Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
Date: Tue Feb 06 2001 - 13:33:50 CST

  • Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

    From:Georgi Guninski
    Sent: Tuesday, February 06, 2001 5:56 AM
    Subject: Windows client UDP exhaustion denial of service

    Georgi Guninski security advisory #37, 2001

    Windows client UDP exhaustion denial of service

    Systems affected:
    Windows 2000 Prof, Windows 98 probably other Windowses

    Risk: Low
    Date: 6 February 2001

    Legal Notice:
    This Advisory is Copyright (c) 2001 Georgi Guninski. You may distribute it
    You may not modify it and distribute it or distribute parts of it without
    the author's
    written permission.

    The opinions expressed in this advisory and program are my own and not of
    any company.
    The usual standard disclaimer applies, especially the fact that Georgi
    is not liable for any damages caused by direct or indirect use of the
    or functionality provided by this advisory or program.
    Georgi Guninski bears no responsibility for content or misuse of this
    advisory or program or
    any derivatives thereof.

    It is possible a web page or email message to consume all the usable client
    UDP sockets on the
    computer running Windows. This leads to stopping client DNS resolution on
    Windows 2000 professional
    and stopping all new TCP connections on Windows 98. After closing the
    malicous application normal
    function of the system is restored though several machines spontaneously
    It is interesting to note that Linux is not affected to this vulnerability
    as far as I tested.

    This exploit uses java. The idea is quite simple - create as much UDP
    sockets (java.net.DatagramSocket)
    as possible. Other processes are prevented from creating new UDP sockets.
    The java code is:

    try { DatagramSocket d = new DatagramSocket();v.addElement(d);}
    catch (Exception e) {System.out.println("Exhausted, i="+i);}


    Vendor status:
    Microsoft was informed on 2 February 2001.

    Georgi Guninski
    You may visit Guninski Security Mailing List page at

    ** TO UNSUBSCRIBE, send the command "UNSUBSCRIBE win2ksecadvice"
    ** FOR A WEEKLY DIGEST, send the command "SET win2ksecadvice DIGEST"
    SEND ALL COMMANDS TO: listservlistserv.ntsecurity.net