Bugtraq mailing list archives

Re: Win95/98 and Novell client DoS


From: mrenner () GENLYTE COM (Michael Renner)
Date: Fri, 8 Oct 1999 19:59:47 -0400


After a little searching around....
  Novell was apparently aware of this exploit, as it has been eliminated with the Win95/98 v3.1 client (now at SP2 as of 10/03/1999).  See Novell TID2948363 at http://support.novell.com for details.
  Have a good weekend!!

Michael J. Renner
Network/UNIX-PC System Administrator
HADCO Lighting, Genlyte-Thomas Group LLC

Bruce Dennison <dennis_b () POPMAIL FIRN EDU> 10/08/1999 16:37:59 >>>
FYI,

Perhaps this has been reported.  I haven't seen it.  If it has been
previously reported, sorry.  Consider this a reminder.

Novell client opens port 427 TCP.  My services file reports this port to be
known as 'svrloc'.  You can bluescreen Win95/98 with Novell Client versions
3.0 and 3.0.1 by sending a SYN to this port, as you would with 'nmap -sS -p
427 <target>'.  This is quite fatal.  The only recovery seems to be a power
reset.

If one uses a spoofed source address, sweeps a hundred or two class C's or
so once every several minutes with nmap and a simple script, one could keep
large numbers of business and governmental workstations offline for long
periods of time.

This works well on single machines or with bulk scans.  It makes a lot of
people very mad very quickly all at once.  No one here on the LAN has
figured out it was me yet, so I am still alive.

I am not the workstation, LAN or Novell person in my shop.  It's not my
problem to deal with even though I found it.  I cannot test this any
further.  The only way I have found to stop it is to remove the Novell
Client from my machine.  Can someone confirm this?  Does anyone have any
more or better information on this?

thanx,

Bruce Dennison
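
A detection sketch for the traffic pattern described above, added here as an example and not part of either original message: it flags any /24 in which many distinct hosts receive a SYN to TCP 427 within a short window, and it ignores the source address because the post notes it can be spoofed. The log line format, the 60-second window and the threshold of 5 hosts are assumptions, and the sample log is constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

SVRLOC_PORT = 427                # TCP port named in the post (svrloc)
WINDOW = timedelta(seconds=60)   # assumed detection window
THRESHOLD = 5                    # assumed: distinct hosts hit per /24 in WINDOW

# Constructed log format (hypothetical, not taken from any real product).
LINE_RE = re.compile(
    r"^(?P<ts>\S+) SYN src=\S+ dst=(?P<dst>\d+\.\d+\.\d+\.\d+) dport=(?P<dport>\d+)$")

def parse(line):
    """Return (timestamp, dst_ip, dst_port), or None for an unparsable line."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    return datetime.fromisoformat(m["ts"]), m["dst"], int(m["dport"])

def find_sweeps(lines, port=SVRLOC_PORT, window=WINDOW, threshold=THRESHOLD):
    """Return the /24 networks where at least `threshold` distinct hosts
    received a SYN to `port` within `window`; source addresses are ignored."""
    per_net = defaultdict(list)              # "a.b.c.0/24" -> [(ts, dst), ...]
    for line in lines:
        rec = parse(line)
        if rec is None or rec[2] != port:
            continue
        ts, dst, _ = rec
        per_net[dst.rsplit(".", 1)[0] + ".0/24"].append((ts, dst))
    flagged = []
    for net, events in per_net.items():
        events.sort()
        start = 0
        for end in range(len(events)):       # sliding time window
            while events[end][0] - events[start][0] > window:
                start += 1
            if len({d for _, d in events[start:end + 1]}) >= threshold:
                flagged.append(net)
                break
    return sorted(flagged)

# Constructed sample: a fast 427 sweep, two unrelated 427 hits, a port-80 sweep.
SAMPLE_LOG = (
    [f"1999-10-08T16:30:0{i} SYN src=10.{i}.7.9 dst=192.168.1.{10 + i} dport=427" for i in range(6)]
    + ["1999-10-08T16:30:00 SYN src=10.1.1.1 dst=192.168.2.5 dport=427",
       "1999-10-08T16:45:00 SYN src=10.1.1.1 dst=192.168.2.6 dport=427"]
    + [f"1999-10-08T16:31:0{i} SYN src=10.2.2.2 dst=192.168.3.{i + 1} dport=80" for i in range(6)])
print(find_sweeps(SAMPLE_LOG))
```

Grouping by destination network rather than by sender is what lets the check survive spoofed sources; the fix named in the reply remains the Win95/98 v3.1 client.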

