Windows NT Denial of Service

Reported February 14, 1998 by Secure Networks Inc. (sni@SECURENETWORKS.COM).

Systems Affected

Windows NT 4.0 including Service Pack 3 and hotfixes through February 14, 1998

Description:

This advisory addresses a denial of service attack which can be launched against Microsoft Windows NT servers. When launched, this attack results in a Blue Screen, causing the Windows NT system to reboot. This vulnerability affects Windows NT systems, including systems which have installed Service Pack 3 and all hotfixes.

Windows NT utilizes the SMB/CIFS protocol for network file sharing and other communications. To access the SMB/CIFS service on a Windows NT system, a logon request is initiated. Due to incorrect processing of the SMB logon packet, memory corruption occurs within the Windows NT kernel. As a result of this corruption, a Blue Screen occurs and the system reboots; in some instances it hangs on this screen.

This attack can be launched without a valid login and password, since corruption occurs during processing of the logon request.

Technical Details:

An SMB logon packet contains the following data:
- Username
- Password
- Operating system
- Lan Manager type
- Domain

The SMB logon request contains a count of the data bytes which follow. When the size specified in the request does not match the amount of data actually present, memory corruption occurs.
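The following is an added example, written for this page and not code from the advisory, from Secure Networks Inc., or from Microsoft's fix. It shows the length-consistency check a server-side SMB parser should perform before trusting the declared byte count: the parameter words and the two-byte ByteCount must fit in the bytes received, the ByteCount itself must not exceed the bytes that remain, and the password lengths carried in the parameter block must fit inside the data area. The packet layout assumed here is the NT LM 0.12 Session Setup AndX request as described in the CIFS specification (32-byte header, WordCount, 13 parameter words with the password-length words at byte offsets 14 and 16, then ByteCount and data); that layout and the sample packets built by `build_session_setup` are assumptions and constructed test data, not details taken from the advisory.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define SMB_HEADER_LEN 32          /* fixed SMB header size */
#define SESSION_SETUP_WORD_COUNT 13 /* NT LM 0.12 Session Setup AndX */

enum smb_check {
    SMB_OK = 0,
    SMB_TRUNCATED_HEADER,   /* fewer bytes than header + WordCount */
    SMB_BAD_MAGIC,          /* does not start with 0xFF 'S' 'M' 'B' */
    SMB_PARAMS_OVERRUN,     /* WordCount*2 + ByteCount field exceed buffer */
    SMB_BYTECOUNT_OVERRUN,  /* declared ByteCount exceeds bytes present */
    SMB_PASSWORD_OVERRUN    /* declared password lengths exceed data area */
};

static const uint8_t SMB_MAGIC[4] = { 0xFF, 'S', 'M', 'B' };

static uint16_t le16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

/* Check every length field of a Session Setup AndX request against the
 * number of bytes actually received; never trust a declared count. */
enum smb_check smb_validate_session_setup(const uint8_t *buf, size_t len)
{
    if (len < SMB_HEADER_LEN + 1) return SMB_TRUNCATED_HEADER;
    if (memcmp(buf, SMB_MAGIC, 4) != 0) return SMB_BAD_MAGIC;

    size_t pos = SMB_HEADER_LEN;
    uint8_t word_count = buf[pos++];
    size_t param_len = (size_t)word_count * 2;
    if (param_len + 2 > len - pos) return SMB_PARAMS_OVERRUN;

    const uint8_t *params = buf + pos;
    pos += param_len;
    uint16_t byte_count = le16(buf + pos);
    pos += 2;
    if (byte_count > len - pos) return SMB_BYTECOUNT_OVERRUN;

    if (word_count == SESSION_SETUP_WORD_COUNT) {
        /* assumed offsets: CaseInsensitivePasswordLength, CaseSensitivePasswordLength */
        size_t ci_len = le16(params + 14);
        size_t cs_len = le16(params + 16);
        if (ci_len + cs_len > byte_count) return SMB_PASSWORD_OVERRUN;
    }
    return SMB_OK;
}

/* Construct a sample request (test data, not a real capture). Returns bytes written. */
size_t build_session_setup(uint8_t *out, size_t cap, uint16_t byte_count,
                           uint16_t ci_len, uint16_t cs_len, size_t data_len)
{
    size_t need = SMB_HEADER_LEN + 1 + SESSION_SETUP_WORD_COUNT * 2 + 2 + data_len;
    if (need > cap) return 0;
    memset(out, 0, need);
    memcpy(out, SMB_MAGIC, 4);
    out[4] = 0x73;                       /* SMB_COM_SESSION_SETUP_ANDX */
    uint8_t *p = out + SMB_HEADER_LEN;
    *p++ = SESSION_SETUP_WORD_COUNT;
    p[0] = 0xFF;                         /* AndXCommand: no follow-on command */
    p[14] = (uint8_t)(ci_len & 0xFF); p[15] = (uint8_t)(ci_len >> 8);
    p[16] = (uint8_t)(cs_len & 0xFF); p[17] = (uint8_t)(cs_len >> 8);
    p += SESSION_SETUP_WORD_COUNT * 2;
    p[0] = (uint8_t)(byte_count & 0xFF); p[1] = (uint8_t)(byte_count >> 8);
    p += 2;
    memset(p, 'A', data_len);            /* filler for the data area */
    return need;
}

/* Build a packet with the given declared counts and validate it. */
enum smb_check check_scenario(uint16_t byte_count, uint16_t ci_len,
                              uint16_t cs_len, size_t data_len)
{
    uint8_t buf[512];
    size_t n = build_session_setup(buf, sizeof buf, byte_count, ci_len, cs_len, data_len);
    return smb_validate_session_setup(buf, n);
}

/* Build a consistent packet, then validate only its first `len` bytes. */
enum smb_check check_truncated(size_t len)
{
    uint8_t buf[512];
    size_t n = build_session_setup(buf, sizeof buf, 40, 24, 16, 40);
    return smb_validate_session_setup(buf, len < n ? len : n);
}

int main(void)
{
    printf("consistent packet:        %d\n", check_scenario(40, 24, 16, 40));
    printf("ByteCount > data present: %d\n", check_scenario(200, 24, 16, 40));
    printf("passwords > ByteCount:    %d\n", check_scenario(40, 24, 24, 40));
    printf("truncated to 40 bytes:    %d\n", check_truncated(40));
    return 0;
}
```

Each rejected case corresponds to a declared count that a parser must not use as a copy length; a server that rejects the request at this point never reaches the copy that the advisory says corrupts kernel memory.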

Impact:

Malicious users can launch denial of service attacks against Microsoft Windows NT systems.

Fix:

Microsoft has issued a patch for Windows NT to solve this problem at the following location:
ftp://ftp.microsoft.com/bussys/winnt/winnt-public/fixes/usa/NT40/hotfixes-postSP3/srv-fix
For additional information see Microsoft Knowledge Base article Q180963.

To learn more about new NT security concerns, subscribe to NTSD.

Credit:
This problem was discovered by Oliver Friedrichs (oliver@securenetworks.com).