List:       bugtraq
Subject:    NT vulnerable to attack on CPU
From:       Aleph One <aleph1 () dfw ! net>
Date:       1996-12-19 13:40:58

http://www.pcweek.com/news/1216/18ent.html

   December 18, 1996 5:45 PM ET
   _NT vulnerable to attack on CPU_
   _By Eamonn Sullivan_

     Errors in the way Windows NT schedules concurrently running
   applications leave it vulnerable to a simple, but very effective,
   denial of service attack, according to a Windows NT expert.

   "This is a wide-open hole just waiting for exploitation by an ActiveX
   control," said Mark Russinovich, a consulting associate with Open
   Systems Resources Inc. who discovered the vulnerability this week. The
   flaw is particularly serious, since it can be easily exploited by an
   ActiveX control or by a Netscape plug-in.

   Russinovich wrote a simple utility that, while running with no special
   security privileges, is able to take complete control of any Windows
   NT server or workstation, rendering it useless for any other
   applications. The algorithm used by Windows NT to protect itself
   against such CPU-hogging attacks appears to be seriously flawed and
   ineffective, Russinovich said.

   The source code for the utility, which is called CpuHog, is available
   on the Web at www.ntinternals.com.

   _How it works_

   Basically, Russinovich's program exploits a vulnerability in the way
   Windows NT schedules the execution of processes.

   Applications can set their own priority level, which affects how often
   Windows NT allows those applications to run. An application running
   under a user account with administrative privileges can set its
   priority to any of 32 levels, with the highest level giving it more
   time slices. Applications running under accounts without
   administrative privileges can set their priority to any of the first
   16 of those levels.

   CpuHog sets its priority to the highest level available, which is
   level 16 when run by a normal user. Windows NT attempts to deal with
   CPU-hogging applications by boosting the priority of other
   applications. However, Russinovich found that Windows NT will only
   boost applications as high as level 15. Thus, all other applications -
   even system utilities such as Task Manager - never get a chance to
   execute while CpuHog is running.

   PC Week Labs was able to duplicate Russinovich's findings. When run on
   Windows NT 4.0, for example, the only way to regain control once
   CpuHog was executed was to reset the PC.

   _Old problem_

   Hogging the CPU is one of the oldest known forms of denial of service
   attack. So old, in fact, that many operating systems have developed a
   defense. Many forms of Unix allow administrators to set limits on CPU
   usage by user - limiting any one user to 50 percent of available CPU
   cycles, for example.

   Almost all forms of Unix also automatically decrease the priority of
   the highest-priority processes when applications become starved for
   CPU time, which is the opposite of what Windows NT does.

   Russinovich said Microsoft could get around the problem fairly easily
   in one of two ways: Either increase the maximum priority given to
   other, CPU-starved applications above level 15, or increase the
   priority of the Task Manager above level 16, so that it can be used to
   end CPU-hogging applications.

   Microsoft officials contacted for this story did not have a comment,
   other than to say they are researching the problem.

   _Copyright(c) 1996 Ziff-Davis Publishing Company. All rights reserved.
   Reproduction in whole or in part in any form or medium without express
   written permission of Ziff-Davis Publishing Company is prohibited. PC
   Week and the PC Week logo are trademarks of Ziff-Davis Publishing
   Company. PC Week Online and the PC Week Online logo are trademarks of
   Ziff-Davis Publishing Company._
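
Added example (not part of the original message or the PC Week article, and not NT code): a toy strict-priority scheduler that reproduces the starvation described under "How it works" and both fixes Russinovich proposes. The levels 16 and 15 come from the article; the other base priorities, the tick model, the starvation threshold and Task Manager's duty cycle are assumptions.

```python
# Toy model of the scheduling behaviour the article describes (not NT code).
from dataclasses import dataclass

@dataclass
class Thread:
    name: str
    base: int            # base priority level
    period: int = 1      # wants the CPU one tick in every `period` (1 = CPU-bound)
    boost: int = 0       # temporary anti-starvation priority (0 = none)
    waited: int = 0      # ticks spent ready but not running
    ran: int = 0         # ticks of CPU received
    ready: bool = False

def simulate(threads, ticks=1000, boost_cap=15, starve_after=40):
    """Each tick, the ready thread with the highest priority runs."""
    for tick in range(ticks):
        for t in threads:
            if tick % t.period == 0:
                t.ready = True                      # thread has work to do
            if t.ready and t.waited >= starve_after:
                t.boost = boost_cap                 # boost is capped, as in the article
        ready = [t for t in threads if t.ready]
        # Ties go to the thread that has waited longest.
        current = max(ready, key=lambda t: (max(t.base, t.boost), t.waited))
        for t in ready:
            t.waited += 1
        current.ran += 1
        current.waited = current.boost = 0          # boost is used up once it runs
        current.ready = False                       # re-armed on its next period
    return {t.name: t.ran for t in threads}

def scenario(boost_cap=15, taskmgr_base=13):
    # Constructed workload: hog at level 16 (article); 13, 8 and period=10 are assumed.
    threads = [Thread("cpuhog", 16),
               Thread("taskmgr", taskmgr_base, period=10),
               Thread("app", 8)]
    return simulate(threads, boost_cap=boost_cap)

if __name__ == "__main__":
    print("boost capped at 15:", scenario())
    print("fix 1, boost to 17:", scenario(boost_cap=17))
    print("fix 2, taskmgr at 17:", scenario(taskmgr_base=17))
```

In this model the second fix lets Task Manager run whenever it has work, but the ordinary application stays starved until the hog is ended.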

