COMMAND

    NetMeeting

SYSTEMS AFFECTED

    NetMeeting Version 3.01 (4.4.3385) on Windows 2000 or Windows NT 4.0

PROBLEM

    The following is based on Microsoft Security Bulletin MS00-077.  A
    remote denial of service vulnerability has been discovered in a
    component of NetMeeting.  The denial of service can occur when a
    malicious client sends a particular malformed string to a port on
    which the NetMeeting service is listening while Remote Desktop
    Sharing is enabled.

    Although the NetMeeting application is provided as part of Windows
    2000 products, the application and affected component are not
    enabled by default, and customers who have not enabled them would
    not be at risk from this vulnerability.

    Microsoft thanks  Kirk Corey  of Diversified  Software Industries,
    Inc. for reporting this issue to us and working with us to protect
    customers.  Here is his advisory.

    NetMeeting is a free software product from Microsoft which  allows
    realtime   audio/video   conferencing   among   peer    computers.
    NetMeeting  also  contains  a  component  known  as Remote Desktop
    Sharing (RDS).  RDS allows a technician to take remote control  of
    computers for troubleshooting,  etc. RDS has  some uses which  are
    similar to (but more limited than) Terminal Services,  pcAnywhere,
    etc.

    The exploit below has been  tested against the current version  of
    NetMeeting 3.01 which ships with Windows 2000.  It has been tested
    on Windows 95, NT 4 Workstation and Server SP5/6, and Windows 2000
    Workstation and Server SP1.  It has been tested against  computers
    with either modem or ethernet connections.

    In  this  example,  my.unix.box.com  represents  the attacker, and
    hapless.victim.com represents the  computer running NetMeeting  in
    either  client  or  RDS  mode.   Assuming  you already have netcat
    installed on my.unix.box.com, enter the following command line:

        nc hapless.victim.com 1720 < /dev/zero

    At this point, CPU usage  on the victim machine becomes  elevated,
    depending on the speed of both machines, and the speed of the link
    between them.

    Now, terminate the netcat command with ^C.  At this point, CPU  on
    the victim machine  hits 100% and  stays there.   If NetMeeting is
    running in client mode, it can (eventually) be terminated via  the
    Task Manager on Windows 2000 or NT.   If RDS is active, it may  be
    necessary to use another tool (such as HandleEx) to terminate  the
    RDS service; Task Manager may not have access to this process.

    If you  are using  RDS for  remote server  management, you may now
    need  to  make  a  road  trip  to  the  remote computer to restore
    functionality.
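
    A detection-side sketch, added here and not part of the advisory
    or of Microsoft's bulletin: H.323 call signaling on TCP 1720 is
    framed with TPKT (RFC 1006), so the all-zero stream described
    above never forms a valid frame and can be flagged from the first
    bytes a sensor or proxy sees.  The function name, the verdict
    strings and the 64-byte threshold are assumptions.

```python
import struct

# H.225.0 call signaling on TCP 1720 is framed with TPKT (RFC 1006):
# version (always 3), reserved (0), 16-bit total length including the header.
TPKT_HEADER = struct.Struct("!BBH")
TPKT_VERSION = 3
NULL_RUN_THRESHOLD = 64  # assumed cut-off for calling a run of 0x00 a flood


def classify_stream(data: bytes) -> str:
    """Return "null-flood", "malformed", "incomplete" or "ok" for received bytes."""
    if not data:
        return "incomplete"
    # Input piped from /dev/zero is nothing but 0x00 bytes, so test that first.
    leading_nulls = len(data) - len(data.lstrip(b"\x00"))
    if leading_nulls >= NULL_RUN_THRESHOLD:
        return "null-flood"
    offset = 0
    while offset < len(data):
        if len(data) - offset < TPKT_HEADER.size:
            return "incomplete"
        version, reserved, length = TPKT_HEADER.unpack_from(data, offset)
        if version != TPKT_VERSION or reserved != 0 or length < TPKT_HEADER.size:
            return "malformed"
        if offset + length > len(data):
            return "incomplete"  # frame announced more bytes than have arrived
        offset += length
    return "ok"


# Constructed samples, not captured traffic.
VALID_FRAME = TPKT_HEADER.pack(TPKT_VERSION, 0, 4 + 5) + b"\x08\x02\x00\x01\x05"
ZERO_STREAM = bytes(4096)  # 4 KiB of 0x00, as a /dev/zero-fed connection delivers

if __name__ == "__main__":
    for name, sample in [("valid frame", VALID_FRAME),
                         ("zero stream", ZERO_STREAM),
                         ("short zero run", bytes(10))]:
        print(f"{name:15} -> {classify_stream(sample)}")
```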

SOLUTION

    Patch availability:

        - Windows 2000 and Windows NT 4.0: http://www.microsoft.com/Downloads/Release.asp?ReleaseID=25029