
Analysis of the Security of Windows NT, 1 March 1999

attacker has to guess sequence numbers as well, but since a CIFS session always starts at 0 as the first sequence number, according to [45], it should not be too hard to guess.

7.5 Availability Attacks

7.5.1 NTCrash

Description. NT programs use NTOSKRNL by invoking its functions through calls to certain libraries (DLLs). In some of these calls the parameters are not checked properly; the missing checks are primarily range checks and checks on the legality of addresses. NTOSKRNL is loaded from NTOSKRNL.EXE and contains the majority of the OS components that execute in kernel mode. NTCrash is a program written by Mark Russinovich and Bryce Cogswell that exploits certain implementation flaws in NTOSKRNL: by invoking these functions with illegal, out-of-range or out-of-bounds parameters, it makes NT crash.

Intent. We will try to bring our target system to a grinding halt by invoking this program. What we want to achieve is to force a restart of the system and thereby deny service to others. On the target system this would only stop ourselves from using the system, but if the program were executed on a server or a domain server it could cause denial of service for a number of users as well as potential loss of data.

Result. We executed the program as follows:

    ntcrash -n

After a few seconds the computer crashed, so in accordance with our intentions the attack was a success.

7.5.2 Rollback

Description. Rollback is a utility that was unintentionally included on the NT 4.0 CD. It is originally an OEM Pre-installation Kit tool. The effect of using it is that the whole system, except the data files, is destroyed, and there is no recovery short of reinstalling the system and every program from scratch unless you have a backup of the system. To make things even nastier, there is no way of stopping the program once it is started, and it gives no second chance when it is invoked.

Intent. We will try to destroy our system by invoking Rollback.

Result. This attempt was unsuccessful, because we were unable to run the program as a normal user. However, we tried it as administrator and were prompted to restart the computer. After the restart we had to reinstall NT in order to get the system operational.

7.5.3 CpuHog

Description. Normally, a thread in NT has a priority value between 1 and 15, where 1 is the lowest priority. It is not normal for a program to have a high priority value (>10). Furthermore, NT has an aging mechanism, but it will only age threads up to priority 14.
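The NTCrash attack in 7.5.1 rests on one class of flaw: a kernel service that uses a caller-supplied index, length or pointer before checking it. The following user-mode model, added here as an illustration and not taken from the paper or from the NTCrash program, puts a service with the missing checks beside a hardened version, then drives both with random arguments in the way NTCrash drives NTOSKRNL. The struct kernel_t and its pool[] stand in for kernel memory, a write outside the pool or a read through an address outside user space is treated as the unhandled fault that would bugcheck a real kernel, and all function names (nt_set_info_unchecked, nt_set_info_checked, probe_for_read, fuzz_service) are hypothetical. The NTSTATUS values and the 0x7FFF0000 user-space limit (MmUserProbeAddress on a default 2 GB split) are the documented NT ones; the probe routine is modelled on, not copied from, the kernel's ProbeForRead.

```c
/* Added example (not from the paper or from NTCrash): a model of a kernel service
 * with and without parameter checks. pool[] stands in for kernel memory; a write
 * outside it, or a read via a non-user address, is treated as a bugcheck. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NSLOTS     8u
#define SLOT_SIZE  32u
#define POOL_SIZE  (NSLOTS * SLOT_SIZE)

/* Documented NTSTATUS codes. */
#define STATUS_SUCCESS               0x00000000u
#define STATUS_DATATYPE_MISALIGNMENT 0x80000002u
#define STATUS_ACCESS_VIOLATION      0xC0000005u
#define STATUS_INVALID_PARAMETER     0xC000000Du

/* Top of user space on NT's default 2 GB/2 GB split (MmUserProbeAddress). */
#define USER_PROBE_ADDRESS 0x7FFF0000u

typedef struct {
    uint8_t pool[POOL_SIZE]; /* stands in for the kernel memory the service owns */
    int bugcheck;            /* 1 once an unhandled fault would have stopped the machine */
} kernel_t;

/* Does [addr, addr+len) lie entirely in user space, without wrapping? */
static int is_user_range(uintptr_t addr, uint32_t len)
{
    return addr <= USER_PROBE_ADDRESS && len <= USER_PROBE_ADDRESS - addr;
}

/* Flawed service (hypothetical): no range check on slot/len, no legality check on
 * src. A real kernel would memcpy() straight away; because this demo cannot touch
 * arbitrary addresses, the two fatal outcomes are modelled explicitly: a pool
 * overrun, or a read through an address that is not user-space (taken here as an
 * unmapped kernel page). Either one is KeBugCheck in the model. */
uint32_t nt_set_info_unchecked(kernel_t *k, uint32_t slot, uintptr_t src, uint32_t len)
{
    uint64_t end = (uint64_t)slot * SLOT_SIZE + len;   /* 64-bit so the model itself cannot wrap */
    if (end > POOL_SIZE || !is_user_range(src, len)) {
        k->bugcheck = 1;
        return STATUS_SUCCESS;    /* in reality the call never returns */
    }
    /* The copied bytes are immaterial here; mark the slot as written. */
    memset(k->pool + (size_t)slot * SLOT_SIZE, 0xAA, len);
    return STATUS_SUCCESS;
}

/* Modelled on the kernel's ProbeForRead(): reject misaligned pointers and any
 * range that reaches the user/kernel boundary or wraps around. */
uint32_t probe_for_read(uintptr_t addr, uint32_t len, uint32_t align)
{
    if (len == 0) return STATUS_SUCCESS;
    if (addr & (uintptr_t)(align - 1)) return STATUS_DATATYPE_MISALIGNMENT;
    if (!is_user_range(addr, len)) return STATUS_ACCESS_VIOLATION;
    return STATUS_SUCCESS;
}

/* Hardened service (hypothetical): range checks plus pointer probe, so bad input
 * comes back to the caller as an NTSTATUS instead of taking the machine down. */
uint32_t nt_set_info_checked(kernel_t *k, uint32_t slot, uintptr_t src, uint32_t len)
{
    uint32_t st;
    if (slot >= NSLOTS || len > SLOT_SIZE) return STATUS_INVALID_PARAMETER;
    st = probe_for_read(src, len, sizeof(uint32_t));
    if (st != STATUS_SUCCESS) return st;
    return nt_set_info_unchecked(k, slot, src, len); /* safe: every argument validated */
}

/* NTCrash-style driver: call the service with wild arguments from a fixed-seed LCG
 * and return how many of the calls would have bugchecked. */
unsigned fuzz_service(int hardened, unsigned iterations, uint32_t seed)
{
    kernel_t k = {{0}, 0};
    unsigned crashes = 0;
    for (unsigned i = 0; i < iterations; i++) {
        seed = seed * 1664525u + 1013904223u;  uint32_t  slot = seed >> 28;    /* 0..15: half out of range */
        seed = seed * 1664525u + 1013904223u;  uintptr_t src  = seed;          /* anywhere in 4 GB */
        seed = seed * 1664525u + 1013904223u;  uint32_t  len  = seed & 0xFFFu; /* 0..4095: mostly too long */
        k.bugcheck = 0;
        if (hardened) nt_set_info_checked(&k, slot, src, len);
        else          nt_set_info_unchecked(&k, slot, src, len);
        crashes += (unsigned)k.bugcheck;
    }
    return crashes;
}

int main(void)
{
    printf("unchecked service: %u of 1000 calls bugcheck\n", fuzz_service(0, 1000, 1999));
    printf("checked service:   %u of 1000 calls bugcheck\n", fuzz_service(1, 1000, 1999));
    return 0;
}
```

The point of the driver is the asymmetry it exposes: the same stream of arguments that brings down the unchecked service never reaches the copy in the hardened one, because index, length and pointer are each validated before they are used, which is exactly the "range checks and legality of addresses" the paper says NTOSKRNL was missing in the calls NTCrash exercises.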