Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
From: Peter Gründl (pgrundlkpmg.dk)
Date: Wed Apr 17 2002 - 04:30:54 CDT

  • Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]


              -=>Windows 2000 microsoft-ds Denial of Service<=-
                          courtesy of KPMG Denmark

    BUG-ID: 2002011
    Released: 17th Apr 2002
    The default LANMAN registry settings on Windows 2000 could allow a
    malicious user, with access to TCP port 445 on your Windows 2000, to
    cause a Denial of Service.

    - Windows 2000 Server (SP0, SP1, SP2)
    - Windows 2000 Advanced Server (SP0, SP1, SP2)
    - Windows 2000 Professional (SP0, SP1, SP2)

    Sending malformed packets to the microsoft-ds port (TCP 445) can
    result in kernel ressources being allocated by the LANMAN service.
    The consequences of such an attack could vary from the Windows
    2000 host completely ignoring the attack to a blue screen.

    An attack could be something as simple as sending a continuous
    stream of 10k null chars to TCP port 445.

    The most common symptoms would be that the LANMAN service would
    allocate a lot of kernel memory, until a point, where very few
    applications would be able to run. The routine that draws windows
    would commence to draw incomplete windows, the warning "beep"
    would be replaced by an error stating that the sound driver could
    not be loaded. Internet Information Server would no longer be
    able to service .asp pages, attempts to reboot the server (as
    administrator) would result in the error "You do not have
    permissions to shutdown or restart this computer.", aso.

    It would frequently be possible to cause the system service
    to enter a state where it constantly used 100% CPU usage.
    A PC was left in this state over the weekend, to see if it
    would recover on it's own. It did not recover.

    Vendor URL:
    You can visit the vendors webpage here: http://www.microsoft.com

    Vendor response:
    The vendor was contacted mid-October, 2001. The vendor released a
    Q-article, describing the problem and possible solutions on the 11th
    of April, 2002. KPMG was notified of the publication on the 17th of
    April, 2002.

    Corrective action:
    The vendor has suggested two possible solutions, available here:

    Author: Peter Gründl (pgrundlkpmg.dk)

    KPMG is not responsible for the misuse of the information we provide
    through our security advisories. These advisories are a service to
    the professional security community. In no event shall KPMG be lia-
    ble for any consequences whatsoever arising out of or in connection
    with the use or spread of this information.