SECURITY.NNOV: stream3 Windows NT/2000 DoS (Q280446)

Type securityvulns
Reporter Securityvulns
Modified 2002-01-28T00:00:00



Some of you may be interested in information about Microsoft Q280446 issue (patch included into SP2). Just to throw the light on it we've decided to publish information because Microsoft declared the deadline for official Windows NT 4.0 support.

Topic: Windows NT/2000 DoS via stream3 flood attack Authors: Dark Zorro <>, Error <> Date: 2 December 2000 (yes... it's old) Vendor Informed: 2 December 2000 Software affected: Microsoft Windows NT 4.0, Windows 2000 Risk: Low/Average Remote: Yes Exploitable: Yes SECURITY.NNOV advisories:


Stream 3 is flood attack of absolutely identical empty TCP packets with ACK and FIN flags. Dark Zoro and Error discovered unpatched Windows leaks the memory from non-paged kernel space during stream 3 attack against NetBIOS (TCP/139) port. This memory never released back after attack. Since this attack doesn't require TCP connection it may bypass purely configured packet filters. Effectivity of attack depends on amount of RAM installed in target host, routing schema and link bandwidth between source and target (xDSL/10BaseT is ideal). Results may vary from missing 2-3 Mb of non-paged memory to blue screen.

I've got few unverified reports of successful usage of stream 3 against different ports and different systems.


Microsoft was contacted on December, 2 2000. On December, 15 private fix Q280446 for Windows 2000 was released. It was made public few months later and was included into Service Pack 2.

Microsoft failed to reproduce and fix problem under Windows NT 4.0


For Windows 2000 apply SP2. Make sure you filter all traffic to privileged ports


Try stream3.c it should be more faster and compatible. stream3o.c is variant of old stream.c. It compiles and works under i386 FreeBSD.

-- /\_/\ { , . } |\ +--oQQo->{ ^ }<-----+ \ | ZARAZA U 3APA3A } +-------------o66o--+ / |/ You know my name - look up my number (The Beatles)