Vulnerability Development mailing list archives
Re: Win2K Local DoS?
From: Nicolas Rachinsky <rnicolas () GMX NET>
Date: Tue, 8 Aug 2000 21:47:43 +0200
Try the following to kill any NT4 machine I know of (up to SP5, including Terminal Server).
Start the following batch file.

---sexporn.bat----
:a
start sexporn.bat
goto a
----

It rendered all the test machines unusable within a few seconds.

Nicolas

----- Original Message -----
From: Kevin Stephenson <kevin.stephenson () POBOX COM>
To: <VULN-DEV () SECURITYFOCUS COM>
Sent: Sunday, August 06, 2000 6:57 AM
Subject: Re: Win2K Local DoS?
I'm a bit out of my league here, but if a company wanted to physically secure
their hardware (at least the power button and cord) and try to harden their
Win2k Pro boxes in order to try and get some Orange Book level certification,
aren't they fundamentally screwed because of things like this?

I think this idea can be further developed into a nasty little DoS attack
somehow. See page 550 in the Win2K Pro Resource Kit. It has some information
about Increase Quotas and Increase Scheduling Priority Local Policies. It
might be a good idea to write a program that runs as a service at the Local
System level that monitors for rogue processes and lowers their priorities to
thwart a DoS attack in lieu of process quotas, which appear to be missing in
all Microsoft OSes. This would be a non-trivial programming task.

So much for being an Enterprise class OS. Apparently any half-wit can take
down an Advanced/Datacenter server.

At 07:19 PM 8/5/2000 +0200, you wrote:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 2000-08-04 at 10:14 Maxime Rousseau wrote:
>Oliver Friedrichs says:
>! Once you have execute permission on a Windows system there's not
>! a lot limiting you from using resources.
>
>Very true, I fail to see the use of a local DoS. If you want to kill
>the machine the 'shutdown' feature comes to mind.

Only in Windows 2000 Professional do normal users have the privilege to
shut down the machine, but this can be revoked by an administrator.
Normally that's a moot point, since the plug can always be pulled, of
course. :-) But if you consider Windows 2000 (Advanced) Server, which
also includes Terminal Services, this really can be an effective DoS,
since you can keep the CPU at 100%, and refuse to log out. Then again,
you could also do this with a main(){for(;;);} type thingy. I am not
aware of any option to set CPU quota in Windows 2000, but please
correct me if I'm wrong.

>Dimitry Andric says:
>! It simply checks for some reserved names, such as services.exe,

To follow up on myself here, examination of the taskmgr.exe file
indicates that the list of "unkillable" processes consists of:
services.exe, smss.exe, winlogon.exe, csrss.exe and dllhost.exe.
Strangely lsass.exe and some others aren't even included, while they're
certainly critical. This now seems to be even more of a last-minute hack
from the taskmgr developers than I thought at first. ;-)

>However I'm not quite sure to
>understand how you would not be able to use an OpenProcess() for
>something called services.exe.

OpenProcess() is called with a process id, not with a name. You look up
the pid in the task manager list, pass it to OpenProcess() to get a
handle, and pass that to TerminateProcess() to finish off the process.
However, even as an administrator, calling OpenProcess() with the pid of
most of these system processes will fail with an "Access denied" error.
So you can't terminate those processes in this manner (there are other
ways, though). The NT4 version of Task Manager just displays these
errors if you try to kill any of the system processes.

>IMHO, this is a rather serious flaw in the task manager. Imposing
>restrictions or assuming a critical process by a string match on its
>name is not even bad, it's downright evil (I wonder if I rename my
>account administrator... heh). Maybe someone should contact MS?

I think they'll just say that if you have local access, you can DoS the
machine anyway. The only argument for removing this "feature" is that
it's prone to misuse by trojans and the like. You couldn't kill
services.exe anyway, so it can only be called superfluous.
Cheers,
- --
Dimitry Andric <dim () xs4all nl>
PGP key: http://www.xs4all.nl/~dim/dim.asc
KeyID: 4096/1024-0x2E2096A3
Fingerprint: 7AB4 62D2 CE35 FC6D 4239 4FCD B05E A30A 2E20 96A3

-----BEGIN PGP SIGNATURE-----
Version: Encrypted with PGP Plugin for Calypso
Comment: http://www.gn.apc.org/duncan/stoa_cover.htm

iQA/AwUBOYw+mbBeowouIJajEQKOFwCaAgXojCfYFYP7qBdhFlTyKt1IVLYAn1Iv
1EOhRF0Bwm1z5PtRn+oxyJhy
=QmuF
-----END PGP SIGNATURE-----
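The mitigation Kevin sketches in the message above (a privileged service that watches for rogue processes and lowers their priority, in place of the per-process quotas the thread says are missing) can be illustrated with a small watchdog loop. The script below is an added example written for this archive page, not code from any of the posters; it is PowerShell, which did not exist in 2000, and relies only on the System.Diagnostics.Process objects that Get-Process returns. The thresholds (MaxPerName, CpuPercent), the sampling interval and the exclusion list are assumptions to be tuned per host. It covers both patterns discussed in the thread: the self-respawning batch file (caught by counting live instances of one image name) and a single spinning process such as the for(;;) loop (caught by measuring processor time over the interval).

```powershell
# Added example (not from the thread): a runaway-process watchdog in the spirit
# of the "service that lowers rogue process priorities" idea discussed above.
# Each sampling interval it
#   1. flags image names with an unusual number of live instances (the pattern a
#      self-respawning batch file produces), and
#   2. flags processes that burned more than a CPU-percentage threshold of one
#      logical processor since the previous sample,
# then drops the offenders to Idle priority and logs what it did.
# Thresholds and the exclusion list are assumptions; tune them per host.
param(
    [int]$IntervalSeconds = 5,
    [int]$MaxPerName      = 40,
    [double]$CpuPercent   = 90,
    [string[]]$Exclude    = @('System', 'Idle', 'smss', 'csrss', 'winlogon',
                              'services', 'lsass', 'svchost')
)

# PIDs already throttled, so each process is logged once rather than every interval.
$throttled = @{}

function Get-CpuSnapshot {
    # PID -> cumulative processor time. Processes that exit mid-call are skipped.
    $snap = @{}
    foreach ($p in Get-Process -ErrorAction SilentlyContinue) {
        try { $snap[$p.Id] = $p.TotalProcessorTime } catch { }
    }
    return $snap
}

function Set-IdlePriority {
    param([System.Diagnostics.Process]$Proc, [string]$Reason)
    if ($throttled.ContainsKey($Proc.Id)) { return }
    $stamp = Get-Date -Format o
    try {
        # Needs PROCESS_SET_INFORMATION on the process handle. As the thread notes,
        # OpenProcess() on core system processes fails with Access denied even for
        # an administrator, so failures are logged rather than treated as fatal.
        $Proc.PriorityClass = [System.Diagnostics.ProcessPriorityClass]::Idle
        $throttled[$Proc.Id] = $true
        Write-Warning ("{0} throttled PID {1} ({2}): {3}" -f $stamp, $Proc.Id, $Proc.ProcessName, $Reason)
    } catch {
        Write-Warning ("{0} could not adjust PID {1} ({2}): {3}" -f $stamp, $Proc.Id, $Proc.ProcessName, $_.Exception.Message)
    }
}

$before = Get-CpuSnapshot
while ($true) {
    Start-Sleep -Seconds $IntervalSeconds
    $procs = @(Get-Process -ErrorAction SilentlyContinue |
               Where-Object { $Exclude -notcontains $_.ProcessName })

    # 1. Fan-out check: too many live instances of one image name.
    $procs | Group-Object ProcessName | Where-Object { $_.Count -gt $MaxPerName } | ForEach-Object {
        $reason = "$($_.Count) live instances of $($_.Name)"
        foreach ($p in $_.Group) { Set-IdlePriority -Proc $p -Reason $reason }
    }

    # 2. CPU check: processor time consumed over the interval, as a percentage of
    #    one core. A PID reused by a new process between samples yields a negative
    #    delta and is simply not flagged this round.
    $after = Get-CpuSnapshot
    foreach ($p in $procs) {
        if (-not ($before.ContainsKey($p.Id) -and $after.ContainsKey($p.Id))) { continue }
        $usedSeconds = ($after[$p.Id] - $before[$p.Id]).TotalSeconds
        $pct = 100 * $usedSeconds / $IntervalSeconds
        if ($pct -gt $CpuPercent) {
            Set-IdlePriority -Proc $p -Reason ("{0:N0}% of one core over {1}s" -f $pct, $IntervalSeconds)
        }
    }

    # Forget PIDs that have exited so a reused PID is re-evaluated later.
    foreach ($id in @($throttled.Keys)) {
        if (-not $after.ContainsKey($id)) { $throttled.Remove($id) }
    }
    $before = $after
}
```

Run it from an elevated prompt (or register it as a service with a wrapper) so it can open other users' processes; it will only ever lower priority, never terminate, and it skips anything it cannot open. Lowering priority keeps an interactive session responsive but does not stop a self-respawning batch from consuming process slots, which is why a reactive watchdog is a fallback rather than a quota: Windows does provide per-job quotas through job objects (limits on active process count and job CPU time), and confining untrusted sessions to a job is the preventive counterpart to the monitoring shown here.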
Current thread:
- Win2K Local DoS? Kevin Stephenson (Aug 03)
- Re: Win2K Local DoS? Dimitry Andric (Aug 03)
- Re: Win2K Local DoS? Alexander Sanda (Aug 03)
- Re: Win2K Local DoS? LordRaYden (Aug 05)
- <Possible follow-ups>
- Re: Win2K Local DoS? Oliver Friedrichs (Aug 03)
- Re: Win2K Local DoS? Maxime Rousseau (Aug 05)
- Re: Win2K Local DoS? Dimitry Andric (Aug 05)
- Re: Win2K Local DoS? Kevin Stephenson (Aug 06)
- Re: Win2K Local DoS? Mikael Olsson (Aug 08)
- Re: Win2K Local DoS? Nicolas Rachinsky (Aug 09)
- Re: Win2K Local DoS? Dimitry Andric (Aug 05)
- Re: Win2K Local DoS? pantera (Aug 05)
- Re: Win2K Local DoS? bfiero (Aug 09)
- Re: Win2K Local DoS? Timothy J. Miller (Aug 10)
- Re: Win2K Local DoS? Richard Rager (Aug 14)
- Re: Win2K Local DoS? Timothy J. Miller (Aug 10)