Bugtraq mailing list archives
NT vulnerable to attack on CPU
From: aleph1 () dfw net (Aleph One)
Date: Thu, 19 Dec 1996 13:40:58 -0600
http://www.pcweek.com/news/1216/18ent.html

December 18, 1996 5:45 PM ET

_NT vulnerable to attack on CPU_
_By Eamonn Sullivan_

Errors in the way Windows NT schedules concurrently running applications leave it vulnerable to a simple, but very effective, denial of service attack, according to a Windows NT expert.

"This is a wide-open hole just waiting for exploitation by an ActiveX control," said Mark Russinovich, a consulting associate with Open Systems Resources Inc. who discovered the vulnerability this week.

The flaw is particularly serious, since it can be easily exploited by an ActiveX control or by a Netscape plug-in. Russinovich wrote a simple utility that, while running with no special security privileges, is able to take complete control of any Windows NT server or workstation, rendering it useless for any other applications.

The algorithm used by Windows NT to protect itself against such CPU-hogging attacks appears to be seriously flawed and ineffective, Russinovich said. The source code for the utility, which is called CpuHog, is available on the Web at www.ntinternals.com.

_How it works_

Basically, Russinovich's program exploits a vulnerability in the way Windows NT schedules the execution of processes. Applications can set their own priority level, which affects how often Windows NT allows those applications to run. An application running under a user account with administrative privileges can set its priority to any of 32 levels, with the highest level giving it more time slices. Applications running under accounts without administrative privileges can set their priority to any of the first 16 of those levels.

CpuHog sets its priority to the highest level available, which is level 16 when run by a normal user. Windows NT attempts to deal with CPU-hogging applications by boosting the priority of other applications. However, Russinovich found that Windows NT will only boost applications as high as level 15. Thus, all other applications - even system utilities such as Task Manager - never get a chance to execute while CpuHog is running.

PC Week Labs was able to duplicate Russinovich's findings. When run on Windows NT 4.0, for example, the only way to regain control once CpuHog was executed was to reset the PC.

_Old problem_

Hogging the CPU is one of the oldest known forms of denial of service attack. So old, in fact, that many operating systems have developed a defense. Many forms of Unix allow administrators to set limits on CPU usage by user - limiting any one user to 50 percent of available CPU cycles, for example. Almost all forms of Unix also automatically decrease the priority of the highest-priority processes when applications become starved for CPU time, which is the opposite of what Windows NT does.

Russinovich said Microsoft could get around the problem fairly easily in one of two ways: Either increase the maximum priority given to other, CPU-starved applications above level 15, or increase the priority of the Task Manager above level 16, so that it can be used to end CPU-hogging applications.

Microsoft officials contacted for this story did not have a comment, other than to say they are researching the problem.

_Copyright(c) 1996 Ziff-Davis Publishing Company. All rights reserved._
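The starvation the article describes, as an added toy model (not CpuHog, and not Microsoft's scheduler code): a strict-priority dispatcher that boosts starved threads no higher than 15, as the article says NT 4.0 does, compared with a cap raised above the hog's level 16, which is the article's first proposed fix. The thread names, the level-8 base for the ordinary threads and the raised cap of 17 are constructed assumptions.

```python
from dataclasses import dataclass, field


@dataclass
class Thread:
    name: str
    base: int                  # base priority 1..31; a normal user may pick up to 16
    current: int = field(init=False)
    slices: int = 0            # time slices received so far

    def __post_init__(self):
        self.current = self.base


def run_scheduler(threads, ticks, boost_cap=15):
    """Dispatch `ticks` time slices and return {thread name: slices received}.

    Each slice goes to the thread with the highest current priority (ties go
    to the thread with the fewest slices so far). Threads that did not run
    are boosted one level, but never above boost_cap, and a thread falls back
    to its base priority as soon as it has run. This is a simplified model of
    the boost behaviour the article describes, not NT's real algorithm.
    """
    for _ in range(ticks):
        winner = max(threads, key=lambda t: (t.current, -t.slices))
        winner.slices += 1
        winner.current = winner.base
        for t in threads:
            if t is not winner and t.current < boost_cap:
                t.current += 1
    return {t.name: t.slices for t in threads}


def scenario(boost_cap, ticks=1000):
    """A level-16 hog beside two ordinary level-8 threads (constructed names)."""
    threads = [Thread("cpuhog", 16), Thread("taskmgr", 8), Thread("editor", 8)]
    return run_scheduler(threads, ticks, boost_cap)


if __name__ == "__main__":
    # With the cap at 15 the hog keeps every slice; with the cap above 16
    # the starved threads climb past it and get scheduled again.
    print("boost cap 15 (NT 4.0 as described):", scenario(15))
    print("boost cap 17 (assumed fix):        ", scenario(17))
```

With the cap at 15, Task Manager and the editor climb to 15 and stay there, never outranking the hog; raising the cap lets them preempt it, which is why the article's first fix works in this model.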