COMMAND

    SMB crash

SYSTEMS AFFECTED

    Win NT 4.0

PROBLEM

    The following information is mostly based on the Secure Networks
    SNI-25 Advisory. Windows NT utilizes the SMB/CIFS protocol for
    network file sharing and other communications. To access the
    SMB/CIFS service on a Windows NT system, a logon request is
    initiated. Due to incorrect processing of the SMB logon packet,
    memory corruption occurs within the Windows NT kernel. As a result
    of the corruption, a "Blue Screen" occurs and the system reboots
    or, in some instances, hangs on this screen. This attack can be
    launched without a valid login and password, since the corruption
    occurs during processing of the logon request. The symptom is one
    of the following errors:

        STOP 0x0000000A
        STOP 0x00000050

    An SMB logon packet contains the following data:

        - Username
        - Password
        - Operating system
        - Lan Manager type
        - Domain

    The SMB logon request contains the size of the data which follows.
    When the size of data specified in the request does not correspond
    to the size of data which is actually present, corruption occurs.
    This problem was discovered by Oliver Friedrichs and, in parallel,
    by ISS member Jose Rodriguez.
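
    The size check described above, as an added example (not code from
    the advisory, Microsoft or Secure Networks): a parser that rejects
    a logon request whose declared data size differs from the bytes
    actually received, before any field is read. The two-byte length
    prefix, the NUL-terminated fields and all names are a simplified,
    hypothetical layout, not the real SMB wire format.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simplified, hypothetical layout (NOT the real SMB wire format):
 *   bytes 0-1: declared size of the data area, little-endian
 *   bytes 2..: data area holding NUL-terminated string fields */
#define LOGON_FIELDS 5 /* username, password, OS, LAN Manager type, domain */

enum logon_status { LOGON_OK, LOGON_TRUNCATED, LOGON_SIZE_MISMATCH, LOGON_BAD_FIELD };

/* Compare the declared size with the bytes actually received, then locate
 * each field without ever reading past the received buffer. */
enum logon_status parse_logon(const uint8_t *pkt, size_t pkt_len,
                              const char *fields[LOGON_FIELDS])
{
    if (pkt == NULL || pkt_len < 2)
        return LOGON_TRUNCATED;              /* no room for the size field */
    size_t declared = (size_t)pkt[0] | ((size_t)pkt[1] << 8);
    size_t left = pkt_len - 2;               /* bytes really present */
    if (declared != left)
        return LOGON_SIZE_MISMATCH;          /* never trust the sender's count */
    const uint8_t *cur = pkt + 2;
    for (int i = 0; i < LOGON_FIELDS; i++) {
        const uint8_t *nul = memchr(cur, 0, left);   /* bounded search */
        if (nul == NULL)
            return LOGON_BAD_FIELD;          /* unterminated or missing field */
        fields[i] = (const char *)cur;
        size_t used = (size_t)(nul - cur) + 1;
        cur += used;
        left -= used;
    }
    return left == 0 ? LOGON_OK : LOGON_BAD_FIELD;   /* reject trailing bytes */
}

/* Constructed sample packets: one consistent, one overstating its size. */
static const uint8_t sample_ok[]  = {14, 0, 'u', 0, 'p', 0, 'N', 'T', 0,
                                     'L', 'M', 0, 'D', 'O', 'M', 0};
static const uint8_t sample_lie[] = {200, 0, 'u', 0, 'p', 0, 'N', 'T', 0,
                                     'L', 'M', 0, 'D', 'O', 'M', 0};

int main(void)
{
    const char *f[LOGON_FIELDS];
    printf("ok=%d lie=%d\n", parse_logon(sample_ok, sizeof sample_ok, f),
           parse_logon(sample_lie, sizeof sample_lie, f));
    return 0;
}
```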

SOLUTION

    Microsoft has issued a patch for Windows NT to solve this problem
    at the following location:

        ftp.microsoft.com
        /bussys/winnt/winnt-public/fixes/usa/NT40/hotfixes-postSP3/srv-fix