From: David LeBlanc (dleblancMINDSPRING.COM)
Date: Sat Aug 04 2001 - 02:05:01 CDT


    The 'advisory' is bogus.

    If an attacker has gained admin-level access to your machine, you have to
    flatten it. Period. Given the same conditions, the attacker could have
    installed 57 different backdoors and rootkits. Given admin-level access, I
    could just open the raw disk and start changing random bytes. I could do all
    sorts of horrible things, probably even screw up the BIOS. The mind boggles
    at the possibilities, to quote Sylvester the Cat.

    Once the attacker gains admin-level access, it is game over.

    > -----Original Message-----
    > From: Jopasc [mailto:JopascBARRYSWORLD.COM]
    > Sent: Friday, August 03, 2001 10:26 AM
    > To: win2ksecadviceLISTSERV.NTSECURITY.NET
    > Subject: Re: A damaging local DoS in WinNT SP6a
    >
    >
    > The advisory is regarding a DoS.....
    >
    > Using other exploits, such as unicode etc, an attacker could upload this
    > tool to a machine and run it, thus forcing the owner of the site to rebuild
    > the box from scratch or restore from a backup.
    >
    > Therefore the advisory is valid. Using another exploit to delete needed
    > NT4 boot files would have a similar effect, except those files can be
    > replaced using a DOS / NTFS boot disk depending on the setup. A corrupt SAM
    > is normally unfixable...
    >
    > ----- Original Message -----
    > From: "Ken Pfeil" <KenINFOSEC101.ORG>
    > To: <win2ksecadviceLISTSERV.NTSECURITY.NET>
    > Sent: 03 August 2001 16:18
    > Subject: Re: A damaging local DoS in WinNT SP6a
    >
    >
    > > hehe..
    > > Running a cracking tool can do damage to your system. Did you REALLY expect
    > > MS to take this seriously? Thanks for the chuckle. Another solution would be
    > > to not run cracking code on your system in the first place.
    > >
    > > > -----Original Message-----
    > > > From: Steve [mailto:steveSECURESOLUTIONS.ORG]
    > > > Sent: Friday, August 03, 2001 11:04 AM
    > > > To: win2ksecadviceLISTSERV.NTSECURITY.NET
    > > > Subject: A damaging local DoS in WinNT SP6a
    > > >
    > > >
    > > > The attached advisory can also be found at:
    > > > http://hypoclear.cjb.net/hypo_nt_dos.txt
    > > >
    > > > ---
    > > >
    > > > [[:hypoclear security advisory:]]
    > > >
    > > >
    > > > Vendor : Microsoft | http://www.microsoft.com
    > > > Product : Windows NT SP6a (and lower?)
    > > > Category : Local DoS
    > > > Date : 08-03-01
    > > >
    > > >
    > > > CONTENTS
    > > > 1. Overview
    > > > 2. Details
    > > > 3. Exploit
    > > > 4. Possible Solution
    > > > 5. Vendor Response
    > > > 6. Credits
    > > > 7. Contact
    > > > 8. Disclaimer
    > > >
    > > >
    > > > 1. Overview:
    > > >
    > > > WindowsNT SP6a is subject to a local Denial of Service (DoS) attack,
    > > > upon running "NT4ALL". This particular vulnerability has the potential
    > > > to permanently damage the workstation/server, because no users are able
    > > > to "log on" to the computer after NT4ALL is run.
    > > >
    > > >
    > > >
    > > > 2. Details:
    > > >
    > > > NT4ALL is a program written by 9 (nine1001yahoo.com) and was originally
    > > > an exploit against WindowsNT SP4. Its goal is to "Let all the users
    > > > logon into the NT machine with any password they type from the local NT
    > > > machine or from other computers in the same domain." It has been
    > > > available publicly for a few years.
    > > >
    > > > When running NT4ALL the user (with write access to /winnt/system32) can
    > > > either put the computer into NT4ALL's "SPECIAL" or "NORMAL" mode.
    > > > Putting a WindowsNT machine running SP6a into SPECIAL mode and
    > > > rebooting causes the machine to not allow anyone (including
    > > > Administrators) access to the computer.
    > > >
    > > > No logins are allowed because the NT system service "lsass.exe" crashes
    > > > every time the machine is rebooted and the login window pops up.
    > > >
    > > > After attempting to repair the computer with the WindowsNT cd-rom the
    > > > machine would allow logins, however the machine ran EXTREMELY slow. All
    > > > available CPU ticks were being consumed by "SERVICES.EXE" and
    > > > "lsass.exe".
    > > >
    > > > NOTE: ***If testing this vulnerability it is highly recommended that you
    > > > backup all your data or test on an unused machine. In all my tests
    > > > after running NT4ALL the computer will be virtually useless!***
    > > >
    > > > This vulnerability has the potential to be very harmful, because NT4ALL
    > > > can run quite invisibly, and if the payload is attached to a
    > > > self-replicating email (like many macro viruses), it could render a mass
    > > > of workstations useless.
    > > >
    > > > Here are links to download NT4ALL from Packet Storm Security:
    > > >
    > > > Newer version of NT4ALL:
    > > > http://packetstormsecurity.org/NT/hack/nt4all-101.zip
    > > >
    > > > Original version of NT4ALL:
    > > > http://packetstormsecurity.org/NT/hack/nt4all.zip
    > > >
    > > > (All tests were done with the original version of NT4ALL)
    > > >
    > > >
    > > >
    > > > 3. Exploit
    > > >
    > > > Run NT4ALL once (should put the machine in SPECIAL mode).
    > > > Note: You can run NT4ALL with the /t option to verify that SPECIAL mode
    > > > is on. Reboot. The computer will no longer allow ANYONE (including
    > > > administrators) to log in. The problem does not seem to be reversed no
    > > > matter how many reboots are attempted.
    > > >
    > > > If attempting to repair the OS with the Windows NT cdrom, the computer
    > > > will allow for logins, but run VERY slow. (All CPU ticks are taken by
    > > > SERVICES.EXE and lsass.exe).
    > > >
    > > >
    > > >
    > > > 4. Possible Solution
    > > >
    > > > Disable write access to the winnt/system32/ directory for all users
    > > > except the Administrator, until a vendor solution is provided.
    > > >
    > > >
    > > >
    > > > 5. Vendor Response
    > > >
    > > > 07-19-01: Problem sent to the Microsoft Security Response Center (MSRC),
    > > > securitymicrosoft.com
    > > > They responded to the problem within a few hours.
    > > >
    > > > 07-23-01: After a few days of communication with MSRC they suggested I
    > > > send the problem to Microsoft Product Support Services (MPSS) because
    > > > it is more of a stability issue. I sent the issue to MPSS via the URL
    > > > http://support.microsoft.com/directory/feedback/entry.asp,
    > > > as suggested by MSRC.
    > > >
    > > > 07-30-01: After no response from MPSS I resent the problem and stated
    > > > that I planned to release an advisory on the problem within the next
    > > > few days.
    > > >
    > > > 08-03-01: No response has been received from MPSS, so this advisory is
    > > > being released.
    > > >
    > > > An attempt has also been made to contact 9 about the NT4ALL program,
    > > > after my original discovery, but he (she?) did not respond.
    > > >
    > > >
    > > >
    > > >
    > > > 6. Credits
    > > >
    > > > Actual credit here goes to 9, because he (she?) wrote the NT4ALL
    > > > program. All I did was be stupid enough to run it and screw up one of my
    > > > systems ;-)
    > > >
    > > >
    > > >
    > > > 7. Contact
    > > >
    > > > Advisory written by hypoclear.
    > > > email : hypoclearjungle.net
    > > > home page : http://hypoclear.cjb.net
    > > >
    > > >
    > > >
    > > > 8. Disclaimer
    > > >
    > > > This advisory remains the property of hypoclear.
    > > > This advisory can be freely distributed in any form.
    > > > If this advisory is distributed it must remain in its entirety.
    > > > Hypoclear is not responsible for any use/misuse of this advisory.
    > > >
    > > > This and all of hypoclear's releases fall under his disclaimer, which
    > > > can be found at: http://hypoclear.cjb.net/hypodisclaim.txt
    > > >
    > > >
    > > > _____________________________________________________________________
    > > > ** TO UNSUBSCRIBE, send the command "UNSUBSCRIBE win2ksecadvice"
    > > > ** FOR A WEEKLY DIGEST, send the command "SET win2ksecadvice DIGEST"
    > > > SEND ALL COMMANDS TO: listservlistserv.ntsecurity.net

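The advisory's "Possible Solution" is to keep write access to the system32 directory away from ordinary users. The script below is an added example, not part of the thread or of any participant's post, showing how a defender on a current Windows host would audit that directory's ACL for write-capable entries held by principals other than the built-in administrative ones. It assumes a modern Windows ACL baseline (SYSTEM, Administrators and TrustedInstaller as the expected write holders); that principal list is an assumption to adjust to your own baseline, and NT4 did not have TrustedInstaller.

```powershell
# Added example (not from the thread): audit the System32 ACL for write-capable
# Allow ACEs granted to principals outside the expected administrative set.
$path = Join-Path $env:SystemRoot 'System32'
$acl  = Get-Acl -Path $path

# Rights that let a principal add, replace or remove files in the directory,
# or change who may. Read/Execute/ListDirectory are deliberately excluded.
$writeMask = [System.Security.AccessControl.FileSystemRights]::WriteData -bor
             [System.Security.AccessControl.FileSystemRights]::AppendData -bor
             [System.Security.AccessControl.FileSystemRights]::WriteAttributes -bor
             [System.Security.AccessControl.FileSystemRights]::WriteExtendedAttributes -bor
             [System.Security.AccessControl.FileSystemRights]::Delete -bor
             [System.Security.AccessControl.FileSystemRights]::DeleteSubdirectoriesAndFiles -bor
             [System.Security.AccessControl.FileSystemRights]::ChangePermissions -bor
             [System.Security.AccessControl.FileSystemRights]::TakeOwnership

# Assumption: principals that legitimately hold write rights on System32 on a
# current Windows build. Adjust to your own hardening baseline.
$trusted = @(
    'NT AUTHORITY\SYSTEM',
    'BUILTIN\Administrators',
    'NT SERVICE\TrustedInstaller'
)

$findings = foreach ($ace in $acl.Access) {
    # Only Allow entries grant anything; Deny entries are not findings.
    if ($ace.AccessControlType -ne 'Allow') { continue }
    # Cast to [int] so generic-rights bits in the mask compare cleanly.
    if (([int]$ace.FileSystemRights -band [int]$writeMask) -eq 0) { continue }
    if ($trusted -contains $ace.IdentityReference.Value) { continue }
    [pscustomobject]@{
        Principal = $ace.IdentityReference.Value
        Rights    = $ace.FileSystemRights
        Inherited = $ace.IsInherited
    }
}

if ($findings) {
    Write-Warning "Write-capable ACEs on $path held by non-administrative principals:"
    $findings | Format-Table -AutoSize
} else {
    Write-Output "No unexpected write access on $path"
}
```

Run it from an elevated prompt so Get-Acl can read the full descriptor. A non-empty result is the condition the advisory's mitigation is meant to remove; the same loop can be pointed at other directories that services load binaries from.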