COMMAND
kernel
SYSTEMS AFFECTED
Windows NT 4.0 SP6a + with or without HOT Fixes + SynAttackProtect set
PROBLEM
'NtWaK0' found the following after spending many hours re-installing,
ghosting and testing to find out why two of his NT boxes crashed.
About a month ago two of his NT 4.0 boxes started to crash for no
apparent reason (while he was on IRC). They had never had a crash
problem before he applied Microsoft's "Registry settings for maximum
protection from network attack". Since his registry had been modified
in several places, tracking the problem down was a task.
The crash is a hard hang: the only way out is the power button. After
hours of testing he was able to reproduce it at will and found the
exact registry setting responsible.
Here is some background information from Microsoft site:
http://www.microsoft.com/TechNet/security/dosrv.asp
- Security Considerations for Network Attacks
- Registry settings for maximum protection from network attack
The following registry settings will help to increase the
resistance of the NT or Windows 2000 network stack to network
denial of service attacks:
SynAttackProtect
Key: Tcpip\Parameters
Value Type: REG_DWORD
Valid Range: 0, 1, 2
0 (no synattack protection)
1 (reduced retransmission retries and delayed RCE (route cache
entry) creation if the TcpMaxHalfOpen and TcpMaxHalfOpenRetried
settings are satisfied.)
2 (in addition to 1 a delayed indication to Winsock is made.)
What 'NtWaK0' found out: with the value set to 1 or 2, running a TCP
sequence number prediction attack (CyberCop module 13002) against the
box crashes NT, and the only way to recover is to power it off and on.
To reproduce the attack:
1. Install NT 4.0
2. Apply all the hot fixes suggested by Microsoft (the crash occurs
with or without hot fixes)
3. Open regedt32 or regedit
4. Go to [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]
5. Add or change the value "SynAttackProtect" and set it to 1 or 2
6. Value Type: REG_DWORD, Valid Range: 0, 1, 2
7. In .reg file syntax the entry reads "SynAttackProtect"=dword:00000002
8. Close regedt32 or regedit
9. Reboot
10. Run a TCP sequence number prediction attack against the box
11. Hint: if you have CyberCop Scanner, it is module 13002; otherwise
code your own.
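A quick way to check whether a box is in the affected state without clicking through regedt32 is to export the Tcpip\Parameters key with regedit and audit the export. The following Python is an added example (not part of the original advisory or of any Microsoft tool): it parses the REGEDIT4-style text that regedit writes, pulls out the dword values under Tcpip\Parameters, and flags SynAttackProtect=1 or 2 as affected. The sample export embedded in the block is constructed for the example.

```python
"""Audit a regedit export for the SynAttackProtect setting.

Added example, not from the original advisory: parses the REGEDIT4-style
text that regedit exports and reports whether SynAttackProtect holds one of
the values (1 or 2) the advisory associates with the hang.  SAMPLE_EXPORT is
a constructed export, not one captured from a real machine.
"""
import re

TCPIP_PARAMS = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters"
CRASH_VALUES = {1, 2}  # settings the advisory says trigger the hang

# Constructed sample of a regedit export (REGEDIT4 format).
SAMPLE_EXPORT = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]
"SynAttackProtect"=dword:00000002
"TcpMaxHalfOpen"=dword:00000064
"EnableSecurityFilters"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces]
"""

_KEY_RE = re.compile(r"^\[(.+)\]$")
_DWORD_RE = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{1,8})$')


def parse_reg_export(text):
    """Return {key_path: {value_name: int}} for the dword values in an export.

    Only dword values are collected; string and binary values are ignored
    because they are not relevant to this check."""
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "REGEDIT4" or line.startswith("Windows Registry Editor"):
            continue
        m = _KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = _DWORD_RE.match(line)
        if m and current is not None:
            keys[current][m.group(1)] = int(m.group(2), 16)
    return keys


def syn_attack_protect(text):
    """Return the SynAttackProtect value, or None when the export does not set it."""
    params = parse_reg_export(text).get(TCPIP_PARAMS, {})
    return params.get("SynAttackProtect")


def audit_syn_attack_protect(text):
    """One-line verdict: is the exported configuration in the crash-prone range?"""
    value = syn_attack_protect(text)
    if value is None:
        # The advisory describes the affected boxes as having been changed
        # from 0, so an absent value is treated as the unprotected default.
        return "SynAttackProtect not set (default 0): not affected"
    if value in CRASH_VALUES:
        return f"SynAttackProtect={value}: affected, set it to 0 to avoid the hang"
    return f"SynAttackProtect={value}: not affected"


if __name__ == "__main__":
    print(audit_syn_attack_protect(SAMPLE_EXPORT))
```

On the machine itself the export comes from regedit (or regedt32's Save Key, which produces a binary hive rather than text, so use regedit's text export here); the parser is deliberately strict about the `"Name"=dword:XXXXXXXX` form so a value stored with a different type is not silently accepted.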
'NtWaK0' started with tests such as stopping BlackICE, changing the IRC
client, etc. Nothing stopped the daily crashes, which happened two or
three times a day or night. He then decided to scan the machine with
CyberCop.
After scanning the remote box using just module 13002, the box crashed.
He rebooted the remote box and, after more thinking and testing,
confirmed that this module was the one causing the crash.
MODULE 13002
This module uses mod13000.dll. Here is the module description taken
from CyberCop:
13002 TCP sequence numbers are predictable
Risk Factor: High
Complexity: Medium
Fixease: Moderate
Popularity: Popular
Rootcause: Implementation
Impact: Accountability, Authorization
The host generates TCP sequence numbers in a pattern which can be
guessed by an intruder to launch TCP spoofing based attacks.
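To make concrete what a "TCP sequence numbers are predictable" check measures, the following Python is an added example and is not CyberCop's module code. A scanner of this kind opens a series of connections, records the initial sequence number (ISN) from each SYN-ACK, and looks at how the ISNs advance from one connection to the next; this block implements that analysis on constructed ISN samples (a classic fixed-increment BSD-style counter, a time-driven counter with jitter, and randomised ISNs) and sends no traffic. The class names and the 1024-sequence-number jitter threshold are choices made for the example.

```python
"""Classify TCP initial sequence numbers (ISNs) by how predictable they are.

Added example, not CyberCop's module 13002 code.  A scanner opens a series
of connections, records the ISN in each SYN-ACK and examines how the ISNs
advance between connections; this block does that analysis on constructed
ISN samples (no network traffic is sent).
"""
import random

MOD = 1 << 32  # TCP sequence space


def isn_deltas(isns):
    """Differences between consecutive ISNs, taken modulo 2**32 so a
    counter that wraps past 0xFFFFFFFF still shows a steady increment."""
    return [(b - a) % MOD for a, b in zip(isns, isns[1:])]


def guess_window(isns):
    """How many candidate next-ISNs an attacker has to try, judged from the
    spread of the observed deltas (1 means the next ISN is known exactly)."""
    deltas = isn_deltas(isns)
    return max(deltas) - min(deltas) + 1


def classify_isns(isns, jitter=1024):
    """Return 'constant', 'fixed-increment', 'near-fixed-increment' or
    'unpredictable'.  `jitter` is the largest delta spread still treated as
    a time-driven counter an attacker can bracket with a handful of guesses
    (the threshold is a choice made for this example)."""
    if len(isns) < 3:
        raise ValueError("need at least three ISN samples")
    deltas = isn_deltas(isns)
    if all(d == 0 for d in deltas):
        return "constant"
    if len(set(deltas)) == 1:
        return "fixed-increment"
    if guess_window(isns) <= jitter:
        return "near-fixed-increment"
    return "unpredictable"


def make_samples(n=10):
    """Constructed ISN sequences standing in for captured SYN-ACKs."""
    # Classic BSD behaviour: the ISN grows by a fixed 64000 per connection.
    # Start near the top of the space so the counter wraps mid-sample.
    bsd = [(0xFFFF0000 + 64000 * i) % MOD for i in range(n)]
    # Time-driven counter: about 128000 per probe interval, with jitter
    # from the probe timing (seeded so the sample is reproducible).
    rng = random.Random(1)
    timed, cur = [], 0x20000000
    for _ in range(n):
        timed.append(cur)
        cur = (cur + 128000 + rng.randint(-200, 200)) % MOD
    # Randomised ISNs: every sample is an independent 32-bit draw.
    rng = random.Random(7)
    randomized = [rng.getrandbits(32) for _ in range(n)]
    return {"bsd": bsd, "timed": timed, "randomized": randomized}


SAMPLES = make_samples()

if __name__ == "__main__":
    for name, isns in SAMPLES.items():
        print(f"{name:10s} {classify_isns(isns):22s} window={guess_window(isns)}")
```

The point of `guess_window` is the attacker's cost: with a fixed increment the spoofer needs one guess per connection; with a jittered counter a few hundred; with randomised ISNs the window is effectively the whole sequence space. Note that this check only reads SYN-ACKs it provoked itself, which is why a scanner can legitimately report "Not Vulnerable" while the probe connections are still hitting the target's stack.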
The funny part is that CyberCop reports the host as NOT VULNERABLE,
yet the module kills the box. Here is what the CyberCop report says
while running the module:
DBG:: <Tue Nov 21 15:47:26 2000 >[REMOTEIP] HID=1 VID=13002 module_started
DBG:: <Tue Nov 21 15:47:47 2000>[REMOTEIP] HID=1 VID=13002 module_finished
Not Vulnerable
DBG:: <Tue Nov 21 15:47:26 2000 >[REMOTEIP] HID=1 VID=13002 host_finished.
SOLUTION
If you have followed the MS paper and changed the value from 0 to 1 or
2, change it back to 0. Setting it to 0 keeps your NT box safe from
this attack, but it also gives up the SYN attack protection the MS
paper recommends, so it is a trade-off you have to make.