MSTask.exe is an application that is shipped with Windows NT/2000 and provides services for task scheduling. A strange behavior was discovered in the MSTask.exe code that, if exploited, could allow an attacker to slow down a vulnerable Windows NT machine and possibly freeze it completely.
Credit:
The information has been provided by Ilia Sprite.
Vulnerable systems:
Microsoft Windows NT 4.0 Workstation
MSTask.exe usually listens on TCP 1026 (or some high port). By connecting to this port, it is possible to cause a large amount of memory to be consumed. The attack is performed by connecting to MSTask and sending random characters. Following this attack, the machine will slow down and possibly completely freeze. The only solution appears to be a reboot.
MSTask.exe, however, only permits connections from localhost (127.0.0.1), so on most systems such an attack would have to originate from someone at the console (or connected via Terminal Server).
However, if WinGate or WinProxy is installed on the system, the system becomes vulnerable to remote attackers, because they can connect to the system's TCP port 1026 via WinGate or WinProxy, and the connection will be accepted.
To reproduce the problem, use Windows NT 4.0 Workstation. Do the following:
1. Start telnet.exe
2. Menu->Connect->Remote System=127.0.0.1, Port=1026
3. Press 'Connect' button
4. Once it connects, type some random characters and press Enter.
5. Close telnet.exe.
Task Manager now shows CPU usage near 100% because of MSTask.exe.
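The WinGate/WinProxy exposure described above exists because the proxy connects from the machine itself, so a loopback-only service sees a local client. The following is an added example, not part of the original advisory and not code from either proxy product: a destination check a relay could apply before connecting. The names `relay_allowed`, `destination_addresses` and `LOOKUP` are hypothetical, the lookup table is constructed sample data, and blocking the host's own addresses as well as loopback is an assumption made here for safety.

```python
import ipaddress
import socket

# Constructed sample name table so the example runs offline.
_TABLE = {"localhost": ["127.0.0.1"],
          "files.example": ["192.0.2.10"],
          "rebind.example": ["192.0.2.10", "127.0.0.1"]}
LOOKUP = lambda host: _TABLE.get(host, [])


def destination_addresses(host, lookup=None):
    """Every address a requested destination maps to (IP literal or name)."""
    try:
        # inet_aton also accepts legacy spellings: "127.1", "2130706433"
        return [ipaddress.ip_address(socket.inet_aton(host))]
    except (OSError, ValueError):
        pass
    try:
        return [ipaddress.ip_address(host.strip("[]"))]  # IPv6 literal
    except ValueError:
        pass
    try:
        names = lookup(host) if lookup else [
            info[4][0] for info in socket.getaddrinfo(host, None)]
        return [ipaddress.ip_address(n) for n in names]
    except (OSError, ValueError):
        return []  # unresolvable: the caller fails closed


def relay_allowed(host, own_addrs=(), lookup=None):
    """False if any address behind `host` is loopback, unspecified,
    or one of the proxy machine's own addresses."""
    own = {ipaddress.ip_address(a) for a in own_addrs}
    addrs = destination_addresses(host, lookup)
    if not addrs:
        return False
    for addr in addrs:
        # Unwrap IPv4-mapped IPv6 such as ::ffff:127.0.0.1
        addr = getattr(addr, "ipv4_mapped", None) or addr
        if addr.is_loopback or addr.is_unspecified or addr in own:
            return False
    return True
```

A relay using such a check should connect to the address it vetted rather than resolving the name a second time, otherwise the answer can change between the check and the connection.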