FSC Internet Corp. / SecureXpert Labs

SecureXpert Labs Advisory [SX-20000620-2] - Multiple ports/protocols
partial Denial of Service in Microsoft Windows 2000 Server

Summary

Multiple ports and protocols on Microsoft Windows 2000 Server are susceptible
to a simple network attack which raises CPU utilization on Windows 2000
Server to 100%.

Details

Multiple services on Windows 2000 Server are vulnerable to a simple attack which
allows remote network users to drive the CPU utilization to 100% in an
extremely short period of time, at little cost to the attacker's machine.

The ports that were found vulnerable include TCP ports 7, 9, 21, 23, 7778
and UDP ports 53, 67, 68, 135, 137, 500, 1812, 1813, 2535, 3456.

While this attack does not cause an immediate lockup of the machine, it
does cause excessive CPU resource utilization on the target machine.

This can easily be reproduced from a Linux system using netcat with an input
of /dev/zero, with a command such as "nc target.host 7 < /dev/zero" for the
TCP variant or "nc -u target.host 53 < /dev/zero" for the UDP variant.

Due to the large number of services affected, this could likely allow a
very quick and easy distributed attack

Status

Microsoft Corp. has been informed of this vulnerability, and has assigned it
incident ID# [MSRC 291].  SecureXpert Labs staff are working with
Microsoft to reproduce the vulnerability and prepare a fix.

Credits

Mike Murray, SecureXpert Labs
Max Degtyar, SecureXpert Labs
Richard Reiner, SecureXpert Labs

About SecureXpert DIRECT

SecureXpert DIRECT is an advance security advisory service provided by
SecureXpert Labs.  Subscriptions are free of charge and may be obtained
online at http://www.securexpert.com/services.html.