[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

WIN : Access Violation in DNS.EXE Caused by Malicious Telnet Attack]

To: Multiple recipients of list <uci-winnt@uci.edu>
Subject: WIN : Access Violation in DNS.EXE Caused by Malicious Telnet Attack]
From: "Dan STROMBERG" <STROMBRG@uci.edu>
Date: Wed, 11 Jun 1997 14:49:30 -0700
Reply-to: STROMBRG@uci.edu
Sender: uci-winnt@uci.edu

This is a multi-part message in MIME format.

--------------6EF56B944B5C
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit

There are more general forms of this attack.

--------------6EF56B944B5C
Content-Type: message/rfc822
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

Received: from hydra.acs.uci.edu by nis.acs.uci.edu (8.8.5) id XAA06263; Tue, 10 Jun 1997 23:00:43 -0700 (PDT)
Received: from brimstone.netspace.org (brimstone.netspace.org [128.148.157.143]) by hydra.acs.uci.edu (8.8.5/8.7.1) with ESMTP id XAA22432; Tue, 10 Jun 1997 23:00:33 -0700 (PDT)
Received: from netspace.org ([128.148.157.6]) by brimstone.netspace.org with ESMTP id <34424-15688>; Wed, 11 Jun 1997 00:37:27 -0400
Received: from NETSPACE.ORG by NETSPACE.ORG (LISTSERV-TCP/IP release 1.8c) with
          spool id 4158731 for BUGTRAQ@NETSPACE.ORG; Wed, 11 Jun 1997 00:19:57
          -0400
Received: from brimstone.netspace.org (brimstone [128.148.157.143]) by
          netspace.org (8.8.5/8.8.2) with ESMTP id AAA18008 for
          <BUGTRAQ@netspace.org>; Wed, 11 Jun 1997 00:18:08 -0400
Received: from netspace.org ([128.148.157.6]) by brimstone.netspace.org with
          ESMTP id <33485-15689>; Wed, 11 Jun 1997 00:22:44 -0400
Approved-By: aleph1@UNDERGROUND.ORG
Received: from dfw.dfw.net (aleph1@dfw.dfw.net [198.175.15.10]) by netspace.org
          (8.8.5/8.8.2) with SMTP id TAA16112 for <bugtraq@netspace.org>; Tue,
          10 Jun 1997 19:25:32 -0400
Received: from localhost by  dfw.dfw.net (4.1/SMI-4.1) id AA13602; Tue, 10 Jun
          97 18:31:54 CDT
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Message-ID: <Pine.SUN.3.94.970610183119.12910E-100000@dfw.dfw.net>
Date: 	Tue, 10 Jun 1997 18:31:53 -0500
Reply-To: Aleph One <aleph1@dfw.net>
Sender: Bugtraq List <BUGTRAQ@netspace.org>
From: Aleph One <aleph1@dfw.net>
Subject:      Q169461: Access Violation in DNS.EXE Caused by Malicious Telnet
              Attack
To: BUGTRAQ@NETSPACE.ORG

DOCUMENT:Q169461    [winnt]
TITLE: Access Violation in DNS.EXE Caused by Malicious Telnet Attack
PRODUCT: Microsoft Windows NT
PROD/VER:4.00
OPER/SYS:WINDOWS
KEYWORDS:kbbug4.00 kbnetwork NTSrv nttcp

--------------------------------------------------------------------------
The information in this article applies to:

 - Microsoft Windows NT Server version 4.0
--------------------------------------------------------------------------

SYMPTOMS
========

You may receive an Access Violation in Dns.exe. This is most often occurs
on computers connected to public networks, such as the Internet, where
deliberate attacks are common.

CAUSE
=====

This particular attack is usually generated maliciously by typing the
following command on the attacking system:

   telnet <mycomputer> 19 | telnet <mycomputer> 53

This command causes a telnet connection to be established to port 19 (the
chargen service, which generates a string of characters) with the output
redirected to a telnet connection to port 53 (the DNS service.) This flood
of characters causes an Access Violation in the DNS service, which is
terminated, disrupting name resolution services.

RESOLUTION
==========

The Microsoft DNS Server has been modified to to correct this problem.
Obtain the following fix or wait for the next Windows NT service pack.

This hotfix has been posted to the following Internet location:

   ftp://ftp.microsoft.com/bussys/winnt/winnt-public/fixes/usa/NT40/
   hotfixes-postSP3/dns-fix

STATUS
======

Microsoft has confirmed this to be a problem in Windows NT version 4.0.
A supported fix is now available, but has not been fully regression-tested
and should be applied only to systems experiencing this specific problem.
Unless you are severely impacted by this specific problem, Microsoft
recommends that you wait for the next Service Pack that contains this fix.
Contact Microsoft Technical Support for more information.

Additional reference words: 4.00 prodnt denial of service dns telnet port
53

============================================================================

THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS
PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND.  MICROSOFT DISCLAIMS
ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES
OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.  IN NO
EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR
ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL,
CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF
MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE
POSSIBILITY OF SUCH DAMAGES.  SOME STATES DO NOT ALLOW THE EXCLUSION
OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES
SO THE FOREGOING LIMITATION MAY NOT APPLY.


--------------6EF56B944B5C--

Prev by Date: WIN : Bad Network Packet May Cause Access Violation (AV) on DNS Server]
Next by Date: WIN : Predictable Query IDs Pose Security Risks for DNS Servers]
Previous by thread: WIN : Bad Network Packet May Cause Access Violation (AV) on DNS Server]
Next by thread: WIN : Predictable Query IDs Pose Security Risks for DNS Servers]
Index(es):
- Date
- Thread