Re: Win2K Local DoS?

[Nicolas Rachinsky <rnicolas () GMX NET>]

Try following to kill any NT4 machine I know (up to SP5 including Terminalserver).
Start the following batch file.
---sexporn.bat----
:a
start sexporn.bat
goto a
----
It rendered all the test machines unusable within few seconds.
Nicolas

----- Original Message ----- 
From: Kevin Stephenson <kevin.stephenson () POBOX COM>
To: <VULN-DEV () SECURITYFOCUS COM>
Sent: Sunday, August 06, 2000 6:57 AM
Subject: Re: Win2K Local DoS?


> I'm a bit out of my league here, but if a company wanted to physically
> secure their hardware (at least the power button and cord) and try to
> harden their Win2k Pro boxes in order to try and get some Orange Book level
> certification, aren't they fundamentally screwed because of things like
> this? I think this idea can be further developed into a nasty little DoS
> attack somehow. See page 550 in the Win2K Pro Resource Kit. It has some
> information about Increase Quotas and Increase Scheduling Priority Local
> Policies.
>
> It might be a good idea to write a program that runs as a service at the
> Local System level that monitors for rogue processes and lowers their
> priorities to thwart a DoS attack in lieu of process quotas, which appear
> to be missing in all Microsoft OSes. This would be a non-trivial
> programming task. So much for being an Enterprise class OS. Apparently any
> half-wit can take down an Advanced/Datacenter server.
>
> At 07:19 PM 8/5/2000 +0200, you wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On 2000-08-04 at 10:14 Maxime Rousseau wrote:
>
>  >Oliver Friedrichs says:
>  >! Once you have execute permission on a Windows system there's not
>  >! alot limiting you from using resources.
>  >
>  >Very true, I fail to see the use of a local DoS. If you want to kill
>  >the machine the 'shutdown' feature comes to mind.
>
> Only in Windows 2000 Professional do normal users have the privilege
> to shutdown the machine, but this can be revoked by an administrator.
> Normally that's a moot point, since the plug can always be pulled, of
> course. :-)
>
> But if you consider Windows 2000 (Advancer) Server, which also
> includes Terminal Services, this really can be an effective DoS,
> since you can keep the CPU at 100%, and refuse to log out. Then
> again, you could also do this with a main(){for(;;);} type thingy. I
> am not aware of any option to set CPU quota in Windows 2000, but
> please correct me if I'm wrong.
>
>
>  >Dimitry Andric says:
>  >! It simply checks for some reserved names, such as services.exe,
>
> To follow up on myself here, examination of the taskmgr.exe file
> indicates that the list of "unkillable" processes consists of:
> services.exe, smss.exe, winlogon.exe, csrss.exe and dllhost.exe.
> Strangely lsass.exe and some others aren't even included, while
> they're certainly critical. This now seems to be even more of a
> last-minute hack from the taskmgr developers than I thought at first.
> ;-)
>
>
>  >However I'm not quite sure to
>  >understand how you would not be able to use an OpenProcess() for
>  >something called services.exe.
>
> OpenProcess() is called with a process id, not with a name. You
> lookup the pid in the task manager list, pass it to OpenProcess() to
> get a handle, and pass that to TerminateProcess() to finish off the
> process. However, even as an administrator, calling OpenProcess()
> with the pid of most of these system processes will fail with an
> "Access denied" error. So you can't terminate those processes in this
> manner (there are other ways, though). The NT4 version of Task
> Manager just displays these errors if you try to kill any of the
> system processes.
>
>
>  >IMHO, this is a rather serious flaw in the task manager. Imposing
>  >restrictions or assuming a critical process by a string match on its
>  >name is not even bad, its downright evil (i wonder if i rename my
>  >account administrator... heh). Maybe someone should contact MS?
>
> I think they'll just say that if you have local access, you can DoS
> the machine anyway. The only argument for removing this "feature" is
> that it's prone to misuse by trojans and the like. You couldn't kill
> services.exe anyway, so it can only be called superfluous.
>
> Cheers,
> - --
> Dimitry Andric <dim () xs4all nl>
> PGP key: http://www.xs4all.nl/~dim/dim.asc
> KeyID: 4096/1024-0x2E2096A3
> Fingerprint: 7AB4 62D2 CE35 FC6D 4239 4FCD B05E A30A 2E20 96A3
>
> -----BEGIN PGP SIGNATURE-----
> Version: Encrypted with PGP Plugin for Calypso
> Comment: http://www.gn.apc.org/duncan/stoa_cover.htm
>
> iQA/AwUBOYw+mbBeowouIJajEQKOFwCaAgXojCfYFYP7qBdhFlTyKt1IVLYAn1Iv
> 1EOhRF0Bwm1z5PtRn+oxyJhy
> =QmuF
> -----END PGP SIGNATURE-----