Full Disclosure mailing list archives

Who Cried Wolf???!? (or, Who's Shell32.exe?) [was: Local DoS in windows]


From: "Arcturus" <arcturus () secrev net>
Date: Sun, 12 Oct 2003 08:49:50 -0400

In reference to the alleged DoS in Windows... 

FIRST AND FOREMOST

IF YOU DOWNLOAD AND INSTALL SOMEONE ELSE'S CORE WINDOWS FILES ONTO YOUR
SYSTEM, YOU CANNOT EXPECT YOUR SYSTEM TO OPERATE IN THE FASHION THAT IT WAS
ORIGINALLY PRODUCED.  (see the definition of Stupidity, below)  

<soapbox rant>And as far as "bipin gautam"'s website, it's a very poor
excuse for someone that doesn't understand operating systems.  For example,
his Bypass WinXP Logs "TRICK" assumes that the guest account is not
disabled, and that my system won't shutdown when the security event log
cannot be written to.  This "trick" will not work in any reasonably
configured environment.  His other "Tricks" are nothing more than a lack of
understanding of a GUI system, and OS.  While he claims to have forwarded
these to Microsoft, I'm sure that they view these with the same "So What"
attitude that I have.  No bug, no threat, no skill.  This "hunter" makes
assumptions that everyone allows "guest" access to systems, and that
"normal" users have direct access to critical windows system files.  If this
is true of any system, that guest access is enabled without any
restrictions, ANY SYSTEM can be SUBVERTED.</soapbox rant>.

Regarding the "Local DoS in windows", I have the same results as "Joe".  It
does NOT affect my Windows XP system.  Details of the system are under my
signature block.

A short system summary:
AMD T-Bird Processor, 1.4
512Mb RAM.
Dual Monitor, with an NVIDIA and ATI Adapters.
Fully Licensed XP
Fully Licensed Office 2003
SQL 2000 Running on Box
I AM NOT RUNNING SOMEONE ELSE'S HACKED SOFTWARE.

I use this box as my workstation at home, and my test bed for work.  I have
not seen any issues relating to any DoS on my box, unless I begin
downloading files and starve my 100 Mbps Network.

I suggest that the persons who reported this "bug" ("bipin gautam") learn
how to use the performance monitor, and determine what processes and/or
threads are actually running the box at 100% utilization, as it sounds that
they are running an out-of-date video driver, or as Joe suggests, they have
hacked their own shell32.dll to death.

Just my 2¢, YMMV.

-
Arcturus
CISSP, CCSE+, CNX.

Stupidity:  This is the act of doing the same thing over and over again, and
expecting a different result each time.

System Summary:

OS Name Microsoft Windows XP Professional
Version 5.1.2600 Service Pack 1 Build 2600
OS Manufacturer Microsoft Corporation
System Name     <Like I'm telling you>
System Manufacturer     System Manufacturer
System Model    Product Name
System Type     X86-based PC
Processor       x86 Family 6 Model 4 Stepping 4 AuthenticAMD ~1400 Mhz
BIOS Version/Date       Award Software International, Inc. 6.00 PG, 3/7/2001
SMBIOS Version  2.3
Windows Directory       C:\WINDOWS
System Directory        C:\WINDOWS\System32
Boot Device     \Device\HarddiskDmVolumes\DFFDg0\Volume1
Locale  United States
Hardware Abstraction Layer      Version = "5.1.2600.1106 (xpsp1.020828-1920)"
User Name       <See System Name>
Time Zone       Eastern Standard Time
Total Physical Memory   512.00 MB
Available Physical Memory       11.70 MB
Total Virtual Memory    873.43 MB
Available Virtual Memory        320.10 MB
Page File Space 617.95 MB
Page File       C:\pagefile.sys

-----Original Message-----
From: full-disclosure-admin () lists netsys com
[mailto:full-disclosure-admin () lists netsys com] On Behalf Of Joe
Sent: Saturday, October 11, 2003 9:32 PM
To: Full-Disclosure () lists netsys com
Cc: bugtraq () securityfocus com
Subject: RE: [Full-disclosure] Local DoS in windows.

Umm nope, not on my XP SP1 machine. I have about 15 windows running and avg
1% utilization. I do your little trick and there is no change. 

Though maybe it is because my machine is one of those really fast 900Mhz
PIII's. 

Maybe the problem is you are running a hacked version of shell32.dll from
http://www.geocities.com/visitbipin/ and he screwed it up. 

Thanks for playing.

   joe


-----Original Message-----
From: full-disclosure-admin () lists netsys com
[mailto:full-disclosure-admin () lists netsys com] On Behalf Of bipin gautam
Sent: Friday, October 10, 2003 1:18 PM
To: Full-Disclosure () lists netsys com
Cc: bugtraq () securityfocus com

--- [Affected] ---
We have only tried it in windows Xp.

--- [Bug Details] ---
http://www.geocities.com/visitbipin/win_dos.jpg
The image is self explanatory...

--- [Description] ---
When you click to "any" close, maximize or minimize buttons in windows Xp,
[No matter whether it's IE or a WordPad] surprisingly there is 100% CPU use
at the instant and it continues............ until you release the button!
Moreover, we've noticed if you continuously click the button for a long time
[... not release it and hold ON ] we've seen gradual/slow rise in page-file
use too...!!!

--- [Conclusion] ---
Hell... local DoS! That could be used by employees working at different
terminal..... (O;



_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

