SecurityvulnsSECURITYVULNS:DOC:801Denial of Service attack against computers running Microsoft NetMeeting
Diversified Software Industries, Inc.
www.dsi-inc.net/dsi
Security Advisory
October 16, 2000
Denial of Service attack against computers running Microsoft NetMeeting
- Description
- Steps to reproduce (exploit)
- Vendor status and solution
- Disclaimer
- Credits
- About DSI
- Description
NetMeeting is a free software product from Microsoft which allows realtime
audio/video conferencing among peer computers. NetMeeting also contains a
component known as Remote Desktop Sharing (RDS). RDS allows a technician to
take remote control of computers for troubleshooting, etc. RDS has some uses
which are similar to (but more limited than) Terminal Services, pcAnywhere,
etc.
The exploit below has been tested against the current version of NetMeeting
3.01 which ships with Windows 2000. It has been tested on Windows 95, NT 4
Workstation and Server SP5/6, and Windows 2000 Workstation and Server SP1.
It has been tested against computers with either modem or ethernet
connections.
- Steps to reproduce (exploit)
In this example, my.unix.box.com represents the attacker, and
hapless.victim.com represents the computer running NetMeeting in either
client or RDS mode.
Assuming you already have netcat installed on my.unix.box.com, enter the
following command line:
nc hapless.victim.com 1720 < /dev/zero
At this point, CPU usage on the victim machine becomes elevated, depending
on the speed of both machines, and the speed of the link between them.
Now, terminate the netcat command with ^C. At this point, CPU on the victim
machine hits 100% and stays there. If NetMeeting is running in client mode,
it can (eventually) be terminated via the Task Manager on Windows 2000 or
NT. If RDS is active, it may be necessary to use another tool (such as
HandleEx) to terminate the RDS service; Task Manager may not have access to
this process.
If you are using RDS for remote server management, you may now need to make
a road trip to the remote computer to restore functionality.
- Vendor status and solution
Microsoft has released a patch for Windows 2000. Microsoft's bulletin is
available at http://www.microsoft.com/technet/security/bulletin/MS00-077.asp
NOTE: At this time, there are some issues with the NT 4.0 patch installer.
Microsoft is working to fix these issues, and an updated installer should be
available when complete.
- Disclaimer
The information in this advisory is believed to be accurate. No warranty is
given, express or implied. Neither the author nor the publisher accepts any
liability whatsoever for any use of this information, nor do we condone the
use of this information for unethical purposes.
- Credits
We would like to acknowledge Microsoft for their efforts to fix this
problem. Also, we would like to acknowledge SecureXpert Labs for their
advisory SX-20000620-2 (see also MS00-050) which pointed out other Microsoft
services potentially vulnerable to /dev/zero attacks.
- About DSI
Diversified Software Industries, Inc. is an Iowa City/Coralville, Iowa-based
company that develops and markets software for the graphical representation
of data in vehicles. In addition, DSI markets custom software development
and project management skills to firms in the over-the-road transportation
marketplace. These custom solutions provide back office and on-vehicle
wireless messaging management, as well as dispatching and resource tracking
systems.
You can find more information about DSI at www.dsi-inc.net/dsi