Vulnerability Development mailing list archives

Re: Win2K Local DoS?


From: Dimitry Andric <dim () XS4ALL NL>
Date: Sat, 5 Aug 2000 19:19:37 +0200

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 2000-08-04 at 10:14 Maxime Rousseau wrote:

Oliver Friedrichs says:
! Once you have execute permission on a Windows system there's not
! a lot limiting you from using resources.

Very true, I fail to see the use of a local DoS. If you want to kill
the machine the 'shutdown' feature comes to mind.

Only in Windows 2000 Professional do normal users have the privilege
to shutdown the machine, but this can be revoked by an administrator.
Normally that's a moot point, since the plug can always be pulled, of
course. :-)

But if you consider Windows 2000 (Advanced) Server, which also
includes Terminal Services, this really can be an effective DoS,
since you can keep the CPU at 100%, and refuse to log out. Then
again, you could also do this with a main(){for(;;);} type thingy. I
am not aware of any option to set CPU quota in Windows 2000, but
please correct me if I'm wrong.


Dimitry Andric says:
! It simply checks for some reserved names, such as services.exe,

To follow up on myself here, examination of the taskmgr.exe file
indicates that the list of "unkillable" processes consists of:
services.exe, smss.exe, winlogon.exe, csrss.exe and dllhost.exe.
Strangely lsass.exe and some others aren't even included, while
they're certainly critical. This now seems to be even more of a
last-minute hack from the taskmgr developers than I thought at first.
;-)


However, I'm not quite sure I understand how you would not be able
to use an OpenProcess() for something called services.exe.

OpenProcess() is called with a process id, not with a name. You
lookup the pid in the task manager list, pass it to OpenProcess() to
get a handle, and pass that to TerminateProcess() to finish off the
process. However, even as an administrator, calling OpenProcess()
with the pid of most of these system processes will fail with an
"Access denied" error. So you can't terminate those processes in this
manner (there are other ways, though). The NT4 version of Task
Manager just displays these errors if you try to kill any of the
system processes.


IMHO, this is a rather serious flaw in the task manager. Imposing
restrictions or assuming a critical process by a string match on its
name is not even bad, it's downright evil (I wonder if I rename my
account administrator... heh). Maybe someone should contact MS?

I think they'll just say that if you have local access, you can DoS
the machine anyway. The only argument for removing this "feature" is
that it's prone to misuse by trojans and the like. You couldn't kill
services.exe anyway, so it can only be called superfluous.

Cheers,
- --
Dimitry Andric <dim () xs4all nl>
PGP key: http://www.xs4all.nl/~dim/dim.asc
KeyID: 4096/1024-0x2E2096A3
Fingerprint: 7AB4 62D2 CE35 FC6D 4239 4FCD B05E A30A 2E20 96A3

-----BEGIN PGP SIGNATURE-----
Version: Encrypted with PGP Plugin for Calypso
Comment: http://www.gn.apc.org/duncan/stoa_cover.htm

iQA/AwUBOYw+mbBeowouIJajEQKOFwCaAgXojCfYFYP7qBdhFlTyKt1IVLYAn1Iv
1EOhRF0Bwm1z5PtRn+oxyJhy
=QmuF
-----END PGP SIGNATURE-----
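The pid-then-handle sequence Dimitry describes (look up the pid, OpenProcess() it, hand the handle to TerminateProcess(), and watch OpenProcess() come back with "Access denied" for the system processes), placed next to the string-match list he pulled out of taskmgr.exe, as an added PowerShell example that is not part of the original post and not Microsoft's code. The five names in the blacklist are the ones quoted in the post; the target names tried at the bottom and the helper names are assumptions for illustration. Note that the result of OpenProcess() depends on the calling token: a process whose DACL refuses an administrator can still be opened once SeDebugPrivilege is enabled, which is the kind of "other way" the post alludes to.

```powershell
# Added example, not from the original post: open a process by pid with
# PROCESS_TERMINATE and report whether the kernel refuses the handle, next to
# the name-only check Task Manager applies. Target names below are assumed.

Add-Type -Namespace Win32 -Name Proc -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true)]
public static extern IntPtr OpenProcess(uint dwDesiredAccess, bool bInheritHandle, uint dwProcessId);
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool TerminateProcess(IntPtr hProcess, uint uExitCode);
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool CloseHandle(IntPtr hObject);
'@

$PROCESS_TERMINATE   = 0x0001   # access right TerminateProcess() needs on the handle
$ERROR_ACCESS_DENIED = 5        # Win32 error the post reports for system processes

# The "unkillable" names the post found in taskmgr.exe. Task Manager matches
# on this string only, so lsass.exe is not covered and any binary renamed
# to one of these names is.
$TaskmgrBlacklist = @('services.exe', 'smss.exe', 'winlogon.exe', 'csrss.exe', 'dllhost.exe')

function Test-TaskmgrWouldRefuse {
    param([string]$ImageName)
    return $TaskmgrBlacklist -contains $ImageName.ToLower()
}

function Test-OpenForTerminate {
    # Tries the real check: OpenProcess(PROCESS_TERMINATE) on a pid. Only
    # calls TerminateProcess() when -Kill is given.
    param([uint32]$ProcessId, [switch]$Kill)

    $h   = [Win32.Proc]::OpenProcess($PROCESS_TERMINATE, $false, $ProcessId)
    $err = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
    if ($h -eq [IntPtr]::Zero) {
        if ($err -eq $ERROR_ACCESS_DENIED) {
            return "pid $ProcessId`: OpenProcess(PROCESS_TERMINATE) -> ERROR_ACCESS_DENIED"
        }
        return "pid $ProcessId`: OpenProcess failed, Win32 error $err"
    }
    try {
        if ($Kill) {
            if ([Win32.Proc]::TerminateProcess($h, 1)) { return "pid $ProcessId`: terminated" }
            $err = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
            return "pid $ProcessId`: TerminateProcess failed, Win32 error $err"
        }
        return "pid $ProcessId`: handle with PROCESS_TERMINATE obtained (not killing)"
    }
    finally {
        [void][Win32.Proc]::CloseHandle($h)
    }
}

# Usage: the pid has to be resolved from the name first, because OpenProcess()
# itself knows nothing about names. Sample targets are an assumption.
foreach ($name in 'services.exe', 'lsass.exe', 'notepad.exe') {
    $base    = [IO.Path]::GetFileNameWithoutExtension($name)
    $refused = Test-TaskmgrWouldRefuse $name
    foreach ($p in Get-Process -Name $base -ErrorAction SilentlyContinue) {
        '{0,-13} taskmgr-name-blocked={1,-5} {2}' -f $name, $refused, (Test-OpenForTerminate -ProcessId $p.Id)
    }
}
```

Run it from a non-elevated and an elevated console and compare the two columns: the first is decided entirely by the string in the process list, the second by the process object's DACL and the caller's token, which is why the two disagree for lsass.exe and for anything a trojan names services.exe.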
