Vulnerability Development mailing list archives
Re: Win2K Local DoS?
From: Dimitry Andric <dim () XS4ALL NL>
Date: Sat, 5 Aug 2000 19:19:37 +0200
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 2000-08-04 at 10:14 Maxime Rousseau wrote:

Oliver Friedrichs says:
! Once you have execute permission on a Windows system there's not
! a lot limiting you from using resources.

Very true, I fail to see the use of a local DoS. If you want to kill the machine the 'shutdown' feature comes to mind.
Only in Windows 2000 Professional do normal users have the privilege to shut down the machine, but this can be revoked by an administrator. Normally that's a moot point, since the plug can always be pulled, of course. :-) But if you consider Windows 2000 (Advanced) Server, which also includes Terminal Services, this really can be an effective DoS, since you can keep the CPU at 100%, and refuse to log out. Then again, you could also do this with a main(){for(;;);} type thingy. I am not aware of any option to set CPU quota in Windows 2000, but please correct me if I'm wrong.

Dimitry Andric says:
! It simply checks for some reserved names, such as services.exe,
To follow up on myself here, examination of the taskmgr.exe file indicates that the list of "unkillable" processes consists of: services.exe, smss.exe, winlogon.exe, csrss.exe and dllhost.exe. Strangely, lsass.exe and some others aren't even included, while they're certainly critical. This now seems to be even more of a last-minute hack from the taskmgr developers than I thought at first. ;-)

However I'm not quite sure I understand how you would not be able to use an OpenProcess() for something called services.exe.

OpenProcess() is called with a process id, not with a name. You look up the pid in the task manager list, pass it to OpenProcess() to get a handle, and pass that to TerminateProcess() to finish off the process. However, even as an administrator, calling OpenProcess() with the pid of most of these system processes will fail with an "Access denied" error. So you can't terminate those processes in this manner (there are other ways, though). The NT4 version of Task Manager just displays these errors if you try to kill any of the system processes.

IMHO, this is a rather serious flaw in the task manager. Imposing restrictions or assuming a critical process by a string match on its name is not even bad, it's downright evil (I wonder if I rename my account administrator... heh). Maybe someone should contact MS?

I think they'll just say that if you have local access, you can DoS the machine anyway. The only argument for removing this "feature" is that it's prone to misuse by trojans and the like. You couldn't kill services.exe anyway, so it can only be called superfluous.

Cheers,
- --
Dimitry Andric <dim () xs4all nl>
PGP key: http://www.xs4all.nl/~dim/dim.asc
KeyID: 4096/1024-0x2E2096A3
Fingerprint: 7AB4 62D2 CE35 FC6D 4239 4FCD B05E A30A 2E20 96A3

-----BEGIN PGP SIGNATURE-----
Version: Encrypted with PGP Plugin for Calypso
Comment: http://www.gn.apc.org/duncan/stoa_cover.htm

iQA/AwUBOYw+mbBeowouIJajEQKOFwCaAgXojCfYFYP7qBdhFlTyKt1IVLYAn1Iv
1EOhRF0Bwm1z5PtRn+oxyJhy
=QmuF
-----END PGP SIGNATURE-----
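The point Dimitry makes above is that the name list compiled into taskmgr.exe is not what protects the system processes; the kernel's access check on the process object is, and that check is performed by OpenProcess() against a pid, not a name. The script below is an added example and is not part of the original thread or of any Microsoft code. It P/Invokes OpenProcess() with PROCESS_TERMINATE for every process and records whether the call succeeds or fails with ERROR_ACCESS_DENIED, then closes the handle; it never calls TerminateProcess(). The function name Test-TerminateAccess and the Win32.Native wrapper type are this example's own. It assumes a current Windows with PowerShell 5 or later; which processes report ACCESS_DENIED depends on the Windows version and on the token of the user running it.

```powershell
# Added example (not from the original thread): probe, per pid, whether the
# caller can obtain a PROCESS_TERMINATE handle via OpenProcess(). The handle
# is closed immediately; nothing is terminated.
Add-Type -Namespace Win32 -Name Native -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true)]
public static extern IntPtr OpenProcess(uint dwDesiredAccess, bool bInheritHandle, uint dwProcessId);
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool CloseHandle(IntPtr hObject);
'@

$PROCESS_TERMINATE   = 0x0001   # access right Task Manager needs to kill a process
$ERROR_ACCESS_DENIED = 5        # Win32 error code behind the "Access denied" message

function Test-TerminateAccess {
    # Returns 'OPENABLE', 'ACCESS_DENIED' or 'ERROR_<n>' for the given pid.
    param([Parameter(Mandatory)][int]$ProcessId)

    $h = [Win32.Native]::OpenProcess($PROCESS_TERMINATE, $false, [uint32]$ProcessId)
    if ($h -eq [IntPtr]::Zero) {
        $err = [System.Runtime.InteropServices.Marshal]::GetLastWin32Error()
        if ($err -eq $ERROR_ACCESS_DENIED) { return 'ACCESS_DENIED' }
        return "ERROR_$err"
    }
    [void][Win32.Native]::CloseHandle($h)
    return 'OPENABLE'
}

# Walk the process list by pid (as Task Manager does) and report the kernel's
# answer, so the result can be compared with taskmgr's hard-coded name list.
Get-Process | Sort-Object Id | ForEach-Object {
    [pscustomobject]@{
        Pid             = $_.Id
        Name            = $_.ProcessName
        TerminateHandle = (Test-TerminateAccess -ProcessId $_.Id)
    }
} | Format-Table -AutoSize
```

Run it once as a normal user and once from an elevated prompt and compare the two tables: the rows that flip from ACCESS_DENIED to OPENABLE are the ones whose protection came from the caller's privileges, while rows that stay ACCESS_DENIED even when elevated are protected by the object's own security, independent of what the binary is called.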