Very Computer

>I'm no authority on this, but it appears that there is a "utility" in
samba
>which will crash a Windows box. It uses its elevated privleges (becuase
>you usually set up samba as a server and a peer to another real NT box)
>to flood the NT box with RPC connections and eventually causing the
>SERVICES.EXE to give up.

> This is something different having to do with RPC and/or LSA, I believe.

> Here is a link to the original CRSS posting of the problem and reprod.
> details:
> http://ntbugtraq.ntadvice.com/default.asp?pid=36&sid=1&A2=
> ind9904&L=NTBUGTRAQ&D=0&F=P&P=2694

> note: wrapped for readability

> The newest post in regards to DoS Samba is here:
> It's recent as it was just posted to NTBugTraq today or yesterday.

> http://www.ntbugtraq.com/default.asp?pid=36&sid=1&A2=
> ind9908&L=NTBUGTRAQ&P=R2823

> And the Samba people's reply:
> http://www.ntbugtraq.com/default.asp?pid=36&sid=1&A2=
> ind9908&L=NTBUGTRAQ&P=R3252

> Note: both wrapped for readability

> Chad

> > >I don't know if anyone caught the most recent NTBugTraq post about
> > >smbtorture.

> > >I'm no authority on this, but it appears that there is a "utility" in
> > samba
> > >which will crash a Windows box. It uses its elevated privleges (becuase
> > >you usually set up samba as a server and a peer to another real NT box)
> > >to flood the NT box with RPC connections and eventually causing the
> > >SERVICES.EXE to give up.

> > If I understand which DOS attack you're referring to, it has been fixed
> > for a couple of months.

> > http://www.microsoft.com/security/bulletins/ms99-021.asp

> > >Again proving that one of the few things linux is good for is hax0rin..

> > >Even their applications that are supposed to bolster support and ease
> > >Linux integration into Windows shops are cracker utilities.

> > ><sigh>

> > >Chad

> >I don't know if anyone caught the most recent NTBugTraq post about
> >smbtorture.

> >I'm no authority on this, but it appears that there is a "utility" in
> samba
> >which will crash a Windows box. It uses its elevated privleges (becuase
> >you usually set up samba as a server and a peer to another real NT box)
> >to flood the NT box with RPC connections and eventually causing the
> >SERVICES.EXE to give up.

> If I understand which DOS attack you're referring to, it has been fixed
> for a couple of months.

> http://www.microsoft.com/security/bulletins/ms99-021.asp

> >Again proving that one of the few things linux is good for is hax0rin..

> >Even their applications that are supposed to bolster support and ease
> >Linux integration into Windows shops are cracker utilities.

> ><sigh>

> >Chad

>    Serious question time (in two rival advocacy groups!  uh oh!):

>    How does it do that?  Does the garbage get in the login
> service's hands and cause it to lock up, or ...?

>> > There's LSASS vulnerability: LSASS crashes when a lot of garbage is
written into IPC$
>> > pipe. NT itself doesn't BSOD, but nobody can logon to the system.
>> > It was fixed in SP5.

>>    Serious question time (in two rival advocacy groups!  uh oh!):

>>    How does it do that?  Does the garbage get in the login
>> service's hands and cause it to lock up, or ...?
>Probably, smthg like that.
>When we ran *cop Scanner "LSASS denial of service" test LSASS was
crashing. There was
>post-SP3 hot fix for that, but it didn't make it into SP4 by mistake.
SP5 has it.

>Boris

> >> > There's LSASS vulnerability: LSASS crashes when a lot of garbage is
> written into IPC$
> >> > pipe. NT itself doesn't BSOD, but nobody can logon to the system.
> >> > It was fixed in SP5.

> >>    Serious question time (in two rival advocacy groups!  uh oh!):

> >>    How does it do that?  Does the garbage get in the login
> >> service's hands and cause it to lock up, or ...?
> >Probably, smthg like that.
> >When we ran *cop Scanner "LSASS denial of service" test LSASS was
> crashing. There was
> >post-SP3 hot fix for that, but it didn't make it into SP4 by mistake.
> SP5 has it.

> >Boris

> I think Chad was referring to the CSRSS problem, both were very close
> together.  As I understood it, the crsss service would wait for an ack
> from it's response and would stop responding, they changed its
> prioritization to prevent occurance.

>  http://www.veryComputer.com/

> Microsoft Security Bulletin (MS99-021)

> Patch Available for "CSRSS Worker Thread Exhaustion" Vulnerability

> Originally Posted: June 23, 1999

> Summary
> Microsoft has released a patch that eliminates a vulnerability in the
> Microsoft? Windows NT? CSRSS process that could be used to create a
> denial of service condition against a machine that allows interactive
> logons.

> Frequently asked questions regarding this vulnerability can be found at
> http://www.veryComputer.com/

> Issue
> If all worker threads in CSRSS.EXE are occupied awaiting user input, no
> other requests can be serviced, effectively causing the server to hang.
> When user input is provided, processing returns to normal. The patch
> eliminates the vulnerability by ensuring that the last CSRSS worker
> thread services only requests that do not require user input.

> The LSA problem was a different issue of the LSA service failing when a
> malformed request was received, forceing a reboot.

> http://www.veryComputer.com/

> Microsoft Security Bulletin (MS99-020)

> Patch Available for "Malformed LSA Request" Vulnerability

> Originally Posted: June 23, 1999
> Revised: Ju1y 20, 1999

> Summary
> Microsoft has released a patch that eliminates a vulnerability that
> poses a denial of service threat to Microsoft? Windows NT? servers and
> workstations. A malformed request to the Local Security Authority (LSA)
> service will causes the service to stop responding, requiring the
> computer to be restarted.

> A fully supported patch is available to eliminate the vulnerability, and
> Microsoft recommends that affected customers download and install it, if
> appropriate.

> But I think this is the one Chad was referring to.  It fits your
> description better

>If anything, it was the LSASS DoS. But I think it's even newer than
that, as
>it was
>a new and recent posting to NTBugTraq.

>Chad

>> >> > There's LSASS vulnerability: LSASS crashes when a lot of garbage
is
>> written into IPC$
>> >> > pipe. NT itself doesn't BSOD, but nobody can logon to the
system.
>> >> > It was fixed in SP5.

>> >>    Serious question time (in two rival advocacy groups!  uh oh!):

>> >>    How does it do that?  Does the garbage get in the login
>> >> service's hands and cause it to lock up, or ...?
>> >Probably, smthg like that.
>> >When we ran *cop Scanner "LSASS denial of service" test LSASS
was
>> crashing. There was
>> >post-SP3 hot fix for that, but it didn't make it into SP4 by
mistake.
>> SP5 has it.

>> >Boris

>> I think Chad was referring to the CSRSS problem, both were very close
>> together.  As I understood it, the crsss service would wait for an
ack
>> from it's response and would stop responding, they changed its
>> prioritization to prevent occurance.

>>  http://www.veryComputer.com/

>> Microsoft Security Bulletin (MS99-021)

>> Patch Available for "CSRSS Worker Thread Exhaustion" Vulnerability

>> Originally Posted: June 23, 1999

>> Summary
>> Microsoft has released a patch that eliminates a vulnerability in the
>> Microsoft? Windows NT? CSRSS process that could be used to create a
>> denial of service condition against a machine that allows interactive
>> logons.

>> Frequently asked questions regarding this vulnerability can be found
at
>> http://www.veryComputer.com/

>> Issue
>> If all worker threads in CSRSS.EXE are occupied awaiting user input,
no
>> other requests can be serviced, effectively causing the server to
hang.
>> When user input is provided, processing returns to normal. The patch
>> eliminates the vulnerability by ensuring that the last CSRSS worker
>> thread services only requests that do not require user input.

>> The LSA problem was a different issue of the LSA service failing when
a
>> malformed request was received, forceing a reboot.

>> http://www.veryComputer.com/

>> Microsoft Security Bulletin (MS99-020)

>> Patch Available for "Malformed LSA Request" Vulnerability

>> Originally Posted: June 23, 1999
>> Revised: Ju1y 20, 1999

>> Summary
>> Microsoft has released a patch that eliminates a vulnerability that
>> poses a denial of service threat to Microsoft? Windows NT? servers
and
>> workstations. A malformed request to the Local Security Authority
(LSA)
>> service will causes the service to stop responding, requiring the
>> computer to be restarted.

>> A fully supported patch is available to eliminate the vulnerability,
and
>> Microsoft recommends that affected customers download and install it,
if
>> appropriate.

>> But I think this is the one Chad was referring to.  It fits your
>> description better

> >I don't know if anyone caught the most recent NTBugTraq post about
> >smbtorture.

> >I'm no authority on this, but it appears that there is a "utility" in
samba
> >which will crash a Windows box. It uses its elevated privleges (becuase
> >you usually set up samba as a server and a peer to another real NT box)
> >to flood the NT box with RPC connections and eventually causing the
> >SERVICES.EXE to give up.

> >Again proving that one of the few things linux is good for is hax0rin..

> >Even their applications that are supposed to bolster support and ease
> >Linux integration into Windows shops are cracker utilities.

> smbtorture is an SMB server tester utility. It was
> designed internally by the Samba Team to test Samba
> complience to the SMB spec and to bug-proof our own code
> against buffer overruns such as the ones now being
> reported in NT.

> It is not mentioned in the Samba documentation, not built
> by default and the Samba Team have never offered any
> information as to its use. We made information on it
> available to all other CIFS vendors who attended the
> last CIFS conference, and many of them now test their
> servers using it.

> When this utility was tested against Windows NT, by the
> Samba Team, *OVER ONE YEAR AGO*, the resulting problems
> were reported *DIRECTLY* to Microsoft and no public announcements
> have *ever* been made by us. We extend to other CIFS
> vendors the same courtesy we would wish to be extended
> to us. The Samba Team has a policy of full disclosure
> of security and DOS bugs (witness our latest CERT
> announcement) but we understand that other vendors do
> not due to their longer development cycle times, and
> respect their decisions.

> Unfortunately it now seems that someone has discovered
> this utility and is making publicity about it. Again,
> we cannot blame the people involved for doing this,
> they must make their own decisions.

> We are not in the business of embarressing Microsoft, we
> have enough of our own bugs to fix and be embarrassed
> about.

> Microsoft have ported smbtorture to Windows NT and
> use it internally as a tester against Windows NT and
> Win2000 systems.

> Regards,

> Jeremy Allison,
> Samba Team.

>I stand corrected.

>However, it would've been better tact to call it
>smbtester or something that implies your true intentions in the matter.

> I'm no authority on this, but it appears that there is a "utility" in samba
> which will crash a Windows box. It uses its elevated privleges (becuase
> you usually set up samba as a server and a peer to another real NT box)
> to flood the NT box with RPC connections and eventually causing the
> SERVICES.EXE to give up.

> Again proving that one of the few things linux is good for is hax0rin..