[18093] in bugtraq


Re: Vulnerability Report For Microsoft Windows NT 4.0 MSTask.exe

daemon@ATHENA.MIT.EDU (jmcontreras)
Fri Dec 15 15:55:11 2000

Message-Id:  <3A38A205.C083EFE2@axxis.com.mx>
Date:         Thu, 14 Dec 2000 10:33:58 +0000
Reply-To: jmcontreras <jcontreras@AXXIS.COM.MX>
From: jmcontreras <jcontreras@AXXIS.COM.MX>
X-To:         Ilia <sprite@lyceum.usu.ru>
To: BUGTRAQ@SECURITYFOCUS.COM

I tested this problem in Windows NT 4.0 (SP 5) and it is working!!

I connect to the TCP 1027 port ...
The program that uses the (near 100%) CPU is msdtc.exe

byte ...



Ilia Sprite wrote:

>       Vulnerability Report For Microsoft Windows NT 4.0 MSTask.exe code error
>
> Class: Unknown error
>
> Remotely Exploitable: Yes
>
> Locally Exploitable: Yes
>
> Risk: Medium
>
> Vendor status: Microsoft was notified on 7 December
>
> Vulnerability Description:
>
>  MSTask.exe is an application that ships with Windows NT 4.0.
>  A strange behavior was discovered in the MSTask.exe code.
>  If exploited, this vulnerability allows an attacker to slow down
>  vulnerable Windows NT and sometimes to freeze it.
>
> Vulnerable Packages/Systems:
>   Microsoft Windows NT 4.0 Workstation
>   Other systems were not tested.
>
> Solution/Vendor Information/Workaround:
>
>   No solution I have found yet.
>
> Technical Description - Exploit/Concept Code:
>
> It appears to me, from testing I have done, that MSTask.exe, usually
> listening on TCP 1026 (or some high port) will cause memory to be consumed
> if it is connected to and some random characters are sent to it. After such
> a connection, eventually the machine will freeze. The only solution appears
> to be a reboot.
>
> MSTask.exe, however, only permits connections via the localhost, or
> 127.0.0.1, so on most systems such an attack would have to originate from
> someone at the console (or connected via Terminal Server).
>
> However, if WinGate or WinProxy is installed on the system, the system becomes
> vulnerable to remote attackers, because they can connect to the system's 1026 TCP
> port via WinGate or WinProxy, and the connection will be accepted.
>
> To reproduce the problem, use Winnt 4.0 Workstation.
> Do the following:
>
> 1. Start telnet.exe
> 2. Menu->Connect->Remote System=127.0.0.1, Port=1026
> 3. Press 'Connect' button
> 4. When it connects, type some random characters and press enter.
> 5. Close telnet.exe.
>
> Now you can see in Task Manager that CPU usage is near 100% because of MSTask.exe.
> Sometimes (not always) the system halts; sometimes MSTask.exe listens on port 1027 or higher.
> I have tried to do this not only on my computer - it always works.
> Windows 95/98 are not vulnerable, because they have no MSTask.exe :-)
> Windows 2000 Enterprise Server has MSTask.exe and listens on port 1026, but I didn't check it.
>
> Any updates for this information available at http://www.eng.securityelf.net/exploit.mstask.php4 .
>
> ...........................................................................
> "Security/Elf.Net" Project - http://www.securityelf.net

--
Juan Manuel Contreras G.
Specialized JAVA Consultant
Axxis Integrated Technology
jcontreras@axxis.com.mx
Ph.- (+52) 5203-1040
http://www.axxis.com.mx/
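The quoted advisory's key exposure condition is that MSTask.exe only accepts loopback connections, so the remote vector depends on a proxy such as WinGate or WinProxy forwarding to 127.0.0.1:1026. As an added inventory check (not code from either poster), the script below parses the Windows `netstat -an` listing for TCP listeners and reports whether a loopback-only MSTask-style listener coexists with an externally bound proxy port; the sample output and the choice of port 1080 as the proxy port are constructed assumptions.

```python
import re
from typing import Dict, List

# Constructed sample of "netstat -an" output in the Windows NT 4.0 layout
# (not captured from a real host). Ports 1026/1027 mirror the advisory's
# MSTask.exe listeners bound to the loopback interface only.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1026         0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1027         0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1080           0.0.0.0:0              LISTENING
  TCP    10.0.0.5:139           10.0.0.7:1044          ESTABLISHED
  UDP    0.0.0.0:137            *:*
"""

# Matches one TCP listening socket line: local address, local port, state.
LISTEN_RE = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING\s*$")

# Ports the advisory names for MSTask.exe (1026, then 1027 or higher).
MSTASK_PORTS = {1026, 1027}
# Assumed proxy listener port (1080 is the SOCKS default); adjust per host.
PROXY_PORTS = {1080}


def parse_listeners(netstat_output: str) -> List[Dict[str, object]]:
    """Return every TCP LISTENING socket with its address, port and whether
    it is bound to the loopback interface only."""
    listeners = []
    for line in netstat_output.splitlines():
        m = LISTEN_RE.match(line)
        if not m:
            continue
        addr, port = m.group(1), int(m.group(2))
        listeners.append({"addr": addr, "port": port,
                          "loopback_only": addr.startswith("127.")})
    return listeners


def assess_exposure(netstat_output: str) -> Dict[str, object]:
    """Flag the advisory's condition: a loopback-only MSTask listener plus a
    proxy bound on a non-loopback address that could forward to it."""
    ls = parse_listeners(netstat_output)
    mstask = sorted(l["port"] for l in ls if l["port"] in MSTASK_PORTS and l["loopback_only"])
    proxies = sorted(l["port"] for l in ls if l["port"] in PROXY_PORTS and not l["loopback_only"])
    return {"mstask_loopback_listeners": mstask,
            "external_proxy_ports": proxies,
            "remote_exposure_possible": bool(mstask and proxies)}
```

Without a proxy listener the same host is reported as locally exposed only, which matches the advisory's statement that the attack otherwise requires console or Terminal Server access.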
