[18109] in bugtraq


Re: Vulnerability Report For Microsoft Windows NT 4.0 MSTask.exe

daemon@ATHENA.MIT.EDU (Geoffroy RIVAT)
Fri Dec 15 18:24:53 2000

Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed
Message-Id:  <5.0.0.25.2.20001215103804.02e372c0@mail.sicfa.org>
Date:         Fri, 15 Dec 2000 10:40:01 +0100
Reply-To: Geoffroy RIVAT <geoffroy@SICFA.ORG>
From: Geoffroy RIVAT <geoffroy@SICFA.ORG>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To:  <3a384de2.54064@prima-lan.net>

At 14/12/00 05:31, you wrote:
>      Windows 2000 Professional (5.00.2195, Japanese version) has MSTask.exe
>but does not seem to be vulnerable.  There is nothing listening on port 1026,
>and the only other listening ports I found (1025 and 1220) did not cause
>unusual behavior when fed random data (1220 closed the connection, and 1025
>just sat there and took it without any visible resource consumption).

I have tested on Windows NT 4.0 Server SP5 fr.

MSTask.exe is running; the only port open is 1032, but it is not vulnerable remotely.
Locally: CPU usage grows quickly.



>   --Andrew Church
>     achurch@achurch.org | New address - please note.
>     http://achurch.org/ | $B%a!<%k%"%I%l%9$,JQ$o$j$^$7$?!#(B
>
> >      Vulnerability Report For Microsoft Windows NT 4.0 MSTask.exe code error
> >
> >Class: Unknown error
> >
> >Remotely Exploitable: Yes
> >
> >Locally Exploitable: Yes
> >
> >Risk: Medium
> >
> >Vendor status: Microsoft was notified on 7 December
> >
> >Vulnerability Description:
> >
> > MSTask.exe is an application that ships with Windows NT 4.0.
> > A strange behavior was discovered in the MSTask.exe code.
> > If exploited, this vulnerability allows an attacker to slow down a
> > vulnerable Windows NT system and sometimes to freeze it.
> >
> >Vulnerable Packages/Systems:
> >  Microsoft Windows NT 4.0 Workstation
> >  Other systems were not tested.
> >
> >Solution/Vendor Information/Workaround:
> >
> >  I have not found a solution yet.
> >
> >Technical Description - Exploit/Concept Code:
> >
> >It appears to me, from testing I have done, that MSTask.exe, usually
> >listening on TCP 1026 (or some high port) will cause memory to be consumed
> >if it is connected to and some random characters are sent to it. After such
> >a connection, eventually the machine will freeze. The only solution appears
> >to be a reboot.
> >
> >MSTask.exe, however, only permits connections via the localhost, or
> >127.0.0.1, so on most systems such an attack would have to originate from
> >someone at the console (or connected via Terminal Server).
> >
> >However, if WinGate or WinProxy is installed on the system, the system becomes
> >vulnerable to remote attackers, because they can connect to the system's
> >TCP port 1026 via WinGate or WinProxy, and the connection will be accepted.
> >
> >To reproduce the problem, use Winnt 4.0 Workstation.
> >Do the following:
> >
> >1. Start telnet.exe
> >2. Menu->Connect->Remote System=127.0.0.1 , Port=1026
> >3. Press 'Connect' button
> >4. When it connects, type some random characters and press enter.
> >5. Close telnet.exe.
> >
> >Now you can see in Task Manager that CPU usage is near 100% because of
> >MSTask.exe.
> >Sometimes (not always) the system halts; sometimes MSTask.exe listens on
> >port 1027 or higher.
> >I have tried this not only on my computer - it always works.
> >Windows 95/98 are not vulnerable, because they have no MSTask.exe :-)
> >Windows 2000 Enterprise Server has MSTask.exe and listens on port 1026,
> >but I didn't check it.
> >
> >Any updates for this information are available at
> >http://www.eng.securityelf.net/exploit.mstask.php4 .
> >
> >...........................................................................
> >"Security/Elf.Net" Project - http://www.securityelf.net

--
Geoffroy RIVAT
geoffroy@sicfa.org
ICQ: 39955422
