Reporter Packet Storm
`Date: Fri, 2 Oct 1998 01:04:20 -0500
From: Simple Nomad <thegnome@NMRC.ORG>
Subject: NMRC Advisory - Lame NT Token Ring DoS
Nomad Mobile Research Centre
A D V I S O R Y
Simple Nomad [email@example.com]
Platform : Windows NT
Application : TCP/IP
Severity : Medium
On Token Ring networks a packet with bad data in the RIF fields will cause
all Windows NT workstations and servers on the ring to crash with a blue
screen of death.
The default settings were tested with the following configuration :
Microsoft Windows NT Server and Workstation v4.0
Service Pack 3
Most SP3 Hot Fixes
When a Token Ring frame passes through a bridge, the bridge will update
the Routing Information Field (RIF) with its ID number, among other little
bits of information (including info that limits the size of the data
field). This information is used to help route traffic back and forth
between rings connected by bridges.
On Token Ring if you have a hop count greater than 7 defined in the RIF
fields this will cause Windows NT's TCP/IP stack to "blue screen", forcing
the user to reboot. Also if there are duplicate Token Ring IDs listed in
the hops this will also "blue screen" NT. The bad news is that the packet
does not have to be addressed to the NT target to blue screen it. It will
blue screen every NT workstation or server on the ring. The good news is
that properly configured and functioning network equipment will not pass
this type of illegal packet across a hop to a different ring, so the
Denial of Service will be limited to one ring.
It is possible that some routers will allow RIF fields to have more than 7
hops, but unless they have been configured to handle this it will not pass
the packet across a hop as it is considered a bad frame. It should be
noted that in all related RFCs it is clearly stated that >7 is a no-no and
should not be done.
Malfunctioning network equipment could cause this to happen, as this is
how the information was originally discovered.
There was no related/discovered Netbios flaws, in particular if
encapsulation was being used to cross WAN links.
Move to Ethernet, or contact Microsoft for the RIF Hot Fix, which was not
posted last time I looked. I'll assume the latter would be easier.
This is rather lame, but since I personally know of 2 Token Ring sites
that this affected in my town alone, I thought I might pass it on.
When Microsoft was contacted 4 weeks ago they reported that more than one
corporate customer had reported the problem, and they had a hot fix they
were testing. Most sites are on Ethernet, and most elite sploit code talks
Ethernet frames anyway, so my guess is you'll have to ask for it. On a
personal note, it is a lot of fun to watch a row of NT machines all die
one after another, making for a very visual test of packet speed.
Thanks to Mike for letting me know about this, and thanks to a small
unnamed Dallas accounting firm that graciously let me test this on their
networks after hours. They were convinced they were under outside attack,
but a malfunctioning bridge was the culprit.