SX-20000620-2

Date: 07 Jul 2000 | Reported by: securexpert.com | Type: packetstorm | Source: packetstormsecurity.com

Multiple ports and protocols on Microsoft Windows 2000 Server are susceptible to a denial-of-service attack that raises CPU utilization to 100%.

`FSC Internet Corp. / SecureXpert Labs  
  
SecureXpert Labs Advisory [SX-20000620-2] - Multiple ports/protocols  
partial Denial of Service in Microsoft Windows 2000 Server  
  
Summary  
  
Multiple ports and protocols on Microsoft Windows 2000 Server are susceptible  
to a simple network attack which raises CPU utilization on Windows 2000  
Server to 100%.  
  
Details  
  
Multiple services on Windows 2000 Server are vulnerable to a simple attack which  
allows remote network users to drive the CPU utilization to 100% in an  
extremely short period of time, at little cost to the attacker's machine.  
  
The ports that were found vulnerable include TCP ports 7, 9, 21, 23, 7778  
and UDP ports 53, 67, 68, 135, 137, 500, 1812, 1813, 2535, 3456.  
  
While this attack does not cause an immediate lockup of the machine, it  
does cause excessive CPU resource utilization on the target machine.  
  
This can easily be reproduced from a Linux system using netcat with an input  
of /dev/zero, with a command such as "nc target.host 7 < /dev/zero" for the  
TCP variant or "nc -u target.host 53 < /dev/zero" for the UDP variant.  
  
Due to the large number of services affected, this could likely allow a  
very quick and easy distributed attack.  
  
Status  
  
Microsoft Corp. has been informed of this vulnerability, and has assigned it  
incident ID# [MSRC 291]. SecureXpert Labs staff are working with  
Microsoft to reproduce the vulnerability and prepare a fix.  
  
Credits  
  
Mike Murray, SecureXpert Labs  
Max Degtyar, SecureXpert Labs  
Richard Reiner, SecureXpert Labs  
  
About SecureXpert DIRECT  
  
SecureXpert DIRECT is an advance security advisory service provided by  
SecureXpert Labs. Subscriptions are free of charge and may be obtained  
online at http://www.securexpert.com/services.html.  
  
`
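
To check whether a host exposes any of the services listed in the advisory, the following added example (not part of the SecureXpert advisory) parses `netstat -an` output and reports listeners on the advisory's TCP and UDP ports, separating network-reachable binds from loopback-only ones. The function name `exposed_listeners` and the sample netstat text are constructed for illustration; only the port lists come from the advisory.

```python
"""Audit `netstat -an` output for listeners on the ports named in SX-20000620-2."""

# Port lists copied from the advisory's Details section.
ADVISORY_PORTS = {
    "TCP": {7, 9, 21, 23, 7778},
    "UDP": {53, 67, 68, 135, 137, 500, 1812, 1813, 2535, 3456},
}

# Constructed sample in the Windows `netstat -an` layout (not real host output).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:7              0.0.0.0:0              LISTENING
  TCP    0.0.0.0:21             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    127.0.0.1:23           0.0.0.0:0              LISTENING
  TCP    192.0.2.10:21          198.51.100.7:1045      ESTABLISHED
  UDP    0.0.0.0:53             *:*
  UDP    192.0.2.10:137         *:*
  UDP    0.0.0.0:445            *:*
"""


def exposed_listeners(netstat_text):
    """Return sorted (proto, port, local_addr, remotely_reachable) tuples."""
    findings = set()
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0] not in ADVISORY_PORTS:
            continue  # header, blank line, or another protocol
        proto, local = fields[0], fields[1]
        # TCP rows carry a state column; only LISTENING sockets accept new peers.
        # UDP rows have no state: any bound UDP socket receives datagrams.
        if proto == "TCP" and (len(fields) < 4 or fields[3] != "LISTENING"):
            continue
        addr, _, port_text = local.rpartition(":")
        if not port_text.isdigit() or int(port_text) not in ADVISORY_PORTS[proto]:
            continue
        # A loopback-only bind is not reachable by the remote users the advisory describes.
        remote = not addr.startswith("127.")
        findings.add((proto, int(port_text), addr, remote))
    return sorted(findings)


if __name__ == "__main__":
    for proto, port, addr, remote in exposed_listeners(SAMPLE_NETSTAT):
        scope = "network-reachable" if remote else "loopback only"
        print(f"{proto}/{port:<5} bound to {addr:<15} {scope}")
```

Services reported as network-reachable are candidates for disabling or for filtering at the perimeter until a vendor fix is available.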
