 
From: Jopasc (Jopasc@BARRYSWORLD.COM)
Date: Fri Aug 03 2001 - 12:25:34 CDT


    The advisory is regarding a DoS.....

    Using other exploits, such as unicode etc., an attacker could upload this
    tool to a machine and run it, thus forcing the owner of the site to rebuild
    the box from scratch or restore from a backup.

    Therefore the advisory is valid. Using another exploit to delete needed
    NT4 boot files would have a similar effect, except those files can be
    replaced using a DOS / NTFS boot disk, depending on the setup. A corrupt
    SAM is normally unfixable...

    ----- Original Message -----
    From: "Ken Pfeil" <Ken@INFOSEC101.ORG>
    To: <win2ksecadvice@LISTSERV.NTSECURITY.NET>
    Sent: 03 August 2001 16:18
    Subject: Re: A damaging local DoS in WinNT SP6a

    > hehe..
    > Running a cracking tool can do damage to your system. Did you REALLY expect
    > MS to take this seriously? Thanks for the chuckle. Another solution would be
    > to not run cracking code on your system in the first place.
    >
    > > -----Original Message-----
    > > From: Steve [mailto:steve@SECURESOLUTIONS.ORG]
    > > Sent: Friday, August 03, 2001 11:04 AM
    > > To: win2ksecadvice@LISTSERV.NTSECURITY.NET
    > > Subject: A damaging local DoS in WinNT SP6a
    > >
    > >
    > > The attached advisory can also be found at:
    > > http://hypoclear.cjb.net/hypo_nt_dos.txt
    > >
    > > ---
    > >
    > > [[:hypoclear security advisory:]]
    > >
    > >
    > > Vendor : Microsoft | http://www.microsoft.com
    > > Product : Windows NT SP6a (and lower?)
    > > Category : Local DoS
    > > Date : 08-03-01
    > >
    > >
    > > CONTENTS
    > > 1. Overview
    > > 2. Details
    > > 3. Exploit
    > > 4. Possible Solution
    > > 5. Vendor Response
    > > 6. Credits
    > > 7. Contact
    > > 8. Disclaimer
    > >
    > >
    > > 1. Overview:
    > >
    > > WindowsNT SP6a is subject to a local Denial of Service (DoS) attack,
    > > upon running "NT4ALL". This particular vulnerability has the potential
    > > to permanently damage the workstation/server, because no users are able
    > > to "log on" to the computer after NT4ALL is run.
    > >
    > >
    > >
    > > 2. Details:
    > >
    > > NT4ALL is a program written by 9 (nine1001@yahoo.com) and was originally
    > > an exploit against WindowsNT SP4. Its goal is to "Let all the users
    > > logon into the NT machine with any password they type from the local NT
    > > machine or from other computers in the same domain." It has been
    > > available publicly for a few years.
    > >
    > > When running NT4ALL the user (with write access to /winnt/system32) can
    > > either put the computer into NT4ALL's "SPECIAL" or "NORMAL" mode.
    > > Putting a WindowsNT machine running SP6a into SPECIAL mode and
    > > rebooting causes the machine to not allow anyone (including
    > > Administrators) access to the computer.
    > >
    > > No logins are allowed because the NT system service "lsass.exe" crashes
    > > every time the machine is rebooted and the login window pops up.
    > >
    > > After attempting to repair the computer with the WindowsNT cd-rom the
    > > machine would allow logins, however the machine ran EXTREMELY slow. All
    > > available CPU ticks were being consumed by "SERVICES.EXE" and
    > > "lsass.exe".
    > >
    > > NOTE: ***If testing this vulnerability it is highly recommended that you
    > > backup all your data or test on an unused machine. In all my tests
    > > after running NT4ALL the computer will be virtually
    > > useless!***
    > >
    > > This vulnerability has the potential to be very harmful, because NT4ALL
    > > can run quite invisibly, and if the payload is attached to a
    > > self-replicating email (like many macro viruses), it could render a mass
    > > of workstations useless.
    > >
    > > Here are links to download NT4ALL from Packet Storm Security:
    > >
    > > Newer version of NT4ALL:
    > > http://packetstormsecurity.org/NT/hack/nt4all-101.zip
    > >
    > > Original version of NT4ALL:
    > > http://packetstormsecurity.org/NT/hack/nt4all.zip
    > >
    > > (All tests were done with the original version of NT4ALL)
    > >
    > >
    > >
    > > 3. Exploit
    > >
    > > Run NT4ALL once (should put the machine in SPECIAL mode).
    > > Note: You can run NT4ALL with the /t option to verify that SPECIAL mode
    > > is on. Reboot. The computer will no longer allow ANYONE (including
    > > administrators) to log in. The problem does not seem to be reversed no
    > > matter how many reboots are attempted.
    > >
    > > If attempting to repair the OS with the Windows NT cdrom, the computer
    > > will allow for logins, but run VERY slow. (All CPU ticks are taken by
    > > SERVICES.EXE and lsass.exe).
    > >
    > >
    > >
    > > 4. Possible Solution
    > >
    > > Disable write access to the winnt/system32/ directory for all users
    > > except the Administrator, until a vendor solution is provided.
    > >
    > >
    > >
    > > 5. Vendor Response
    > >
    > > 07-19-01: Problem sent to the Microsoft Security Response Center (MSRC),
    > > security@microsoft.com. They responded to the problem within a few hours.
    > >
    > > 07-23-01: After a few days of communication with MSRC they suggested I
    > > send the problem to Microsoft Product Support Services (MPSS) because it
    > > is more of a stability issue. I sent the issue to MPSS via the URL
    > > http://support.microsoft.com/directory/feedback/entry.asp,
    > > as suggested by MSRC.
    > >
    > > 07-30-01: After no response from MPSS I resent the problem and stated
    > > that I planned to release an advisory on the problem within the next
    > > few days.
    > >
    > > 08-03-01: No response has been received from MPSS, so this advisory is
    > > being released.
    > >
    > > An attempt has also been made to contact 9 about the NT4ALL program,
    > > after my original discovery, but he (she?) did not respond.
    > >
    > >
    > >
    > >
    > > 6. Credits
    > >
    > > Actual credit here goes to 9, because he (she?) wrote the NT4ALL
    > > program. All I did was be stupid enough to run it and screw up one of my
    > > systems ;-)
    > >
    > >
    > >
    > > 7. Contact
    > >
    > > Advisory written by hypoclear.
    > > email : hypoclear@jungle.net
    > > home page : http://hypoclear.cjb.net
    > >
    > >
    > >
    > > 8. Disclaimer
    > >
    > > This advisory remains the property of hypoclear.
    > > This advisory can be freely distributed in any form.
    > > If this advisory is distributed it must remain in its entirety.
    > > Hypoclear is not responsible for any use/misuse of this advisory.
    > >
    > > This and all of hypoclear's releases fall under his disclaimer, which
    > > can be found at: http://hypoclear.cjb.net/hypodisclaim.txt
    > >
    > > _____________________________________________________________________
    > > ** TO UNSUBSCRIBE, send the command "UNSUBSCRIBE win2ksecadvice"
    > > ** FOR A WEEKLY DIGEST, send the command "SET win2ksecadvice DIGEST"
    > > SEND ALL COMMANDS TO: listserv@listserv.ntsecurity.net

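The advisory's only mitigation (section 4) is to take write access to winnt/system32 away from everyone except administrators, since NT4ALL needs to write into that directory. The script below is an added example, not part of the advisory or of this thread, that audits the System32 ACL for exactly that condition: any Allow ACE that grants write-class rights to a principal outside a trusted set. It uses PowerShell, which did not exist on NT 4 (there the same check was done by reading `cacls %SystemRoot%\system32` output); the trusted-principal list and the set of rights treated as "write-class" are assumptions for this example and should be adjusted to the build being audited.

```powershell
# Added example, not from the advisory or the mailing-list thread.
# Audits %SystemRoot%\System32 for Allow ACEs that grant write-class rights
# to principals outside an assumed trusted set.
$target  = Join-Path $env:SystemRoot 'System32'

# Assumption: these are the only principals that should be able to write here.
$trusted = @(
    'BUILTIN\Administrators',
    'NT AUTHORITY\SYSTEM',
    'NT SERVICE\TrustedInstaller'
)

# Rights that let a caller drop, replace or delete a file in the directory, or
# change the ACL to grant themselves those rights. Modify and FullControl both
# include the Write bits, so testing these bits also catches them. The two raw
# values are GENERIC_ALL / GENERIC_WRITE, which appear on inherit-only ACEs
# (e.g. CREATOR OWNER) instead of the specific FileSystemRights flags.
$riskyMask = [int][System.Security.AccessControl.FileSystemRights]::Write -bor
             [int][System.Security.AccessControl.FileSystemRights]::Delete -bor
             [int][System.Security.AccessControl.FileSystemRights]::DeleteSubdirectoriesAndFiles -bor
             [int][System.Security.AccessControl.FileSystemRights]::TakeOwnership -bor
             [int][System.Security.AccessControl.FileSystemRights]::ChangePermissions -bor
             0x10000000 -bor 0x40000000

$acl = Get-Acl -LiteralPath $target

$findings = foreach ($ace in $acl.Access) {
    # Deny ACEs do not grant anything; skip them.
    if ($ace.AccessControlType -ne [System.Security.AccessControl.AccessControlType]::Allow) { continue }
    # Trusted principals are expected to have write access.
    if ($trusted -contains $ace.IdentityReference.Value) { continue }
    # Keep only ACEs that carry at least one write-class bit.
    if (([int]$ace.FileSystemRights -band $riskyMask) -eq 0) { continue }
    [pscustomobject]@{
        Identity  = $ace.IdentityReference.Value
        Rights    = $ace.FileSystemRights
        Inherited = $ace.IsInherited
        AppliesTo = "$($ace.InheritanceFlags) / $($ace.PropagationFlags)"
    }
}

if ($findings) {
    Write-Warning "Non-administrative write access on ${target}:"
    $findings | Format-Table -AutoSize
} else {
    Write-Output "No non-administrative write access on $target"
}
```

Run it from an elevated prompt so the ACL can be read in full. A hit for Users or Everyone is the condition the advisory describes; on NT 4 the corresponding fix was to remove the Change permission for those groups with cacls, and on later Windows versions the rights should be removed from the offending ACE only, never from TrustedInstaller or SYSTEM, or servicing will break.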