Windows Detected
Impact
A Windows operating system has been detected, which may be vulnerable to one or more
Denial of Service (DoS) attacks. Windows 95/98 and Windows NT 3.51/4.0 are vulnerable to these
DoS attacks.
Background
Windows operating systems are vulnerable to a number of Denial of Service attacks, most of which
cause target systems to lose connectivity to the Internet, and in some cases may cause the loss of
sensitive data and/or files. For informational purposes, several of these DoS attacks are listed below.
WWDSI has written up advisories of many Denial of Service attacks, such as Boink, Bonk, Jolt, Land,
Nestea, Newtear, Syn Flooding, Teardrop, WinNuke and Smurf/Fraggle.
Other attacks that WWDSI has not yet written advisories for include:
- Out of Band (OOB) data attacks: Windows machines that allow access to port 139 may be
vulnerable to this type of attack. Essentially, a hacker connects to port 139, usually with telnet, and
then sends a specific amount of data to the port. The result is that Windows NT machines will crash and
indicate a problem in TCPIP.SYS. Windows 95 machines may or may not crash. In both cases, a simple
reboot is usually enough to fix the problem. Microsoft's DNS program may also be at risk from these
types of attacks (on port 53). Read NT Security's
OOB Attacks page for information on this attack and possible fixes and/or workarounds for this
vulnerability.
- SMS Vulnerability: Recently, WWDSI discovered a vulnerability in Microsoft's SMS
(Systems Management Server). Specifically, if the SMS UDP ports (1761, 1762 and possibly others)
are scanned, the SMS process will progressively occupy more and more space in virtual memory, until
none is left for other applications. If the SMS process is left unchecked, the system will eventually
crash in 1 to 12 hours. Microsoft has been alerted to the presence of this vulnerability, but
there is no estimated time as to when a patch will be available. As of this writing, no workarounds
for this vulnerability have been identified.
- Exchange Internet Mail Service DoS Attack: Vulnerabilities have been identified in the
Exchange Internet Mail Service (IMS), which uses the SMTP protocol, and the Information Store, which
uses the NNTP protocol. Essentially, the problem occurs when certain commands are fed to the two
services named above. An attacker exploiting these vulnerabilities can crash a Microsoft
Exchange Server over the network, which in turn will stop e-mail and other services that Exchange
provides for the organization. The recommended fix for these vulnerabilities is to install patches
for the affected versions, 5.0/5.5. Read the FEDCIRC Exchange Vulnerability page for more
information. Also, visit the Microsoft Knowledge Base and read articles Q188369 and Q188341 for
more information and to get the patches.
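For the OOB item above: TCP out-of-band data is carried in segments with the URG flag set, so a sensor can flag such segments addressed to the ports named there (139 and 53). The following is an added example, not WWDSI code; the function names and sample segments are constructed for illustration, and it assumes urgent data is not expected on those ports.

```python
import struct

# Ports the page names for OOB attacks: NetBIOS session service (139) and DNS (53).
WATCHED_PORTS = {139, 53}
URG = 0x20  # URG bit within the TCP flags field


def parse_tcp_header(segment: bytes):
    """Return the header fields the check needs, or None for a truncated/invalid header."""
    if len(segment) < 20:
        return None
    src, dst, _seq, _ack, off_flags, _win, _csum, urg_ptr = struct.unpack(
        "!HHIIHHHH", segment[:20])
    header_len = (off_flags >> 12) * 4  # data offset is counted in 32-bit words
    if header_len < 20 or header_len > len(segment):
        return None
    return {"src_port": src, "dst_port": dst, "flags": off_flags & 0x1FF,
            "urgent_pointer": urg_ptr, "payload_len": len(segment) - header_len}


def classify(segment: bytes) -> str:
    """Label one TCP segment: 'truncated', 'oob-to-watched-port' or 'ok'."""
    hdr = parse_tcp_header(segment)
    if hdr is None:
        return "truncated"
    # Assumption of this example: urgent data is not expected on these ports.
    if hdr["dst_port"] in WATCHED_PORTS and hdr["flags"] & URG:
        return "oob-to-watched-port"
    return "ok"


def build_segment(src_port, dst_port, flags, urgent_pointer=0, payload=b""):
    """Build a constructed TCP segment (20-byte header, no options) for the samples."""
    off_flags = (5 << 12) | flags
    return struct.pack("!HHIIHHHH", src_port, dst_port, 0, 0, off_flags,
                       8192, 0, urgent_pointer) + payload


# Constructed sample segments (not captured traffic).
SAMPLES = [
    build_segment(1025, 139, 0x18 | URG, 3, b"abc"),         # PSH|ACK|URG to port 139
    build_segment(1026, 139, 0x18, 0, b"\x81\x00\x00\x00"),  # ordinary data to port 139
    build_segment(1027, 53, 0x10 | URG, 1, b"x"),            # ACK|URG to port 53
    build_segment(1028, 23, 0x18 | URG, 1, b"x"),            # URG to telnet: not watched
    b"\x00" * 10,                                            # truncated header
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(classify(sample))
```
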
The Problem
While this page was not intended to give an exhaustive listing of all relevant Denial of Service
attacks to which Windows operating systems may be vulnerable, those listed are perhaps the most
popular in the hacker community. The main problem in defending systems and networks against these
and other types of attacks is a lack of information, and thus, a lack of understanding of the risks
presented by hackers and malicious users.
Resolution
WWDSI strongly encourages its customers to stay abreast of the emerging threats posed by hackers
and malicious users. We also strongly encourage customers to study and understand security issues
in general, and security measures to implement on specific operating systems. Listed below are several links
to sites that we have found useful in our efforts to promote good security habits. Oftentimes,
keeping ahead of the security curve can feel like a full-time job, but in the end the old saying
is still true: an ounce of prevention is worth a pound of cure. The best weapon against hackers and
malicious users is knowledge, applied in a timely manner.
Where can I read more about this?
An excellent source of information is Rootshell, a
catch-all site which warehouses literally hundreds of known exploits and hacker programs.
Rootshell comes complete with a very nice search utility which should make finding specific
information simple. Another wonderful source for information on exploits and Denial of Service
attacks is the ircHelp site. To keep abreast of existing and emerging Denial of Service
attacks, and other security threats, visit the
Microsoft Security Advisor, the
Windows Central Bug Site and/or CERT. If information
on a specific attack is not located on these sites, keep checking back as they
are updated frequently.
Oftentimes, it is necessary to consort with the enemy when trying to research various security
threats. Some very nice hacker sites include AntiOnline,
Phrack and 2600. A
comprehensive listing of "underground", or hacker, sites may be found on the
COAST web site.
As always, it is a good idea to do some research for new sites that may be created. A search on
keyword "hacker" or "exploits" on any Internet search engine should yield an abundance of sites
dealing with both security and exploits/Denial of Service attacks.