[7731] in bugtraq
[NTSEC] (It gets worse) NT vulnerable to DOS attack on more than
daemon@ATHENA.MIT.EDU (Bob Beck (by way of Christopher Kl)
Thu Aug 20 14:42:51 1998
Date: Sat, 25 Jan 1997 12:08:08 -0600
Reply-To: "Bob Beck (by way of Christopher Klaus <beck@obtuse.com>)" <beck@obtuse.com>
From: "Bob Beck (by way of Christopher Klaus <beck@OBTUSE.COM>)" <beck@OBTUSE.COM>
To: BUGTRAQ@NETSPACE.ORG
>
> This is clearly the biggest bug yet. I can kill all of the services of
> MS Exchange Server, as well as INETINFO (MSX doesn't rely on INETINFO).
> So clearly this bad code has been used in numerous products.
>
> Cheers,
> Russ
> R.C. Consulting, Inc. - NT/Internet Security Consulting
> "Why does Plug-n-Play so often turn into Unplug-n-Pay?"
Owch.. Yep.. looks like it's both dynamic (i.e. port 1031
isn't always the port it ends up on) and it's used in more than just
that. The box I tried it on first was pretty stock. I tried it on a
loaded up box (Exchange and Winframe 3.51) and there are *lots* of
ports that little perl script kills it on. Good thing I have an
extremely anal-retentive packet filter in front of that one :-)
So it looks like all you need to is use that perl script (or
modify Proff's strobe program to heave something at the port when it
connects) and lots of things hardloop. Sorry kids, it's not another static
port, It's all over the place int MS's code. so it depends what you run
on your server.
The released microsoft fix does *NOT* fix this. it ONLY fixes
the problem on port 135.
-Bob
--
Bob Beck Obtuse Systems Corporation
beck@obtuse.com http://www.obtuse.com/
True Evil hides its real intentions in its street address. Search and you
shall find it, and the truth shall set you free.
