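From: Suning (苏宁★军刀出鞘★), Board: Security
Subject: New NT bug, remote DoS attack
Posted at: Wuhan Baiyun Huanghe BBS (Sun Oct 17 04:37:01 1999), forwarded
ISS X-Force has discovered a DoS attack against Windows NT Server 4.0,
Terminal Server Edition. This vulnerability lets a remote user quickly
exhaust all available memory on a Windows NT Terminal Server, disconnecting
everyone logged in to the host and preventing them from logging in again.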
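-- Description
1. Windows NT Server 4.0, Terminal Server Edition listens for terminal
connections on TCP port 3389. Once a TCP connection is made to this port,
the terminal server begins allocating system resources to handle the new
client connection and to authenticate it.
2. The flaw is this: before authentication completes, the system has to
commit a considerable amount of resources to handling the new connection,
and it places no limit on the resources it allocates. A remote attacker can
therefore saturate the system's memory allocation by establishing a large
number of TCP connections to port 3389.
3. At that point all user connections to the server time out and can no
longer connect to it. The remote attacker can still sustain the attack with
a program that uses only low bandwidth, keeping the server at maximum memory
consumption so that no new connections can be established.
4. Test reports from abroad indicate that a long-running, continuous attack
against this weakness can even cause the server to crash persistently;
unless it is rebooted, the server will not allow new connections to complete.
-- Affected platforms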
Windows NT 4.0 Terminal Server Edition.
-- Fix
1. The fix is available at:
ftp://ftp.microsoft.com/bussys/winnt/winnt-public/fixes/usa/NT40tse/hotfixes-postSP4/Flood-fix/
2. For more detailed information, see the Microsoft site at:
http://www.microsoft.com/security/bulletins/ms99-028.asp.
-- Impact -------------------------------------------------------------
Users can cause a DoS attack; server functionality is  .
-- Contact TW-CERT ----------------------------------------------------
Phone : 886-7-5250211 Fax : 886-7-5250212
Email : twcert@cert.org.tw
URL : http://www.cert.org.tw/
PGP key:
======================================================================
Attachment : [ISS Security Advisory: Denial of Service Attack Against Windows NT
Terminal Server]
ISS Security Advisory
August 9, 1999
Denial of Service Attack Against Windows NT Terminal Server
Synopsis:
The ISS X-Force has discovered a denial of service attack against
Windows NT Server 4.0, Terminal Server Edition. This vulnerability
allows a remote attacker to quickly consume all available memory on a
Windows NT Terminal Server, causing a significant disruption for users
currently logged into the terminal server, and preventing any new terminal
connections from being successfully completed.
Recommended Action:
Network administrators can protect internal systems from external attack
by creating a packet filter of the form:
- Prevent all incoming packets destined for TCP port 3389
If you have a legitimate need for terminal server connections to be made
from outside your network, you should limit access to TCP port 3389 to
only the external IP addresses or networks that have a legitimate reason
to connect.
The fix for this problem is available at
ftp://ftp.microsoft.com/bussys/winnt/winnt-public/fixes/usa/NT40tse/hotfixes-postSP4/Flood-fix/
The Microsoft bulletin describing this issue is available at
http://www.microsoft.com/security/bulletins/ms99-028.asp.
Description:
Windows NT Server 4.0 Terminal Server Edition listens for terminal
connections on TCP port 3389. Once a TCP connection is made to this port,
the terminal server will utilize resources in order to handle the new
client connection and authenticate the connection. The manner this is
done, however, requires significant server resources before any
authentication takes place and without any throttling of resource
utilization.
Specifically, a remote attacker can quickly cause a server to reach full
memory utilization by creating a large number of normal TCP connections
to port 3389. Individual connections will timeout, but a low bandwidth
continuous attack will maintain a terminal server at maximum memory
utilization and prevent new connections from a legitimate source
from taking place. Legitimate new connections will fail at this point
with an error of either a connection timeout, or the terminal server has
ended the connection.
In testing, a long running attack of this type has been able to
sporadically crash the terminal server executable and permanently maintain
the machine at full memory usage without allowing any new terminal server
connections until the machine was rebooted.
Additional Information:
This vulnerability was primarily researched by David J. Meltzer of the ISS
X-Force.
________
About ISS:
ISS leads the market as the source for e-business risk management solutions,
serving as a trusted security provider to thousands of organizations
including 21 of the 25 largest U.S. commercial banks and more than 35
government agencies. With its Adaptive Security Management approach, ISS
empowers organizations to measure and manage enterprise security risks
within Intranet, extranet and electronic commerce environments. Its
award-winning SAFEsuite(r) product line of intrusion detection,
vulnerability management and decision support solutions are vital for
protection in today's world of global connectivity, enabling organizations
to proactively monitor, detect and respond to security risks. Founded in
1994, ISS is headquartered in Atlanta, GA with additional offices
throughout the U.S. and international operations in Australia/New Zealand,
Belgium, France, Germany, Japan, Latin America and the UK. For more
information, visit the ISS Web site at www.iss.net or call 800-776-2362.
Copyright (c) 1999 by Internet Security Systems, Inc. Permission is
hereby granted for the redistribution of this Alert electronically. It is
not to be edited in any way without express consent of the X-Force. If
you wish to reprint the whole or any part of this Alert in any other
medium excluding electronic medium, please e-mail xforce@iss.net
for permission.
Disclaimer
The information within this paper may change without notice. Use of this
information constitutes acceptance for use in an AS IS condition. There
are NO warranties with regard to this information. In no event shall the
author be liable for any damages whatsoever arising out of or in
connection with the use or spread of this information. Any use of this
information is at the user's own risk.
X-Force PGP Key available at: http://xforce.iss.net/sensitive.php3 as
well as on MIT's PGP key server and PGP.com's key server.
Please send suggestions, updates, and comments to: X-Force xforce@iss.net
of Internet Security Systems, Inc.
======================================================================
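This article is an original work by a member of 绿色兵团 (Green Corps); if you repost it, please keep the article intact.
--
My thoughts, vast and boundless, reach across the wide universe; in the silence I listen for the thunderclap.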
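
An added example, not part of the TW-CERT or ISS text: a detection check for the pattern the advisory describes (many TCP connections to port 3389 from one source at a low but sustained rate), combined with its recommendation to admit only known external addresses. The log format, thresholds, networks and sample lines are constructed assumptions.

```python
import ipaddress
from collections import defaultdict, deque

# All values below are assumptions for illustration, not from the advisory.
ALLOWED_NETS = [ipaddress.ip_network("192.0.2.0/28")]  # sources with a legitimate need
TS_PORT = 3389
WINDOW_SECONDS = 60
MAX_CONNS_PER_WINDOW = 20

def build_sample_log():
    """Constructed firewall log lines: '<epoch> <src_ip> <dst_port> <action>'."""
    lines = ["1300 192.0.2.5 3389 ACCEPT", "1000 192.0.2.5 3389 ACCEPT"]
    # One connection every 2 seconds: low bandwidth, but sustained.
    lines += [f"{1000 + 2 * i} 198.51.100.7 3389 ACCEPT" for i in range(50)]
    lines += ["1010 203.0.113.9 3389 ACCEPT", "1011 203.0.113.9 80 ACCEPT"]
    return lines

def parse(line):
    ts, src, port, action = line.split()
    return int(ts), ipaddress.ip_address(src), int(port), action

def is_allowed(src):
    return any(src in net for net in ALLOWED_NETS)

def analyze(lines):
    """Return (floods, unlisted): peak per-window counts of sources over the
    threshold, and sources that reached TS_PORT without being allowlisted."""
    recent = defaultdict(deque)
    floods, unlisted = {}, set()
    for ts, src, port, action in sorted(map(parse, lines), key=lambda r: r[0]):
        if port != TS_PORT or action != "ACCEPT":
            continue
        if not is_allowed(src):
            unlisted.add(str(src))
        window = recent[src]
        window.append(ts)
        while ts - window[0] >= WINDOW_SECONDS:  # drop entries older than the window
            window.popleft()
        if len(window) > MAX_CONNS_PER_WINDOW:
            floods[str(src)] = max(floods.get(str(src), 0), len(window))
    return floods, unlisted

if __name__ == "__main__":
    floods, unlisted = analyze(build_sample_log())
    for src, peak in floods.items():
        print(f"possible connection flood: {src} peak {peak} conns/{WINDOW_SECONDS}s")
    for src in sorted(unlisted):
        print(f"port {TS_PORT} reachable from non-allowlisted source: {src}")
```

A non-empty `unlisted` set means the packet filter the advisory recommends is not in place or is too permissive, independent of whether any source has crossed the rate threshold.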