[3958] in bugtraq


Re: [NTSEC] CPU Usage, Known NT 4.0 Security bugs

daemon@ATHENA.MIT.EDU (Russ)
Sat Jan 25 14:49:05 1997

Date: 	Sat, 25 Jan 1997 12:07:51 -0600
Reply-To: Russ <Russ.Cooper@RC.on.ca>
From: Russ <Russ.Cooper@RC.on.ca>
To: Multiple recipients of list BUGTRAQ <BUGTRAQ@NETSPACE.ORG>

The current 100% CPU usage does not fall into the category described
below indicating 100% utilization only when something else does not
require utilization.

After exploiting INETINFO and driving it to 100%, I then launched Excel
on the same machine. Utilization never dropped below 100% and Excel took
far longer to start than normal. After starting it, I shut it down,
still no dropback. I started IIS Manager to see if the exploited
INETINFO would allow me, it did, and I was able to start and stop
services, all without affecting the 100% utilization. Finally, I stopped
all the IIS services and immediately the INETINFO process disappeared
and utilization was normal. Starting the IIS services was successful,
and INETINFO started up again normally.

This bug is not in INETINFO, I know that for sure. There is no doubt the
process will peg the CPU at 100% until it's stopped and does in fact tax
the CPU to 100%. As with the RPC bug, other processes can continue to
function as the pegged thread is at priority 8, again.

All of this testing has been done on NT 4.0 Server with SP2 and all 3
public fixes (that means with the kernel, ras, and rpc hot fixes).

Could someone please test this on their own IIS machine running on NT
3.51: do a portscan between 1020 and 1070 typically, and the first port
you find that responds, try telnet to it. Please, only do this to your
own machine. I very much need to know if this bug affects 3.51 machines
or not.

Speaking of which, can anyone confirm for sure that the RPC bug affected
their 3.51 machine? Obviously the message sent out from Microsoft was
that it only affected 4.0 machines, but I had a few people tell me they
saw it on their 3.51 boxes, but when pushed for confirmation, they
haven't responded.

Cheers,
Russ
R.C. Consulting, Inc. - NT/Internet Security Consulting
"Why does Plug-n-Play so often turn into Unplug-n-Pay?"
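The reproduction Russ asks for above (scan ports 1020-1070, then telnet to the first one that answers) automated as a small script. This is an added example, not code from the message or from Microsoft; it only does what a port scanner and a plain telnet connect do, that is, complete a TCP handshake and read whatever the service volunteers, and says nothing about what to type afterwards because the message doesn't. The host name, the 0.5 second timeout and the `read_banner` helper are assumptions for illustration. Run it only against a machine you own.

```python
import socket
import sys
from typing import Optional

# Added example, not part of the original post: automates the check the
# message asks for (scan 1020-1070, connect to the first responder) and
# reports what a telnet session would see on connect. Your own machine only.

DEFAULT_FIRST, DEFAULT_LAST = 1020, 1070   # the range given in the message


def find_first_open_port(host: str, first: int, last: int,
                         timeout: float = 0.5) -> Optional[int]:
    """Return the lowest port in [first, last] that completes a TCP handshake,
    or None if none does.

    A refused or timed-out connect counts as closed; any completed handshake
    counts as "responds", which is all the message's test requires.
    """
    for port in range(first, last + 1):
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)          # assumed timeout; tune for slow links
            try:
                s.connect((host, port))
            except OSError:
                continue                   # refused / unreachable / timed out
            return port
    return None


def read_banner(host: str, port: int, timeout: float = 1.0,
                limit: int = 256) -> bytes:
    """Connect the way telnet does, send nothing, and return whatever the
    service sends before the timeout (b"" if it stays silent)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        s.connect((host, port))
        try:
            return s.recv(limit)
        except socket.timeout:
            return b""


def main(argv: list) -> int:
    host = argv[1] if len(argv) > 1 else "127.0.0.1"   # assumed default target
    port = find_first_open_port(host, DEFAULT_FIRST, DEFAULT_LAST)
    if port is None:
        print(f"no port in {DEFAULT_FIRST}-{DEFAULT_LAST} on {host} accepted a connection")
        return 1
    banner = read_banner(host, port)
    print(f"first responding port on {host}: {port}; banner on connect: {banner!r}")
    print("watch CPU usage on the target, then telnet to this port by hand to reproduce")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Usage: `python scan_and_connect.py <host>`; the script stops at the first port that completes a handshake, which is the port the message says to telnet to. Nothing is written to the socket, so the script itself is not the trigger; it only finds the port and shows you what telnet would show on connect.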
