Diversified Software Industries, Inc.
www.dsi-inc.net/dsi
Security Advisory
October 16, 2000
Denial of Service attack against computers running Microsoft NetMeeting
NetMeeting is a free software product from Microsoft which allows realtime
audio/video conferencing among peer computers. NetMeeting also contains a
component known as Remote Desktop Sharing (RDS). RDS allows a technician to
take remote control of computers for troubleshooting, etc. RDS has some uses
which are similar to (but more limited than) Terminal Services, pcAnywhere,
etc.
In this example, my.unix.box.com represents the attacker, and
hapless.victim.com represents the computer running NetMeeting in either
client or RDS mode.
Assuming you already have netcat installed on my.unix.box.com, enter the
following command line:
nc hapless.victim.com 1720 < /dev/zero
At this point, CPU usage on the victim machine becomes elevated, depending
on the speed of both machines, and the speed of the link between them.
Now, terminate the netcat command with ^C. At this point, CPU on the victim
machine hits 100% and stays there. If NetMeeting is running in client mode,
it can (eventually) be terminated via the Task Manager on Windows 2000 or
NT. If RDS is active, it may be necessary to use another tool (such as
HandleEx) to terminate the RDS service; Task Manager may not have access to
this process.
Microsoft has released a patch for Windows 2000. Microsoft's bulletin is
available at http://www.microsoft.com/technet/security/bulletin/MS00-077.asp
Diversified Software Industries, Inc. is an Iowa City/Coralville, Iowa-based
company that develops and markets software for the graphical representation
of data in vehicles. In addition, DSI markets custom software development
and project management skills to firms in the over-the-road transportation
marketplace. These custom solutions provide back office and on-vehicle
wireless messaging management, as well as dispatching and resource tracking
systems.
You can find more information about DSI at www.dsi-inc.net/dsi