OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
Subject: Vulnerability Report For Microsoft Windows NT 4.0 MSTask.exe code error
From: Steve (steveSECURESOLUTIONS.ORG)
Date: Wed Dec 13 2000 - 21:52:03 CST


From: Ilia Sprite
Subject: Vulnerability Report For Microsoft Windows NT 4.0 MSTask.exe
code error

      Vulnerability Report For Microsoft Windows NT 4.0 MSTask.exe code
error

Class: Unknown error

Remotely Exploitable: Yes

Locally Exploitable: Yes

Risk: Medium

Vendor status: Microsoft was notified on 7 December

Vulnerability Description:

 MSTask.exe is an application that ships with the Windows NT 4.0
 A strange behavior was discovered in the MSTask.exe code.
 If exploited, this vulnerability allows and attacker to slow down
 vulnerable Windows NT and sometimes to freeze it.

Vulnerable Packages/Systems:
  Microsoft Windows NT 4.0 Workstation
  other systems was not tested.

Solution/Vendor Information/Workaround:

  No solution I have found yet.

Technical Description - Exploit/Concept Code:

Technical Description - Exploit/Concept Code:

It appears to me, from testing I have done, that MSTask.exe, usually
listening on TCP 1026 (or some high port) will cause memory to be consumed
if it is connected to and some random characters are sent to it. After such
a connection, eventually the machine will freeze. The only solution appears
to be a reboot.

MSTask.exe, however, only permits connections via the localhost, or
127.0.0.1, so on most systems such an attack would have to originate from
someone at the console (or connected via Terminal Server).

However, if WinGate or Winproxy installed on the system, system becames
vulnerable for remote attackers, because they can connect to system's 1026
tcp
port via wingate or winproxy, and connection will be accepted.

To reproduce the problem, use Winnt 4.0 Workstation.
Do the following:

1. Start telnet.exe
2. Menu->Connect->Remote System=127.0.0.1 , Port=1026
3. Press 'Connect' button
4. When it is connects, type some random characters and press enter.
5. Close telnet.exe.

Now you can see in taskmanager, that CPU usage is near 100% because of
MSTask.exe.
Sometimes (not always) system halts, sometimes MStask.exe listens on 1027
port or higher.
I have tried to do this not only at my computer - it's always works.
Windows 95/98 not vulnerable, because they has no MSTask.exe :-)
Windows 2000 Enterprise Server has MSTask.exe and listens at 1026 port, but
I dont check it.

Any updates for this information available at
http://www.eng.securityelf.net/exploit.mstask.php4 .

...........................................................................
"Security/Elf.Net" Project - http://www.securityelf.net

_____________________________________________________________________
** TO UNSUBSCRIBE, send the command "UNSUBSCRIBE win2ksecadvice"
** FOR A WEEKLY DIGEST, send the command "SET win2ksecadvice DIGEST"
SEND ALL COMMANDS TO: listservlistserv.ntsecurity.net