
stream 3 attack against the NetBIOS (TCP/139) port. This memory is never
released after the attack. Since the attack does not require a TCP
connection, it may bypass poorly configured packet filters. The
effectiveness of the attack depends on the amount of RAM installed in the
target host, the routing scheme and the link bandwidth between source and
target (xDSL/10BaseT is ideal). Results may vary from 2-3 MB of non-paged
memory going missing to a blue screen.
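The packet shape described above (byte-identical, payload-less segments with exactly ACK+FIN set) is easy to pick out of a capture. The following detector is an added example, not code from the advisory or its authors; it parses raw TCP segments, counts repeats of the same ACK+FIN empty segment per source/destination, and flags flows that cross a threshold. The sample traffic, hosts and port numbers are constructed here for illustration.

```python
import struct
from collections import Counter

# TCP control bits (RFC 793), low byte of the offset/flags word
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
NETBIOS_SESSION_PORT = 139  # the port the advisory reports as affected

def build_segment(sport, dport, flags, seq=0, ack=0, payload=b""):
    """Constructed sample: minimal 20-byte TCP header (no options) plus payload."""
    off_flags = (5 << 12) | (flags & 0x3F)  # data offset = 5 words
    return struct.pack("!HHIIHHHH", sport, dport, seq, ack, off_flags, 8192, 0, 0) + payload

def parse_segment(segment):
    """Return (sport, dport, flags, payload_len) from a raw TCP segment."""
    if len(segment) < 20:
        raise ValueError("segment shorter than the minimal TCP header")
    sport, dport, _seq, _ack, off_flags = struct.unpack("!HHIIH", segment[:14])
    data_offset = (off_flags >> 12) * 4
    if data_offset < 20 or data_offset > len(segment):
        raise ValueError("invalid TCP data offset")
    return sport, dport, off_flags & 0x3F, len(segment) - data_offset

def is_stream3_shape(flags, payload_len):
    """Empty segment carrying exactly ACK+FIN: the packet shape the advisory describes."""
    return payload_len == 0 and flags == (ACK | FIN)

def detect_stream3(packets, threshold):
    """packets: iterable of (src_ip, dst_ip, raw_segment) seen in one observation window.
    Returns {(src_ip, dst_ip, dport): count} for flows in which the same byte-identical
    ACK+FIN empty segment repeated at least `threshold` times (a normal connection
    close sends such a segment once, so it stays below any sensible threshold)."""
    identical = Counter()
    for src, dst, seg in packets:
        _sport, dport, flags, plen = parse_segment(seg)
        if is_stream3_shape(flags, plen):
            identical[(src, dst, dport, seg)] += 1
    return {(src, dst, dport): n
            for (src, dst, dport, _seg), n in identical.items() if n >= threshold}

# Constructed sample traffic: a burst of identical ACK+FIN segments to TCP/139 mixed
# with a legitimate single FIN+ACK close and a data-bearing PSH+ACK segment.
flood_seg = build_segment(1025, NETBIOS_SESSION_PORT, ACK | FIN)
SAMPLE = [("10.0.0.5", "10.0.0.1", flood_seg) for _ in range(200)]
SAMPLE += [("10.0.0.7", "10.0.0.1", build_segment(40000, 80, ACK | FIN, seq=1, ack=1))]
SAMPLE += [("10.0.0.7", "10.0.0.1", build_segment(40001, 80, ACK | PSH, payload=b"GET / "))]

if __name__ == "__main__":
    print(detect_stream3(SAMPLE, threshold=100))  # {('10.0.0.5', '10.0.0.1', 139): 200}
```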

I've got a few unverified reports of successful use of stream 3 against
different ports and different systems.

Vendor:

Microsoft was contacted on December 2, 2000. On December 15 a private fix,
Q280446, for Windows 2000 was released. It was made public a few months
later and was included in Service Pack 2.

Microsoft failed to reproduce and fix the problem under Windows NT 4.0.

Solution/Fix:

For Windows 2000, apply SP2. Make sure you filter all traffic to
privileged ports.

Exploitation:

Try stream3.c; it should be faster and more compatible. stream3o.c is a
variant of the old stream.c. It compiles and works under i386 FreeBSD.

-- 
http://www.security.nnov.ru
         /\_/\
        { , . }     |\
+--oQQo->{ ^ }<-----+ \
|  ZARAZA  U  3APA3A   }
+-------------o66o--+ /
                    |/
You know my name - look up my number (The Beatles)
