Type packetstorm
Reporter Packet Storm
Modified 1999-08-17T00:00:00


                                            `Date: Fri, 2 Oct 1998 01:04:20 -0500  
From: Simple Nomad <thegnome@NMRC.ORG>  
Subject: NMRC Advisory - Lame NT Token Ring DoS  
Nomad Mobile Research Centre  
A D V I S O R Y  
Simple Nomad [thegnome@nmrc.org]  
Platform : Windows NT  
Application : TCP/IP  
Severity : Medium  
On Token Ring networks a packet with bad data in the RIF fields will cause  
all Windows NT workstations and servers on the ring to crash with a blue  
screen of death.  
Tested configuration  
The default settings were tested with the following configuration :  
Microsoft Windows NT Server and Workstation v4.0  
Service Pack 3  
Most SP3 Hot Fixes  
Bug(s) report  
When a Token Ring frame passes through a bridge, the bridge will update  
the Routing Information Field (RIF) with its ID number, among other little  
bits of information (including info that limits the size of the data  
field). This information is used to help route traffic back and forth  
between rings connected by bridges.  
On Token Ring if you have a hop count greater than 7 defined in the RIF  
fields this will cause Windows NT's TCP/IP stack to "blue screen", forcing  
the user to reboot. Also if there are duplicate Token Ring IDs listed in  
the hops this will also "blue screen" NT. The bad news is that the packet  
does not have to be addressed to the NT target to blue screen it. It will  
blue screen every NT workstation or server on the ring. The good news is  
that properly configured and functioning network equipment will not pass  
this type of illegal packet across a hop to a different ring, so the  
Denial of Service will be limited to one ring.  
It is possible that some routers will allow RIF fields to have more than 7  
hops, but unless they have been configured to handle this it will not pass  
the packet across a hop as it is considered a bad frame. It should be  
noted that in all related RFCs it is clearly stated that >7 is a no-no and  
should not be done.  
Malfunctioning network equipment could cause this to happen, as this is  
how the information was originally discovered.  
There was no related/discovered Netbios flaws, in particular if  
encapsulation was being used to cross WAN links.  
Move to Ethernet, or contact Microsoft for the RIF Hot Fix, which was not  
posted last time I looked. I'll assume the latter would be easier.  
This is rather lame, but since I personally know of 2 Token Ring sites  
that this affected in my town alone, I thought I might pass it on.  
When Microsoft was contacted 4 weeks ago they reported that more than one  
corporate customer had reported the problem, and they had a hot fix they  
were testing. Most sites are on Ethernet, and most elite sploit code talks  
Ethernet frames anyway, so my guess is you'll have to ask for it. On a  
personal note, it is a lot of fun to watch a row of NT machines all die  
one after another, making for a very visual test of packet speed.  
Thanks to Mike for letting me know about this, and thanks to a small  
unnamed Dallas accounting firm that graciously let me test this on their  
networks after hours. They were convinced they were under outside attack,  
but a malfunctioning bridge was the culprit.