Analysis of the Security of Windows NT
1 March 1999
attacker has to guess sequence numbers as well, but since, according to [45], a CIFS
session always starts with sequence number 0, they should not be too hard to guess.
7.5 Availability Attacks
7.5.1 NTCrash
Description. NT programs use NTOSKRNL by invoking functions through calls to certain
libraries (DLLs). In some of these calls the parameters are not checked properly; the
missing checks are primarily range checks and checks of the legality of addresses.
NTOSKRNL, loaded from NTOSKRNL.EXE, contains the majority of the OS components that
execute in kernel mode. NTCrash is a program written by Mark Russinovich and Bryce
Cogswell that exploits these implementation flaws: by invoking the affected functions
with illegal or out-of-range parameters, it makes NT crash.
Intent. We will try to bring our target system to a grinding halt by invoking this
program. What we want to achieve is to force a restart of the system and thereby deny
service to others. On the target system this would only stop ourselves from using the
system, but if it were executed on a server or a domain server this program could cause
denial of service for a number of users as well as potential loss of data.
Result. We executed the program as follows:
ntcrash -n
After a few seconds the computer crashed, so the attack succeeded in accordance with
our intentions.
7.5.2 Rollback
Description. Rollback is a utility that was unintentionally shipped on the NT 4.0 CD.
It is originally an OEM Pre-installation Kit tool. The effect of running it is that the
whole system, except the data files, is destroyed, and there is no recovery short of
reinstalling the system and every program from scratch unless you have a backup of the
system. To make things even nastier, there is no way of stopping the program once it is
started, and it gives you no second chance when it is invoked.
Intent. We will try to destroy our system by invoking Rollback.
Result. The attempt as a normal user was unsuccessful, because we were unable to run
the program with those privileges. However, when we ran it as Administrator we were
prompted to restart the computer, and after the restart we had to reinstall NT in order
to get the system operational again.
7.5.3 CpuHog
Description. Normally, a thread in NT has a priority value between 1 and 15, where 1
is the lowest priority. It is not normal for a program to have a high priority value
(>10). Furthermore, NT has an aging mechanism, but it will only age threads up to
priority 14.