Telecom and Logistics Associates 

TLAalert Security Service

Publication: Christian ALT

TLAnews: Security NEWs Service

 5.7.2000 Security Vulnerabilities in Windows 2000 Telnet Server and partial Denial of Service
The same kinds of vulnerabilities were also found on some Windows 2000 network services

In French: Vulnerabilities in the Windows 2000 Telnet server and partial denial of service
The same type of vulnerabilities was also found on certain Windows 2000 network services


English version
Vulnerability in Microsoft Windows 2000 Telnet Server
Microsoft Windows 2000 Server is supplied with a Telnet server for remote
console access.  A Denial of Service vulnerability exists in this server which
may be exploited by a local or remote attacker.

Multiple ports/protocols partial Denial of Service
Multiple services on Windows 2000 Server are vulnerable to a simple attack which
allows remote network users to drive the CPU utilization to 100% in an extremely short period of time, at little cost to the attacker's machine.

The ports that were found vulnerable include TCP ports 7, 9, 21, 23, 7778
and UDP ports 53, 67, 68, 135, 137, 500, 1812, 1813, 2535, 3456. This can be
reproduced from a Unix machine using "nc target.host 7 < /dev/zero" for the
TCP variant or "nc -u target.host 53 < /dev/zero" for the UDP variant.

French summary
Vulnerability in Microsoft Windows 2000 Telnet Server
The Telnet server on Windows 2000 can be stopped by sending a series of binary zeros to the Telnet server. This is easily done from a Unix machine using the command:

nc target.host 23 < /dev/zero

Multiple ports/protocols partial denial of service
Multiple services on Windows 2000 are vulnerable to a simple attack on UDP ports 53, 67, 68, 135, 137, 500, 1812, 1813, 2535, 3456

and on TCP ports 7, 9, 21, 23, 7778

TCP variant

nc target.host 7 < /dev/zero

UDP variant

nc -u target.host 53 < /dev/zero


Vulnerability in Microsoft Windows 2000 Telnet Server

FSC Internet / SecureXpert Labs

SecureXpert Labs Advisory [SX-20000620-1] - Denial of Service
vulnerability in Microsoft Windows 2000 Telnet Server

Summary

Microsoft Windows 2000 Server is supplied with a Telnet server for remote
console access.  A Denial of Service vulnerability exists in this server which
may be exploited by a local or remote attacker.

Details

A remote user can cause the telnet server to stop responding to requests by
sending a stream of binary zeros to the telnet server.  This can easily be
reproduced from a Linux system using netcat with an input of /dev/zero,
with a command such as "nc target.host 23 < /dev/zero".  The Windows
2000 Telnet Server stops responding to requests after a few seconds.  If
the Telnet Server is set to restart upon failure, it will restart and
immediately fail. This will occur repeatedly until the Telnet Server exceeds
its restart count, at which point the service remains down.

Status

Microsoft Corp. has been informed of this vulnerability, and has assigned it
incident ID# [MSRC 290].  As of Tuesday June 2000, Microsoft has successfully
reproduced the vulnerability and SecureXpert Labs staff are working with Microsoft
to prepare a fix.

Credits

Mike Murray, SecureXpert Labs
Max Degtyar, SecureXpert Labs
Richard Reiner, SecureXpert Labs

About SecureXpert DIRECT

SecureXpert DIRECT is an advance security advisory service provided by
SecureXpert Labs.  Subscriptions are free of charge and may be obtained
online at http://www.securexpert.com/services.html.
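
The advisory describes the trigger as a sustained stream of binary zeros. The following detection sketch is an added example, not part of the SecureXpert advisory: it flags flows to the ports named on this page whose payload is almost entirely NUL bytes. The record layout, both thresholds and the sample addresses are assumptions made for illustration.

```python
from collections import defaultdict

# Port lists copied from the two advisories on this page.
AFFECTED = {
    "tcp": {7, 9, 21, 23, 7778},
    "udp": {53, 67, 68, 135, 137, 500, 1812, 1813, 2535, 3456},
}
MIN_BYTES = 4096      # assumed threshold: ignore short bursts of padding
MIN_NUL_RATIO = 0.99  # assumed threshold: payload is almost entirely 0x00


def find_nul_floods(segments):
    """Return sorted (proto, src, dst, dport, total_bytes) for suspect flows.

    segments: iterable of (proto, src, dst, dport, payload_bytes) records,
    e.g. produced by a packet-capture parser (hypothetical input format).
    """
    totals = defaultdict(lambda: [0, 0])  # flow key -> [all bytes, NUL bytes]
    for proto, src, dst, dport, payload in segments:
        proto = proto.lower()
        if dport not in AFFECTED.get(proto, ()):
            continue  # port is not one the advisories list
        counts = totals[(proto, src, dst, dport)]
        counts[0] += len(payload)
        counts[1] += payload.count(0)
    hits = []
    for key, (total, nuls) in totals.items():
        if total >= MIN_BYTES and nuls / total >= MIN_NUL_RATIO:
            hits.append(key + (total,))
    return sorted(hits)


# Constructed sample traffic (documentation addresses, not a real capture).
SAMPLE = [
    ("tcp", "192.0.2.10", "198.51.100.5", 23, b"\x00" * 1460),
    ("tcp", "192.0.2.10", "198.51.100.5", 23, b"\x00" * 1460),
    ("tcp", "192.0.2.10", "198.51.100.5", 23, b"\x00" * 1460),
    ("tcp", "192.0.2.77", "198.51.100.5", 23, b"\xff\xfd\x18login: admin\r\n"),
    ("udp", "192.0.2.10", "198.51.100.5", 53, b"\x00" * 8192),
    ("udp", "192.0.2.20", "198.51.100.5", 53, b"\x12\x34\x01\x00" + b"\x00" * 28),
    ("tcp", "192.0.2.10", "198.51.100.5", 80, b"\x00" * 8192),
]

if __name__ == "__main__":
    for hit in find_nul_floods(SAMPLE):
        print("possible NUL-stream DoS:", hit)
```

Accumulating per flow rather than per packet lets a slow stream of small all-zero segments still cross the byte threshold, while a short DNS query that happens to contain zero padding does not.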

Multiple ports/protocols partial Denial of Service in Microsoft Windows 2000 Server

FSC Internet Corp. / SecureXpert Labs

SecureXpert Labs Advisory [SX-20000620-2] - Multiple ports/protocols
partial Denial of Service in Microsoft Windows 2000 Server

Summary

Multiple ports and protocols on Microsoft Windows 2000 Server are susceptible
to a simple network attack which raises CPU utilization on Windows 2000
Server to 100%.

Details

Multiple services on Windows 2000 Server are vulnerable to a simple attack which
allows remote network users to drive the CPU utilization to 100% in an
extremely short period of time, at little cost to the attacker's machine.

The ports that were found vulnerable include TCP ports 7, 9, 21, 23, 7778
and UDP ports 53, 67, 68, 135, 137, 500, 1812, 1813, 2535, 3456.

While this attack does not cause an immediate lockup of the machine, it
does cause excessive CPU resource utilization on the target machine.

This can easily be reproduced from a Linux system using netcat with an input
of /dev/zero, with a command such as "nc target.host 7 < /dev/zero" for the
TCP variant or "nc -u target.host 53 < /dev/zero" for the UDP variant.

Due to the large number of services affected, this could likely allow a
very quick and easy distributed attack.

Status

Microsoft Corp. has been informed of this vulnerability, and has assigned it
incident ID# [MSRC 291].  SecureXpert Labs staff are working with
Microsoft to reproduce the vulnerability and prepare a fix.

Credits

Mike Murray, SecureXpert Labs
Max Degtyar, SecureXpert Labs
Richard Reiner, SecureXpert Labs

About SecureXpert DIRECT

SecureXpert DIRECT is an advance security advisory service provided by
SecureXpert Labs.  Subscriptions are free of charge and may be obtained
online at http://www.securexpert.com/services.html.
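
To decide which services to disable or filter, an administrator can compare a server's listeners against the port list in this advisory. The following audit helper is an added example, not part of the SecureXpert advisory; it assumes the column layout of Windows "netstat -an" output, and the sample listing is constructed.

```python
# Port lists copied from advisory SX-20000620-2 on this page.
AFFECTED = {
    "tcp": {7, 9, 21, 23, 7778},
    "udp": {53, 67, 68, 135, 137, 500, 1812, 1813, 2535, 3456},
}


def exposed_services(netstat_text):
    """Return sorted (proto, port, bind_address) for affected listeners."""
    found = set()
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0].upper() not in ("TCP", "UDP"):
            continue  # header, blank line or unrelated output
        proto = fields[0].lower()
        # TCP rows carry a state column; only LISTENING sockets accept new
        # connections. UDP rows have no state, so every bound socket counts.
        if proto == "tcp" and (len(fields) < 4 or fields[3].upper() != "LISTENING"):
            continue
        addr, _, port = fields[1].rpartition(":")
        if port.isdigit() and int(port) in AFFECTED[proto]:
            found.add((proto, int(port), addr))
    return sorted(found)


# Constructed sample of "netstat -an" output (not from a real host).
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:21             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:23             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    10.0.0.5:23            192.0.2.10:1045        ESTABLISHED
  TCP    10.0.0.5:1030          192.0.2.50:7778        ESTABLISHED
  UDP    0.0.0.0:500            *:*
  UDP    10.0.0.5:137           *:*
  UDP    10.0.0.5:138           *:*
"""

if __name__ == "__main__":
    for proto, port, addr in exposed_services(SAMPLE_NETSTAT):
        print(f"{proto.upper()} {port} bound on {addr}: listed in the advisory")
```

Only the local address column is checked, so an outbound connection to a remote port 7778 is not reported as an exposed service.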

 
Copyright © [Telecom and Logistics Associates Sàrl]. All rights reserved.
Revised: July 05, 2000.
