COMMAND

    MSTask.exe

SYSTEMS AFFECTED

    WinNT 4.0

PROBLEM

    Ilia Sprite found the following.  MSTask.exe is an application that
    ships with Windows NT 4.0.  A strange behavior was discovered in the
    MSTask.exe code.  If exploited, this vulnerability allows an attacker
    to slow down a vulnerable Windows NT system and sometimes to freeze
    it.

    It appears, from testing done, that MSTask.exe, usually  listening
    on TCP 1026 (or some high  port) will cause memory to be  consumed
    if it is connected to and  some random characters are sent to  it.
    After such a connection, eventually the machine will freeze.   The
    only solution appears to be a reboot.

    MSTask.exe, however, only  permits connections via  the localhost,
    or 127.0.0.1,  so on  most systems  such an  attack would  have to
    originate from someone at  the console (or connected  via Terminal
    Server).

    However, if WinGate or WinProxy is installed on the system, the system
    becomes vulnerable to remote attackers, because the proxy connects to
    the system's TCP port 1026 from the local host on their behalf, and
    the connection will be accepted.

    To  reproduce  the  problem,  use  Winnt  4.0 Workstation.  Do the
    following:

        1. Start telnet.exe
        2. Menu->Connect->Remote System=127.0.0.1 , Port=1026
        3. Press 'Connect' button
        4. When it connects, type some random characters and press
           enter.
        5. Close telnet.exe.

    Now you can see in Task Manager that CPU usage is near 100% because
    of MSTask.exe.  Sometimes (not always) the system halts; sometimes
    MSTask.exe listens on port 1027 or higher.  Windows 2000 Enterprise
    Server also has MSTask.exe, listening on port 1026.  MSTASK.EXE is
    present on Windows 98 SE.  WinME also has MSTask.exe, in
    \Windows\System, but it doesn't seem to be vulnerable.

    That MSTASK is a task scheduler can be verified by opening the
    C:\WINDOWS\HELP\MSTASK.CHD file, or by looking at the ASCII strings
    inside C:\WINDOWS\SYSTEM\MSTASK.EXE or MSTASK.DLL.

    In MSTASK.CHD there is a helpful note on how to view and alter
    scheduled tasks on (from) remote computers.  This should be very
    helpful for administrators, worms and exploiters.  This method
    relies on the PWL files for security.  One can move the MSTASK
    files into a holding area, such as \WINDOWS\GARBAGE (then compress
    it, e.g. as a ZIP, to remove obvious traces from hostile file
    searches).  Better still, make a Zip drive of removed garbage, kept
    for when Windows next crashes.  One system had these elements in
    the Registry:

        [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
        "SchedulingAgent"="mstask.exe"

        [HKEY_LOCAL_MACHINE\Software\CLASSES\CLSID\{DD2110F0-9EEF-11cf-8D8E-00AA0060F5BF}\InProcServer32]
        @="C:\\ND\\SYSTEM\\mstask.dll"

        [HKEY_LOCAL_MACHINE\Software\CLASSES\CLSID\{797F1E90-9EDD-11cf-8D8E-00AA0060F5BF}\InProcServer32]
        @="C:\\ND\\SYSTEM\\mstask.dll"

        [HKEY_LOCAL_MACHINE\Software\CLASSES\CLSID\{148BD520-A2AB-11CE-B11F-00AA00530503}\DefaultIcon]
        @="C:\\ND\\SYSTEM\\mstask.dll,-101"

        [HKEY_LOCAL_MACHINE\Software\CLASSES\CLSID\{148BD520-A2AB-11CE-B11F-00AA00530503}\InProcServer32]
        @="C:\\ND\\SYSTEM\\mstask.dll"

        [HKEY_LOCAL_MACHINE\Software\CLASSES\CLSID\{255b3f60-829e-11cf-8d8b-00aa0060f5bf}\DefaultIcon]
        @="C:\\ND\\SYSTEM\\mstask.dll,-102"

        [HKEY_LOCAL_MACHINE\Software\CLASSES\CLSID\{255b3f60-829e-11cf-8d8b-00aa0060f5bf}\InProcServer32]
        @="C:\\ND\\SYSTEM\\mstask.dll"

        [HKEY_LOCAL_MACHINE\Software\CLASSES\CLSID\{148BD52A-A2AB-11CE-B11F-00AA00530503}\DefaultIcon]
        @="C:\\ND\\SYSTEM\\mstask.dll,0"

        [HKEY_LOCAL_MACHINE\Software\CLASSES\CLSID\{148BD52A-A2AB-11CE-B11F-00AA00530503}\InProcServer32]
        @="C:\\ND\\SYSTEM\\mstask.dll"

        [HKEY_LOCAL_MACHINE\Software\CLASSES\CLSID\{D6277990-4C6A-11CF-8D87-00AA0060F5BF}\DefaultIcon]
        @="C:\\ND\\SYSTEM\\mstask.dll,-100"

        [HKEY_LOCAL_MACHINE\Software\CLASSES\CLSID\{D6277990-4C6A-11CF-8D87-00AA0060F5BF}\InProcServer32]
        @="C:\\ND\\SYSTEM\\mstask.dll"
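    As an added example (not part of the original advisory), the
    following script parses a .reg-style export in the format quoted
    above and reports whether mstask.exe is auto-started via RunServices
    and which CLSIDs register mstask.dll as their InProcServer32, so an
    administrator can inventory which machines actually run the Task
    Scheduler listener.  The SAMPLE_REG fragment is constructed from the
    entries listed above; only REG_SZ string values are handled.

```python
import re

# Constructed .reg fragment modelled on the advisory's listing (not a capture).
SAMPLE_REG = r'''
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"SchedulingAgent"="mstask.exe"

[HKEY_LOCAL_MACHINE\Software\CLASSES\CLSID\{DD2110F0-9EEF-11cf-8D8E-00AA0060F5BF}\InProcServer32]
@="C:\\ND\\SYSTEM\\mstask.dll"

[HKEY_LOCAL_MACHINE\Software\CLASSES\CLSID\{148BD520-A2AB-11CE-B11F-00AA00530503}\DefaultIcon]
@="C:\\ND\\SYSTEM\\mstask.dll,-101"

[HKEY_LOCAL_MACHINE\Software\CLASSES\CLSID\{148BD520-A2AB-11CE-B11F-00AA00530503}\InProcServer32]
@="C:\\ND\\SYSTEM\\mstask.dll"
'''

RUNSERVICES = r'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices'
CLSID_SERVER = re.compile(
    r'(?i)HKEY_LOCAL_MACHINE\\Software\\CLASSES\\CLSID\\(\{[0-9A-F-]+\})\\InProcServer32$')
VALUE_LINE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=("(?:[^"\\]|\\.)*")$')


def _unescape(s):
    # .reg escapes backslashes and quotes with a backslash.
    return re.sub(r'\\(.)', r'\1', s)


def parse_reg(text):
    """Parse [key] sections and "name"="value" / @="value" lines into
    {key: {name: value}}; the default value (@) is stored under ''."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(';'):
            continue
        if line.startswith('[') and line.endswith(']'):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = VALUE_LINE.match(line)
        if m and current is not None:
            name = '' if m.group(1) == '@' else _unescape(m.group(1)[1:-1])
            keys[current][name] = _unescape(m.group(2)[1:-1])
    return keys


def audit_mstask(text):
    """Return (autostart, clsids): True if RunServices launches mstask.exe,
    plus the sorted CLSIDs whose InProcServer32 points at mstask.dll."""
    autostart, clsids = False, set()
    for key, values in parse_reg(text).items():
        if key.lower() == RUNSERVICES.lower():
            autostart = any(v.lower().endswith('mstask.exe') for v in values.values())
        m = CLSID_SERVER.match(key)
        if m and values.get('', '').lower().endswith('mstask.dll'):
            clsids.add(m.group(1).upper())
    return autostart, sorted(clsids)
```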

    It  is  important  to  note  that  schedule.exe  (on  NT4) will be
    upgraded  to  Task  Scheduler  when  the  Offline Browsing Pack is
    installed during IE5.x setup.  The same will happen with IE4.x  if
    you download  the Task  Scheduler component.   You can  avoid  the
    upgrade by choosing not to install the Offline Browsing Pack  (NT4
    only).   However, you  will not  be able  to synchronize web pages
    for offline reading.

    To cover all bases, yes Task Scheduler is used for more than  just
    scheduled  web  synchronizations.   The  Microsoft Critical Update
    Notification,  PCHealth,  Tune-Up,  etc.  automatically   schedule
    themselves  too.   Win98  and  newer  will  automatically use Task
    Scheduler for these things.

    MSTASK.EXE is installed by IE5.  It is in fact a replacement for
    the task scheduler, originally the Scheduler service.  It changes
    the service's registry entry from Scheduler to Task Scheduler, and
    sets its startup type to automatic.

SOLUTION

    Any updates to this information are available at

        http://www.securityelf.net/exploit.mstask.e.php4

    Tests done by Marty Reed showed that Win2000 (all versions) is not
    affected by the above bug.