
WIN : Denial of Service attack, and fixes


<BASE HREF="http://www.secant.net/">

<TITLE>Secant Computing Systems, Incorporated</TITLE>
<FONT FACE="Verdana, Arial" SIZE=3>
Microsoft Windows NT and 95 Port 139 Fix - Sunday, May 11, 1997; 7:51 PM<BR>
<FONT SIZE=4><B>Background Information and Solutions</B></FONT><BR>
<I>Written by <A HREF="mailto:webmaster@secant.net">Brett A. Erkman</A></I>
<UL>
<LI><A HREF="#Background">Information about the Port 139 Bug</A>
<LI><A HREF="#WinNT">Windows NT 4.0 Fixes</A>
<LI><A HREF="#Win95">Windows 95 Fixes</A>
<LI><A HREF="#Sniffer">Attack Detection Programs</A>
</UL>
<A NAME="Background"></A>
<FONT SIZE=3><B>Information about the Port 139 Bug</B></FONT>
 - Courtesy of <A HREF="mailto:bugtraq@netspace.org">bugtraq@netspace.org</A><BR>
It is possible to remotely trigger a bug on any Windows 95 or Windows NT
system which has rather unpleasant ramifications. It is done by sending OOB
(Out Of Band) data to an established connection with a Windows user. NetBIOS
[139] seems to be the most effective since this is a part of Windows.
Apparently Windows doesn't know how to handle OOB, so it panics and crazy
things happen. Reports have been heard of everything from Windows dropping
carrier to the entire screen turning white. Windows also sometimes has trouble
handling anything on a network at all after an attack like this. A reboot
fixes whatever damage this causes.<P>
<A NAME="WinNT"></A>
<FONT SIZE=3><B>Windows NT 4.0 Fixes</B></FONT><HR>
There are currently three temporary solutions to the port attack described
above. The first two disable WINS and should only be used if the user only
networks with Dial-Up Networking and is not connected via a local area
network. The third solution filters ports to intercept data going to port 139
and is only usable when the computer is a member of a local area network,
since it requires a networking adapter (network card) to be present in the
system. If a user is unsure of what their networking configuration is,
<B>please</B> have them contact a system/network administrator for advice.<P>
<B><U>The Kegs Approach</U></B> - Courtesy of <A HREF="mailto:kgamard@goodnet.com">Keith Gamard</A><BR>
<IMG SRC="network.gif" ALT="Binding Configuration" HEIGHT=455>
<UL>
<LI>Go into Control Panel -> Network -> Bindings Tab
<LI>Drop down the list for "Show Bindings for:" and select "all adapters"
<LI>Find the WAN Wrapper that says "Remote Access WAN Wrapper"
<LI>Expand it so you see WINS Client(TCP/IP)
<LI>Select the WINS Client(TCP/IP) and click the Disable button
<LI>Reboot System
</UL>
Note: When you log into NT4, you will get a message window that says certain
services or drivers didn't start. This is ok and will happen each time you
reboot, but shouldn't happen if you log into another account.<P>
<P><HR WIDTH="50%">
<B><U>The [Stang] Approach</U></B> - Courtesy of <A HREF="mailto:mikebac@webzone.net">Mike Bacher</A><BR>
<UL>
<LI>Go to Control Panel -> Devices
<LI>Scroll down to the bottom of the list and find WINS Client (TCP/IP)
<LI>Click Startup and change it to Disabled, then click Close
<LI>Reboot System
</UL>
<IMG SRC="device.gif" ALT="Disabling WINS Client" HEIGHT=199>
This method accomplishes what the above solution does in a much cleaner
manner, for it will only produce errors if no other protocols are installed.
However, it could prove disastrous for several users on local area networks
who use the WINS TCP/IP client, so please be careful and check with a system
administrator if necessary.
<P><HR WIDTH=3D"50%">
<B><U>The Port Blocking Approach</U></B> - Courtesy of the EFnet #WindowsNT Ops<BR>
Windows NT 4.0 provides an option to filter ports as necessary, which can be
used to block traffic with a destination of port 139. Keep in mind that like
the above solutions, this method will negate NetBIOS (particularly nbsession)
traffic and could cause unwanted effects.
<UL>
<LI>Go to Control Panel -> Network -> Protocols -> TCP/IP Protocol and click "Properties..."
<LI>In the IP Address tab, click the "Advanced..." button
<LI>In the Advanced TCP/IP Properties dialog box, choose to block port access and specify which ports to leave open for use.
<LI>Click OK out of the Network applet and reboot the system.
</UL>
<A NAME="Win95"></A>
<FONT SIZE=3><B>Windows 95 Fixes</B></FONT><HR>
A recent contribution from the Undernet #Windows95 described the following
procedure, which is far better than the original solution posted below:
<UL>
<LI>Go to the <B>c:\windows\system</B> directory (where c:\windows is the Windows directory)
<LI>Find the file named <B>vnbt.386</B>
<LI>Rename the file to <B>vnbt.bak</B>
<LI>Reboot the system
</UL>
This will disable NetBIOS over TCP/IP support, which is the root of the
problem in the first place. The other parts of the NetBIOS subsystem are left
intact, which means that local area networks of which the computer is a member
will continue to function, provided TCP/IP is not being used for file sharing.
An additional benefit of this procedure is that no error messages are produced
about unloadable registry modules. In the event that problems are experienced,
simply rename the file back to <B>vnbt.386</B>.<P>
The original solution is documented below - thanks to <A HREF="mailto:aaronw@pobox.com">discord</A> and <A HREF="mailto:tack@cyber-space.net">tack@cyber-space.net</A>
<UL>
<LI>Go to the <B>c:\windows\system</B> directory (where c:\windows is the Windows directory)
<LI>Find the file named <B>vnetbios.vxd</B>
<LI>Rename the file to <B>vnetbios.bak</B>
<LI>Reboot the system; warning messages may appear
</UL>
Please be aware that this may disrupt other networking components on your
system, so please proceed with caution and simply rename the file back to
vnetbios.vxd if problems are experienced.
<A NAME="Sniffer"></A>
<FONT SIZE=3><B>Attack Detection Programs</B></FONT><HR>
These two small programs will display the hostnames of the systems currently
connected to port 139 on a user's system. Please notify the authors and not
Secant Computing Systems if any problems are experienced - we do not support
these programs and will not be held liable for any harm they cause, although
no negative points have been noticed to date.
<UL>
<LI><A HREF="http://home.earthlink.net/~skream/plisten.zip">Download</A>
Skream's Port Sniffer, 127 KB or <A HREF="mailto:skream@coca.net">Contact</A> the author.
<LI><A HREF="ftp://ftp.devware.com/nukedet/nukedet.zip">Download</A>
Dr. Bardo's Port Sniffer, 97 KB
</UL>
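The listed programs only show who is connected to port 139. An added example, not code from this page or from either sniffer, is a small Python detector for the traffic pattern described in the Background section: it parses raw IPv4/TCP headers and reports segments that carry urgent (OOB) data toward port 139. The packets it inspects are constructed inline, and the function names and sample addresses are assumptions; on a live host the same functions could be fed frames from a packet capture.

```python
import struct

NETBIOS_SESSION_PORT = 139  # nbsession, the port the attack above targets
TCP_URG = 0x20              # URG bit in the TCP flags field: OOB data present

def parse_ipv4_tcp(packet):
    """Return header fields of a raw IPv4/TCP packet, or None if it is not one."""
    if len(packet) < 20:
        return None
    ver_ihl, _, _, _, _, _, proto, _, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", packet[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or proto != 6 or len(packet) < ihl + 20:
        return None
    sport, dport, _, _, off_flags, _, _, urg_ptr = struct.unpack(
        "!HHIIHHHH", packet[ihl:ihl + 20])
    return {"src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)),
            "sport": sport, "dport": dport,
            "urg": bool(off_flags & TCP_URG), "urg_ptr": urg_ptr}

def oob_alerts(packets):
    """One alert string per segment carrying urgent (OOB) data to port 139."""
    alerts = []
    for pkt in packets:
        h = parse_ipv4_tcp(pkt)
        if h and h["dport"] == NETBIOS_SESSION_PORT and h["urg"]:
            alerts.append(f"OOB data to port 139 from {h['src']}:{h['sport']} "
                          f"-> {h['dst']} (urgent pointer {h['urg_ptr']})")
    return alerts

def build_packet(src, dst, sport, dport, flags, urg_ptr=0):
    """Constructed test input only: minimal IPv4+TCP headers, checksums zeroed."""
    tcp = struct.pack("!HHIIHHHH", sport, dport, 1, 1, (5 << 12) | flags,
                      8192, 0, urg_ptr)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes(int(o) for o in src.split(".")),
                     bytes(int(o) for o in dst.split(".")))
    return ip + tcp

# Constructed sample traffic (addresses are made up): one OOB segment to 139,
# one normal nbsession segment, one OOB segment to port 80, one truncated frame.
SAMPLE_PACKETS = [
    build_packet("10.0.0.5", "10.0.0.9", 40000, 139, 0x10 | TCP_URG, 3),
    build_packet("10.0.0.5", "10.0.0.9", 40001, 139, 0x10),
    build_packet("10.0.0.5", "10.0.0.9", 40002, 80, 0x10 | TCP_URG, 1),
    b"\x00" * 5,
]
```

Only the first sample produces an alert; the normal port 139 segment, the OOB segment to another port and the truncated frame are ignored.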
<I>Microsoft, Windows NT and Windows 95 are all registered trademarks of
<A HREF="http://www.microsoft.com">Microsoft Corporation</A>.<BR>
Please do not reproduce this page in any form, as the people at
My Desktop have so rudely done.</I>
<FONT SIZE="1" COLOR="#888888">
<B>Secant Computing Systems, Inc.</B><BR>
13 South Wolf Road, Suite 2132<BR>
Prospect Heights, Illinois 60070<BR>
Voice: 847/803-9976<BR>
E-mail: <A HREF="mailto:webmaster@secant.net">webmaster@secant.net</A><BR>
Copyright &#169; 1997 Secant Computing Systems, Inc.<BR>
May not be reproduced in whole or in part without express
consent of Secant Computing Systems, Inc.
</FONT>