mailing list archives
New DOS exploit for NT and Win95 (CONFIRMED?)
From: aleph1 () DFW NET (Aleph One)
Date: Thu, 8 Jan 1998 10:05:58 -0600
---------- Forwarded message ----------
Date: Thu, 08 Jan 1998 01:52:43 -0700
From: Jiva DeVoe <jiva () devware com>
To: ntsecurity () iss net
Subject: [NTSEC] New DOS exploit for NT and Win95 (CONFIRMED)
This is just an FYI. I have confirmed and reproduced a new Denial of
Service exploit for Windows NT and Windows95. Under Windows NT this
exploit causes a proverbial BSOD, under Windows95, this causes an
exception in IFSMGR.VXD.
This exploit has been reported to Microsoft!
Without putting out a blueprint of how to cause this. This is a
modified teardrop attack. (NOTE: This DOES affect machines patched
against teardrop) It utilizes UDP packets with altered headers. I have
also provided Microsoft with source code to this exploit.
Any workaround that would have been implemented against teardrop should
work against this issue. By default, the UDP packets used in this
exploit are aimed at very high port numbers. So perhaps by blocking UDP
packets destined for high port numbers, you might be able to prevent
this attack. However, since it can be aimed at any port, a clever user
could get around filters such as this. I'd be happy to talk to anyone
about other alternatives for working around this issue.
Please feel free to repost this to NTBUGTRAQ (I'm not on that list) or
wherever else you choose.
jiva () devware com