From: Ken Pfeil (Ken@INFOSEC101.ORG)
Date: Fri Aug 03 2001 - 10:18:43 CDT
hehe..
Running a cracking tool can do damage to your system. Did you REALLY expect
MS to take this seriously? Thanks for the chuckle. Another solution would be
to not run cracking code on your system in the first place.
> -----Original Message-----
> From: Steve [mailto:steve@SECURESOLUTIONS.ORG]
> Sent: Friday, August 03, 2001 11:04 AM
> To: win2ksecadvice@LISTSERV.NTSECURITY.NET
> Subject: A damaging local DoS in WinNT SP6a
>
>
> The attached advisory can also be found at:
> http://hypoclear.cjb.net/hypo_nt_dos.txt
>
> ---
>
> [[:hypoclear security advisory:]]
>
>
> Vendor : Microsoft | http://www.microsoft.com
> Product : Windows NT SP6a (and lower?)
> Category : Local DoS
> Date : 08-03-01
>
>
> CONTENTS
> 1. Overview
> 2. Details
> 3. Exploit
> 4. Possible Solution
> 5. Vendor Response
> 6. Credits
> 7. Contact
> 8. Disclaimer
>
>
> 1. Overview:
>
> WindowsNT SP6a is subject to a local Denial of Service (DoS) attack,
> upon running "NT4ALL". This particular vulnerability has the potential
> to permanently damage the workstation/server, because no users are able
> to "log on" to the computer after NT4ALL is run.
>
>
>
> 2. Details:
>
> NT4ALL is a program written by 9 (nine1001@yahoo.com) and was originally
> an exploit against WindowsNT SP4. Its goal is to "Let all the users
> logon into the NT machine with any password they type from the local NT
> machine or from other computers in the same domain." It has been
> available publicly for a few years.
>
> When running NT4ALL the user (with write access to /winnt/system32) can
> either put the computer into NT4ALL's "SPECIAL" or "NORMAL" mode.
> Putting a WindowsNT machine running SP6a into SPECIAL mode and
> rebooting causes the machine to not allow anyone (including
> Administrators) access to the computer.
>
> No logins are allowed because the NT system service "lsass.exe" crashes
> every time the machine is rebooted and the login window pops up.
>
> After attempting to repair the computer with the WindowsNT cd-rom the
> machine would allow logins, however the machine ran EXTREMELY slow. All
> available CPU ticks were being consumed by "SERVICES.EXE" and
> "lsass.exe".
>
> NOTE: ***If testing this vulnerability it is highly recommended that you
> backup all your data or test on an unused machine. In all my tests
> after running NT4ALL the computer will be virtually
> useless!***
>
> This vulnerability has the potential to be very harmful, because NT4ALL
> can run quite invisibly, and if the payload is attached to a
> self-replicating email (like many macro viruses), it could render a mass
> of workstations useless.
>
> Here are links to download NT4ALL from Packet Storm Security: Newer
> version of NT4ALL: http://packetstormsecurity.org/NT/hack/nt4all-101.zip
>
> Original version of NT4ALL:
> http://packetstormsecurity.org/NT/hack/nt4all.zip
>
> (All tests were done with the original version of NT4ALL)
>
>
>
> 3. Exploit
>
> Run NT4ALL once (should put the machine in SPECIAL mode).
> Note: You can run NT4ALL with the /t option to verify that SPECIAL mode
> is on. Reboot. The computer will no longer allow ANYONE (including
> administrators) to log in. The problem does not seem to be reversed no
> matter how many reboots are attempted.
>
> If attempting to repair the OS with the Windows NT cdrom, the computer
> will allow for logins, but run VERY slow. (All CPU ticks are taken by
> SERVICES.EXE and lsass.exe).
>
>
>
> 4. Possible Solution
>
> Disable write access to the winnt/system32/ directory for all users
> except the Administrator, until a vendor solution is provided.
>
>
>
> 5. Vendor Response
>
> 07-19-01: Problem sent to the Microsoft Security Response Center (MSRC),
> security@microsoft.com
> They respond to the problem within a few hours.
>
> 07-23-01: After a few days of communication with MSRC they suggest I
> send the problem to Microsoft Product Support Services (MPSS) because it
> is more of a stability issue.
> I sent the issue to MPSS via the URL
> http://support.microsoft.com/directory/feedback/entry.asp,
> as suggested by MSRC.
>
> 07-30-01: After no response from MPSS I resend the problem and state
> that I planned to release an advisory on the problem within the next
> few days.
>
> 08-03-01: No response has been received from MPSS, so this advisory is
> being released.
>
> An attempt has also been made to contact 9 about the NT4ALL program,
> after my original discovery, but he (she?) did not respond.
>
>
>
>
> 6. Credits
>
> Actual credit here goes to 9, because he (she?) wrote the NT4ALL
> program. All I did was be stupid enough to run it and screw up one of my
> systems ;-)
>
>
>
> 7. Contact
>
> Advisory written by hypoclear.
> email : hypoclear@jungle.net
> home page : http://hypoclear.cjb.net
>
>
>
> 8. Disclaimer
>
> This advisory remains the property of hypoclear.
> This advisory can be freely distributed in any form.
> If this advisory is distributed it must remain in its entirety.
> Hypoclear is not responsible for any use/misuse of this advisory.
>
> This and all of hypoclear's releases fall under his disclaimer, which
> can be found at: http://hypoclear.cjb.net/hypodisclaim.txt
>
> _____________________________________________________________________
> ** TO UNSUBSCRIBE, send the command "UNSUBSCRIBE win2ksecadvice"
> ** FOR A WEEKLY DIGEST, send the command "SET win2ksecadvice DIGEST"
> SEND ALL COMMANDS TO: listserv@listserv.ntsecurity.net
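The advisory's suggested mitigation is to remove write access to the system32 directory for everyone except administrators. The following is an added example, not code from the thread or from the advisory's author, that audits that condition on a modern Windows host: it reads the ACL on %SystemRoot%\System32 and reports any Allow ACE that grants write, modify or full-control rights to a principal outside an assumed list of trusted identities (Administrators, SYSTEM, TrustedInstaller). The trusted list and the right mask are assumptions to adjust to local policy; in the advisory's era the equivalent check was done with cacls.exe.

```powershell
# Added example (not part of the advisory or the thread): audit the ACL on
# %SystemRoot%\System32 and report write-capable ACEs held by principals
# other than an assumed set of trusted identities. Run from an elevated
# PowerShell session.

$path = Join-Path $env:SystemRoot 'System32'

# Assumption: these principals are expected to hold write rights on System32.
$trusted = @(
    'BUILTIN\Administrators',
    'NT AUTHORITY\SYSTEM',
    'NT SERVICE\TrustedInstaller'
)

# Rights that allow a caller to plant or replace files in the directory.
$fsr = [System.Security.AccessControl.FileSystemRights]
$writeMask = $fsr::Write -bor $fsr::Modify -bor $fsr::FullControl -bor
             $fsr::CreateFiles -bor $fsr::WriteData

$acl = Get-Acl -Path $path

# Collect every Allow ACE from a non-trusted principal that carries any bit
# of the write mask.
$findings = foreach ($ace in $acl.Access) {
    if ($ace.AccessControlType -ne 'Allow') { continue }
    $identity = $ace.IdentityReference.Value
    if ($trusted -contains $identity) { continue }
    if (($ace.FileSystemRights -band $writeMask) -ne 0) {
        [pscustomobject]@{
            Path      = $path
            Identity  = $identity
            Rights    = $ace.FileSystemRights
            Inherited = $ace.IsInherited
        }
    }
}

if ($findings) {
    Write-Warning "Non-administrative principals can write to ${path}:"
    $findings | Format-Table -AutoSize
} else {
    Write-Host "OK: only trusted principals hold write rights on $path"
}
```

Any row in the output is a principal that could drop or replace a file in System32 the way the advisory describes; the fix is to remove that ACE (or the inherited grant it comes from) so that only the trusted identities keep write rights.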