COMMAND

    kernel

SYSTEMS AFFECTED

    Win2000

PROBLEM

    The following is based on an FSC Internet Corp./SecureXpert Labs
    Advisory.  Multiple ports and protocols on Microsoft Windows 2000
    Server are susceptible to a simple network attack which raises
    CPU utilization on Windows 2000 Server to 100%.

    Multiple  services  on  Windows  2000  Server  are vulnerable to a
    simple attack which allows remote  network users to drive the  CPU
    utilization  to  100%  in  an  extremely  short period of time, at
    little cost to the attacker's machine.  The ports that were  found
    vulnerable include TCP ports 7, 9, 21, 23, 7778 and UDP ports  53,
    67, 68, 135, 137, 500, 1812, 1813, 2535, 3456.

    While  this  attack  does  not  cause  an  immediate lockup of the
    machine, it does cause  excessive CPU resource utilization  on the
    target machine.

    This can  easily be  reproduced from  a Linux  system using netcat
    with an input of /dev/zero, with a command such as

        nc target.host 7 < /dev/zero

    for the TCP variant or

        nc -u target.host 53 < /dev/zero

    for  the  UDP  variant.   Due  to  the  large  number  of services
    affected,  this  could  likely  allow   a  very  quick  and   easy
    distributed attack.

    Some initial results (tested locally on a LAN) are:
    Using:

        % nc -u <host> 135 < /dev/zero

    Results:

        Win2k                = 100% CPU for duration of attack
        NT4                  = 55%  CPU for duration
        NT4 + MS00-029 patch = No effect

    The effect of the Jolt2 patch (MS00-029, above) and the tcpdump
    output indicate that this is a variation of a fragmentation
    attack.

SOLUTION

    Microsoft Corp. has been  informed of this vulnerability,  and has
    assigned it incident ID# [MSRC  291].  SecureXpert Labs staff  are
    working with Microsoft to reproduce the vulnerability and  prepare
    a fix.
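
    The following exposure check is an added example, not part of the
    original advisory.  It reads the text output of "netstat -an" from
    a Windows host and reports which of the ports listed under PROBLEM
    have a network-reachable listener.  The function name and the
    sample output (documentation addresses) are constructed for
    illustration.

```python
import re

# Ports the advisory lists as vulnerable, keyed by protocol.
AFFECTED = {
    "TCP": {7, 9, 21, 23, 7778},
    "UDP": {53, 67, 68, 135, 137, 500, 1812, 1813, 2535, 3456},
}

# One socket row of `netstat -an`: proto, local addr:port, foreign, [state].
ROW = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+\S+(?:\s+(\S+))?\s*$")


def exposed_listeners(netstat_text):
    """Return sorted (proto, local_addr, port) tuples for remotely
    reachable listeners on the advisory's affected ports."""
    found = set()
    for line in netstat_text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # banner, column header or blank line
        proto, addr, state = m.group(1), m.group(2), m.group(4)
        port = int(m.group(3))
        if proto == "TCP" and state != "LISTENING":
            continue  # established or closing connections are not listeners
        if addr.startswith("127."):
            continue  # loopback-only sockets are not reachable remotely
        if port in AFFECTED[proto]:
            found.add((proto, addr, port))
    return sorted(found)


# Constructed sample in the layout printed by Windows `netstat -an`.
SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:7              0.0.0.0:0              LISTENING
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    192.0.2.10:23          192.0.2.77:1045        ESTABLISHED
  TCP    127.0.0.1:21           0.0.0.0:0              LISTENING
  UDP    0.0.0.0:53             *:*
  UDP    192.0.2.10:137         *:*
  UDP    0.0.0.0:445            *:*
"""

if __name__ == "__main__":
    for proto, addr, port in exposed_listeners(SAMPLE):
        print(f"{proto} {addr}:{port} is on the advisory's affected list")
```

    Port 135 is reported only for UDP, since the advisory lists it
    under UDP and not TCP.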