Dailydave mailing list archives

SrvSvc DoS confirmed


From: Dave Aitel <dave () immunitysec com>
Date: Tue, 22 Nov 2005 13:27:34 -0500

Well, I can confirm (as can anyone in our Partner's program) that the srvsvc DoS works against up2date XP SP2, or at least, that it works against Justine's laptop. I'm fairly impressed with how well XP SP2 handles a memory overload attack. It chugs along even with no ram left quite well. I can only imagine they have all the ram they need to run explorer and the desktop pre-allocated and you can't kick it out. Things get pretty choppy, of course, but it's at least...viewable. I think a few processes died maybe. It's hard to tell.

So to sum up:
XP SP2 is vulnerable to a memory denial of service from remote anonymous users via named pipes or other MSRPC. This is a lopsided attack and not a simple memory leak - I don't have to send millions of bytes, just about a hundred, and the target allocates as much ram as I want it to and then gets "funny". I imagine this is more annoying (aka catastrophic) if you're trying to run an Exchange server or something. I haven't tested on 2003 yet. That's next. :>

The srvsvc attack also works against the Win2K image I tested.

-dave


