Bugtraq mailing list archives

Re: Possible DoS attack to NT boxes running OpenNT 2.1


From: jason_zions () INTERIX COM (Jason Zions)
Date: Tue, 4 Aug 1998 17:24:08 -0700


Nemo <NemoII () ASTURIES ORG> (or possibly n3m0 () hotmail com) said:
 ---
There's a possible Denial of Service attack to NT boxes running OpenNT 2.1
over a Telnet connection (I could not test if any earlier version is
affected). Any NT machine running the telnet daemon included in OpenNT is
vulnerable to this attack.

This vulnerability is related to the fact that OpenNT Unix consoles allow
running win32 applications (both GUI and text based) through the command
line. The same happens when a client connects to an OpenNT telnetd: the
client is allowed to launch and run win32 applications...
 ---

And then he proceeded to give an example of the DoS attack: telnetting to an
NT system, logging on, and running a Win32 GUI program which appeared to be
unkillable.

There are two things wrong with this. First, it's hardly a DoS attack when you
had to authenticate yourself to the system to make the attack. If an admin
saw several dozen instances of a Win32 app belonging to user Nemo, said
admin could simply call up Nemo and yell at him for sucking up memory.
There's no anonymous attack here; no username/password, no access.

Second, the Win32 GUI app is running just fine, in a non-displayed Window
Station. It is consuming some resources, but mostly swap space; no CPU time,
once the app has started up and is waiting for user input. A user with
appropriate privileges (say, Administrator) should be able to use TKILL.EXE
or the Task Manager or any other appropriate utility to shoot the
non-visible GUI app. Certainly, Nemo could log back on via telnet and shoot
his own non-visible GUI app via tkill.

Yes, PSXSS.EXE is unkillable, even by the Administrator. So is CSRSS.EXE,
which serves the same purpose for Win32 as PSXSS.EXE does for OpenNT. Only
one instance of these protected-mode user space subsystem servers will ever
run, and "protected" means just that.

Jason Zions
Softway Systems Inc. (the OpenNT folks. 'cept it's now called Interix.)
http://www.interix.com
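The reply's practical point is that the "unkillable" GUI app is just an ordinary process belonging to an identifiable user in a non-visible session, and an administrator can list it by owner and terminate it. The script below is an added example for a modern Windows host; it is not part of the original post and is not Interix/Softway code. It uses WMI/CIM (Win32_Process and its GetOwner method) in place of the TKILL.EXE mentioned above; the account name "Nemo" and the -Kill switch are hypothetical.

```powershell
# Added example (not from the original post): enumerate processes owned by a
# given account, show which session they run in, and optionally stop them.
# Assumes a modern Windows host with PowerShell; the account name is hypothetical.
param(
    [string]$User = 'Nemo',          # hypothetical account from the thread
    [switch]$Kill                    # only terminate when explicitly asked
)

$owned = foreach ($p in Get-CimInstance -ClassName Win32_Process) {
    # GetOwner returns the account that owns the process token.
    $owner = Invoke-CimMethod -InputObject $p -MethodName GetOwner
    # GetOwner fails (ReturnValue -ne 0) for some system processes; skip those.
    if ($owner.ReturnValue -eq 0 -and $owner.User -eq $User) {
        [pscustomobject]@{
            Pid       = $p.ProcessId
            Name      = $p.Name
            SessionId = $p.SessionId   # 0 = services session, no visible desktop
            Domain    = $owner.Domain
        }
    }
}

# Show what the account is running, grouped by session, before touching anything.
$owned | Sort-Object SessionId, Name | Format-Table -AutoSize

if ($Kill) {
    foreach ($proc in $owned) {
        try {
            Stop-Process -Id $proc.Pid -Force -ErrorAction Stop
            Write-Host "Stopped $($proc.Name) (PID $($proc.Pid))"
        } catch {
            # Protected processes (subsystem servers and the like) refuse
            # termination even for Administrator; report and move on.
            Write-Warning "Could not stop $($proc.Name) (PID $($proc.Pid)): $($_.Exception.Message)"
        }
    }
}
```

Run it first without -Kill from an elevated prompt to confirm the owner and session of the suspect processes; processes in a session other than the one you are logged on to will not appear on your desktop, which is exactly the situation the reply describes. Stopping a process owned by another account requires the debug privilege that Administrators hold by default, and protected subsystem processes such as CSRSS.EXE or PSXSS.EXE will still refuse.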