[18080] in bugtraq
Re: Vulnerability Report For Microsoft Windows NT 4.0 MSTask.exe
daemon@ATHENA.MIT.EDU (Andrew Church)
Thu Dec 14 17:54:27 2000
Message-ID: <3a384de2.54064@prima-lan.net>
Date: Thu, 14 Dec 2000 13:31:01 JST
Reply-To: achurch@ACHURCH.ORG
From: Andrew Church <achurch@ACHURCH.ORG>
To: BUGTRAQ@SECURITYFOCUS.COM
Windows 2000 Professional (5.00.2195, Japanese version) has MSTask.exe
but does not seem to be vulnerable. There is nothing listening on port 1026,
and the only other listening ports I found (1025 and 1220) did not cause
unusual behavior when fed random data (1220 closed the connection, and 1025
just sat there and took it without any visible resource consumption).
--Andrew Church
achurch@achurch.org | New address - please note.
http://achurch.org/ | My email address has changed.
> Vulnerability Report For Microsoft Windows NT 4.0 MSTask.exe code error
>
>Class: Unknown error
>
>Remotely Exploitable: Yes
>
>Locally Exploitable: Yes
>
>Risk: Medium
>
>Vendor status: Microsoft was notified on 7 December
>
>Vulnerability Description:
>
> MSTask.exe is an application that ships with Windows NT 4.0.
> A strange behavior was discovered in the MSTask.exe code.
> If exploited, this vulnerability allows an attacker to slow down
> a vulnerable Windows NT system and sometimes to freeze it.
>
>Vulnerable Packages/Systems:
> Microsoft Windows NT 4.0 Workstation
> Other systems were not tested.
>
>Solution/Vendor Information/Workaround:
>
> I have not found a solution yet.
>
>Technical Description - Exploit/Concept Code:
>
>It appears to me, from testing I have done, that MSTask.exe, usually
>listening on TCP 1026 (or some high port) will cause memory to be consumed
>if it is connected to and some random characters are sent to it. After such
>a connection, eventually the machine will freeze. The only solution appears
>to be a reboot.
>
>MSTask.exe, however, only permits connections via the localhost, or
>127.0.0.1, so on most systems such an attack would have to originate from
>someone at the console (or connected via Terminal Server).
>
>However, if WinGate or Winproxy is installed on the system, the system becomes
>vulnerable to remote attackers, because they can connect to the system's TCP port
>1026 via WinGate or Winproxy, and the connection will be accepted.
>
>To reproduce the problem, use Winnt 4.0 Workstation.
>Do the following:
>
>1. Start telnet.exe
>2. Menu->Connect->Remote System=127.0.0.1 , Port=1026
>3. Press 'Connect' button
>4. When it connects, type some random characters and press enter.
>5. Close telnet.exe.
>
>Now you can see in Task Manager that CPU usage is near 100% because of MSTask.exe.
>Sometimes (not always) the system halts; sometimes MSTask.exe listens on port 1027 or higher.
>I have tried this not only on my computer - it always works.
>Windows 95/98 are not vulnerable, because they have no MSTask.exe :-)
>Windows 2000 Enterprise Server has MSTask.exe and listens on port 1026, but I did not check it.
>
>Any updates for this information available at http://www.eng.securityelf.net/exploit.mstask.php4 .
>
>...........................................................................
>"Security/Elf.Net" Project - http://www.securityelf.net