
List:       bugtraq
Subject:    Re: [NTSEC] CPU Usage, Known NT 4.0 Security bugs
From:       Aleph One <aleph1 () DFW ! NET>
Date:       1997-01-25 12:22:55

At 10:30 PM 1/24/97 -0500, Russ wrote:
>After exploiting INETINFO and driving it to 100%, I then launched Excel
>on the same machine. Utilization never dropped below 100% and Excel took
>far longer to start than normal. After starting it, I shut it down,
>still no dropback. I started IIS Manager to see if the exploited
>INETINFO would allow me, it did, and I was able to start and stop
>services, all without affecting the 100% utilization. Finally, I stopped
>all the IIS services and immediately the INETINFO process disappeared
>and utilization was normal. Starting the IIS services was successful,
>and INETINFO started up again normally.
>
>This bug is not in INETINFO, I know that for sure. There is no doubt the
>process will peg the CPU at 100% until it's stopped and does in fact tax
>the CPU to 100%. As with the RPC bug, other processes can continue to
>function as the pegged thread is at priority 8, again.
>
>All of this testing has been done on NT 4.0 Server with SP2 and all 3
>public fixes (that means with the kernel, ras, and rpc hot fixes).
>
>Could someone please test this on their own IIS machine running on NT
>3.51, do a portscan between 1020 and 1070 typically, and the first port
>you find that responds, try the telnet to. Please, only do this to your
>own machine. I very much need to know if this bug affects 3.51 machines
>or not.

  Yes, it is affected. I've tested on an NT Server 3.51 Build 1057 SP 4 (no
hotfixes), with IIS 1.0 (probably 1.0D Build 157, but I'm not sure).

  But it has a slightly different behaviour:

  CPU goes to 100%, but the main responsible is TCPSVCS, with 75%-80% of
CPU time.

  Netstat shows:

---------
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    helen:1028             localhost:1324         CLOSE_WAIT
----------


  IIS seems to be running normally (services and manager). Stopping and
restarting it does nothing to CPU utilization.

>
>Speaking of which, can anyone confirm for sure that the RPC bug affected
>their 3.51 machine? Obviously the message sent out from Microsoft was

  Yes, tested on the same computer.

>that it only affected 4.0 machines, but I had a few people tell me they
>saw it on their 3.51 boxes, but when pushed for confirmation, they
>haven't responded.



  Erich Siedler
  erich.siedler@omninet.com.br
