From sxdirect@SECUREXPERT.COM Wed Aug 2 02:35:05 2000 From: SecureXpert DIRECT Sender To: BUGTRAQ@SECURITYFOCUS.COM Date: Fri, 30 Jun 2000 16:20:55 -0400 Subject: SecureXpert Advisory [SX-20000620-2] FSC Internet Corp. / SecureXpert Labs SecureXpert Labs Advisory [SX-20000620-2] - Multiple ports/protocols partial Denial of Service in Microsoft Windows 2000 Server Summary Multiple ports and protocols on Microsoft Windows 2000 Server are susceptible to a simple network attack which raises CPU utilization on Windows 2000 Server to 100%. Details Multiple services on Windows 2000 Server are vulnerable to a simple attack which allows remote network users to drive the CPU utilization to 100% in an extremely short period of time, at little cost to the attacker's machine. The ports that were found vulnerable include TCP ports 7, 9, 21, 23, 7778 and UDP ports 53, 67, 68, 135, 137, 500, 1812, 1813, 2535, 3456. While this attack does not cause an immediate lockup of the machine, it does cause excessive CPU resource utilization on the target machine. This can easily be reproduced from a Linux system using netcat with an input of /dev/zero, with a command such as "nc target.host 7 < /dev/zero" for the TCP variant or "nc -u target.host 53 < /dev/zero" for the UDP variant. Due to the large number of services affected, this could likely allow a very quick and easy distributed attack Status Microsoft Corp. has been informed of this vulnerability, and has assigned it incident ID# [MSRC 291]. SecureXpert Labs staff are working with Microsoft to reproduce the vulnerability and prepare a fix. Credits Mike Murray, SecureXpert Labs Max Degtyar, SecureXpert Labs Richard Reiner, SecureXpert Labs About SecureXpert DIRECT SecureXpert DIRECT is an advance security advisory service provided by SecureXpert Labs. Subscriptions are free of charge and may be obtained online at http://www.securexpert.com/services.html.