Subject: Re: Vulnerability Report For Microsoft Windows NT 4.0 MSTask.exe code error
From: Steve Manzuik (smanzuikRAZOR.BINDVIEW.COM)
Date: Thu Dec 14 2000 - 08:54:06 CST


I forwarded this "advisory" without fully reading it. Normally, I keep my
mouth shut and don't comment on advisories at all if I can help it. But I
do have a few comments on this one.

>Vulnerability Description:
>
> MSTask.exe is an application that ships with Windows NT 4.0.
> A strange behavior was discovered in the MSTask.exe code.
> If exploited, this vulnerability allows an attacker to slow down
> vulnerable Windows NT and sometimes to freeze it.

Slow down a system? I can think of a million and one other ways to also
slow down a Windows system without the use of MSTask.

>MSTask.exe, however, only permits connections via the localhost, or
>127.0.0.1, so on most systems such an attack would have to originate from
>someone at the console (or connected via Terminal Server).

So why would I, sitting in front of my NT workstation, want to DoS myself?
If I were to gain physical access to a workstation, why would I want to DoS
it when there are tons of other things I could do to it? Tons of more
interesting and fun things.

>However, if WinGate or Winproxy is installed on the system, the system becomes
>vulnerable to remote attackers, because they can connect to the system's
>TCP port 1026 via WinGate or Winproxy, and the connection will be accepted.

One of the principles of security and securing systems: if the service is
not required, don't run it and do not allow connections to that port. IF
(please see my test results below) this is truly the case and there is a
remote DoS possible, then I would consider this an issue.

>To reproduce the problem, use Winnt 4.0 Workstation.
>Do the following:
>
>1. Start telnet.exe
>2. Menu->Connect->Remote System=127.0.0.1 , Port=1026
>3. Press 'Connect' button
>4. When it connects, type some random characters and press enter.
>5. Close telnet.exe.

I played with this a little this morning. It would be interesting to know
what service pack/hotfix level was tested, as I am unable to replicate it at
SP6a.
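The thread turns on whether the port 1026 listener is reachable only from 127.0.0.1 or from the network. The following is an added example, not code from the original post or from Microsoft: it parses `netstat -an` style output and classifies how a given TCP port is exposed, so an administrator can confirm a listener really is loopback-only. The sample output is constructed, not captured from a real NT host.

```python
from typing import Dict, List

# Constructed sample of `netstat -an` style output (not from a real host).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1026         0.0.0.0:0              LISTENING
  TCP    192.168.1.10:139       0.0.0.0:0              LISTENING
  TCP    192.168.1.10:1027      192.168.1.20:80        ESTABLISHED
"""

# Local addresses that only accept connections from the same machine.
LOOPBACK = {"127.0.0.1", "::1", "[::1]"}


def parse_listeners(netstat_text: str) -> List[Dict[str, str]]:
    """Return every TCP socket in LISTENING state as {'addr': ..., 'port': ...}."""
    listeners = []
    for line in netstat_text.splitlines():
        fields = line.split()
        # Skip banner, header and non-listening rows.
        if len(fields) < 4 or fields[0] != "TCP" or fields[3] != "LISTENING":
            continue
        addr, _, port = fields[1].rpartition(":")
        listeners.append({"addr": addr, "port": port})
    return listeners


def exposure_of_port(netstat_text: str, port: int) -> str:
    """Classify a TCP port as 'closed', 'loopback-only' or 'exposed'.

    'exposed' means at least one listener is bound to a wildcard address
    (0.0.0.0 / ::) or to a real interface address, i.e. reachable remotely.
    """
    addrs = {l["addr"] for l in parse_listeners(netstat_text) if l["port"] == str(port)}
    if not addrs:
        return "closed"
    if addrs <= LOOPBACK:
        return "loopback-only"
    return "exposed"


if __name__ == "__main__":
    for p in (1026, 135, 139, 9999):
        print(p, exposure_of_port(SAMPLE_NETSTAT, p))
```

A loopback-only result is only as good as the host's other services: a proxy such as the WinGate or Winproxy mentioned in the advisory, if it relays inbound connections to 127.0.0.1, makes the listener reachable anyway, so check those products' binding rules separately.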
