Re: Possible DoS attack to NT boxes running OpenNT 2.1
Jason Zions (jason_zions@INTERIX.COM)
Tue, 4 Aug 1998 17:24:08 -0700
- Maybe in reply to: Nemo: "Possible DoS attack to NT boxes running OpenNT 2.1"
- Next in thread: n3m0: "Re: Possible DoS attack to NT boxes running OpenNT 2.1"
Nemo <NemoIIASTURIES.ORG> (or possibly n3m0@hotmail.com) said:

---
There's a possible Denial of Service attack to NT boxes running OpenNT 2.1 over a Telnet connection (I could not test if any earlier version is affected). Any NT machine running the telnet daemon included in OpenNT is vulnerable to this attack.

This vulnerability is related with the fact that OpenNT Unix consoles allow to run win32 applications (both GUI and text based) through the command line. The same happens when a client connects to an OpenNT telnetd: the client is allowed to launch and run win32 applications...
---

And then he proceeded to give an example of the DoS attack: telnetting to an NT system, logging on, and running a Win32 GUI program which appeared to be unkillable.

There's two things wrong with this.

First, it's hardly a DoS attack when you had to authenticate yourself to the system to make the attack. If an admin saw several dozen instances of a Win32 app belonging to user Nemo, said admin could simply call up Nemo and yell at him for sucking up memory. There's no anonymous attack here; no username/password, no access.

Second, the Win32 GUI app is running just fine, in a non-displayed Windows Station. It is consuming some resources, but mostly swap space; no CPU time, once the app has started up and is waiting for user input. A user with appropriate privileges (say, Administrator) should be able to use TKILL.EXE or the Task Manager or any other appropriate utility to shoot the non-visible GUI app. Certainly, Nemo could log back on via telnet and shoot his own non-visible GUI app via tkill.

Yes, PSXSS.EXE is unkillable, even by the Administrator. So is CSRSS.EXE, which serves the same purpose for Win32 as PSXSS.EXE does for OpenNT. Only one instance of these protected-mode user space subsystem servers will ever run, and "protected" means just that.

Jason Zions
Softway Systems Inc. (the OpenNT folks. 'cept it's now called Interix.)
http://www.interix.com