Georgi Guninski security advisory #37, 2001
Windows client UDP exhaustion denial of service
Systems affected:
Windows 2000 Prof, Windows 98 probably other Windowses
Risk: Low
Date: 6 February 2001
Legal Notice:
This Advisory is Copyright (c) 2001 Georgi Guninski. You may distribute
it unmodified.
You may not modify it and distribute it or distribute parts of it without
the author's
written permission.
Disclaimer:
The opinions expressed in this advisory and program are my own and
not of any company.
The usual standard disclaimer applies, especially the fact that Georgi
Guninski
is not liable for any damages caused by direct or indirect use
of the information
or functionality provided by this advisory or program.
Georgi Guninski bears no responsibility for content or misuse of this
advisory or program or
any derivatives thereof.
Description:
It is possible a web page or email message to consume all the usable
client UDP sockets on the
computer running Windows. This leads to stopping client DNS resolution
on Windows 2000 professional
and stopping all new TCP connections on Windows 98. After closing the
malicous application normal
function of the system is restored though several machines spontaneously
rebooted.
It is interesting to note that Linux is not affected to this vulnerability
as far as I tested.
Details:
This exploit uses java. The idea is quite simple - create as much UDP
sockets (java.net.DatagramSocket)
as possible. Other processes are prevented from creating new UDP sockets.
The java code is:
---------------------------------------------------------------------------
for(i=0;i<m;i++)
{
try { DatagramSocket d = new DatagramSocket();v.addElement(d);}
catch (Exception e) {System.out.println("Exhausted, i="+i);}
}
---------------------------------------------------------------------------
Demonstration:
http://www.guninski.com/winudpdos.html
Vendor status:
Microsoft was informed on 2 February 2001 |