NT Login DOS

Summary
Description: Uh-Oh! NT isn't correctly checking its input. By sending an SMB logon request with an incorrect data length field you can blue screen the NT box.
Author: "Secure Networks Inc." <sni@SECURENETWORKS.COM>
Compromise: Yet another NT DOS attack
Vulnerable Systems: Windows NT 4.0 up to and including Service Pack 3
Date: 14 February 1998
Notes: It shouldn't be hard to write a quick exploit for this. Any volunteers? Just hack SAMBA login request code and experiment with different data lengths. If you do write one, please mail it to me (fyodor@nmap.org).
Details


Date: Sat, 14 Feb 1998 16:34:51 -0700
From: "Secure Networks Inc." <sni@SECURENETWORKS.COM>
To: BUGTRAQ@NETSPACE.ORG
Subject: SNI-25: Windows NT Denial of Service

It is not customary for Secure Networks Inc. to release advisories on
weekends, however a fix for the problem within this advisory was made
available on Friday, February 13.

                        ######    ##   ##    ######
                        ##        ###  ##      ##
                        ######    ## # ##      ##
                            ##    ##  ###      ##
                        ###### .  ##   ## .  ######.

                            Secure Networks Inc.

                             Security Advisory
                             February 14, 1998

                    Windows NT Logon Denial of Service


This advisory addresses a denial of service attack which can be launched
against Microsoft Windows NT servers.  When launched, this attack results
in a "Blue Screen", causing the Windows NT system to reboot.  This
vulnerability affects Windows NT systems, including systems which have
installed Service Pack 3 and all hotfixes.


Problem Description
~~~~~~~~~~~~~~~~~~~

Windows NT utilizes the SMB/CIFS protocol for network file sharing and
other communications.  To access the SMB/CIFS service on a Windows NT
system, a logon request is initiated.  Due to incorrect processing of
the SMB logon packet, memory corruption occurs within the Windows NT
kernel.  As a result of the corruption, a "Blue Screen" occurs and the
system reboots, or in some instances hangs on this screen.

This attack can be launched without a valid login and password, since
corruption occurs during processing of the logon request.


Technical Details
~~~~~~~~~~~~~~~~~

An SMB logon packet contains the following data:

  - Username
  - Password
  - Operating system
  - Lan Manager type
  - Domain

The SMB logon request contains the size of data which follows.  When the
size of data which is specified in the request does not correspond to the
size of data which is actually present, corruption occurs.
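The consistency check a correct SMB parser applies to this request, as an added example that is not code from the advisory or from Microsoft: it parses an SMB1 Session Setup AndX (logon) request, assuming the 13-word LM/NTLM layout, and rejects any packet whose ByteCount or password-length fields disagree with the bytes actually present. The builder only produces constructed in-memory fixtures for the validator; the account, domain and length values are made up.

```python
import struct

# SMB/CIFS (SMB1) wire-format constants used below.
SMB_MAGIC = b"\xffSMB"
SMB_COM_SESSION_SETUP_ANDX = 0x73   # the "logon" request
SMB_HEADER_LEN = 32                 # fixed-size SMB header
SESSION_SETUP_WORD_COUNT = 13       # LM/NTLM (non-extended-security) layout

def validate_session_setup(pkt: bytes) -> str:
    """Return 'ok', or the reason the request is malformed. Every declared
    length is checked against the bytes actually present before the data is
    used; this is the consistency check the advisory says NT did not make."""
    if len(pkt) < SMB_HEADER_LEN + 1 or pkt[:4] != SMB_MAGIC:
        return "truncated or not SMB"
    if pkt[4] != SMB_COM_SESSION_SETUP_ANDX:
        return "not a Session Setup AndX request"
    word_count = pkt[SMB_HEADER_LEN]
    if word_count != SESSION_SETUP_WORD_COUNT:
        return "unexpected WordCount %d" % word_count
    words_start = SMB_HEADER_LEN + 1
    params_end = words_start + 2 * word_count
    if len(pkt) < params_end + 2:
        return "truncated before ByteCount"
    # ByteCount (16-bit LE) declares how many data bytes follow it.
    (byte_count,) = struct.unpack_from("<H", pkt, params_end)
    actual = len(pkt) - (params_end + 2)
    if byte_count != actual:
        return "ByteCount %d but %d data bytes present" % (byte_count, actual)
    # OEMPasswordLen and UnicodePasswordLen sit at word offsets 14 and 16;
    # both password blobs must fit inside the declared data block.
    oem_len, uni_len = struct.unpack_from("<HH", pkt, words_start + 14)
    if oem_len + uni_len > byte_count:
        return "password lengths %d exceed data block %d" % (oem_len + uni_len, byte_count)
    return "ok"

def build_session_setup(password, user, domain, os_name, lanman,
                        declared_bytecount=None, declared_oem_len=None):
    """Constructed test fixture, not captured traffic. The optional arguments
    override the real lengths so the validator's rejection paths can be hit."""
    header = SMB_MAGIC + bytes([SMB_COM_SESSION_SETUP_ANDX]) + bytes(SMB_HEADER_LEN - 5)
    oem_len = len(password) if declared_oem_len is None else declared_oem_len
    # AndXCommand, AndXReserved, AndXOffset, MaxBufferSize, MaxMpxCount, VcNumber,
    # SessionKey, OEMPasswordLen, UnicodePasswordLen, Reserved, Capabilities
    words = struct.pack("<BBHHHHIHHII", 0xFF, 0, 0, 4356, 2, 0, 0, oem_len, 0, 0, 0)
    data = password + user + b"\0" + domain + b"\0" + os_name + b"\0" + lanman + b"\0"
    bc = len(data) if declared_bytecount is None else declared_bytecount
    return header + bytes([SESSION_SETUP_WORD_COUNT]) + words + struct.pack("<H", bc) + data
```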


Impact
~~~~~~

Malicious users can launch denial of service attacks against Microsoft
Windows NT systems.


Vulnerable Systems
~~~~~~~~~~~~~~~~~~

Systems which have been shown to be vulnerable to this attack include the
following:

 - Windows NT 4.0
 - Windows NT 4.0 with SP3 installed
 - Windows NT 4.0 with SP3 and hotfixes installed


Fix Information
~~~~~~~~~~~~~~~

Microsoft has issued a patch for Windows NT to solve this problem at
the following location:

ftp site : ftp.microsoft.com
directory: /bussys/winnt/winnt-public/fixes/usa/NT40/hotfixes-postSP3/srv-fix


Additional Information
~~~~~~~~~~~~~~~~~~~~~~

To the best of our knowledge no program to exploit this problem has been
made publicly available.

For additional information see Microsoft Knowledge Base article Q180963.

This problem was discovered by Oliver Friedrichs <oliver@securenetworks.com>.

You can browse our web site at http://www.secnet.com

You can subscribe to our security advisory mailing list by sending mail to
majordomo@secnet.com with the line "subscribe sni-advisories"

You can find Secure Networks papers at ftp://ftp.secnet.com/pub/papers
and advisories at ftp://ftp.secnet.com/advisories

You can contact Secure Networks Inc. at <sni@secnet.com> using
the following PGP key:

Type Bits/KeyID    Date       User ID
pub  1024/9E55000D 1997/01/13 Secure Networks Inc. <sni@secnet.com>
                              Secure Networks <security@secnet.com>

Copyright Notice
~~~~~~~~~~~~~~~~
The contents of this advisory are Copyright (C) 1998 Secure Networks Inc,
and may be distributed freely provided that no fee is charged for
distribution, and that proper credit is given.

