[NTSEC] (It gets worse) NT vulnerable to DOS attack on more than
Bob Beck (beck@obtuse.com)
Sat, 25 Jan 1997 12:08:08 -0600
>
> This is clearly the biggest bug yet. I can kill all of the services of
> MS Exchange Server, as well as INETINFO (MSX doesn't rely on INETINFO).
> So clearly this bad code has been used in numerous products.
>
> Cheers,
> Russ
> R.C. Consulting, Inc. - NT/Internet Security Consulting
> "Why does Plug-n-Play so often turn into Unplug-n-Pay?"

Owch.. Yep.. looks like it's both dynamic (i.e. port 1031
isn't always the port it ends up on) and it's used in more than just
that. The box I tried it on first was pretty stock. I tried it on a
loaded up box (Exchange and Winframe 3.51) and there are *lots* of
ports that little perl script kills it on. Good thing I have an
extremely anal-retentive packet filter in front of that one :-)

So it looks like all you need to do is use that perl script (or
modify Proff's strobe program to heave something at the port when it
connects) and lots of things hardloop. Sorry kids, it's not another static
port, it's all over the place in MS's code, so it depends what you run
on your server.

The released Microsoft fix does *NOT* fix this. It ONLY fixes
the problem on port 135.

-Bob
--
Bob Beck Obtuse Systems Corporation
beck@obtuse.com http://www.obtuse.com/
True Evil hides its real intentions in its street address. Search and you
shall find it, and the truth shall set you free.