Analysis of the Security of Windows NT, 1 March 1999, page 54

CpuHog is a small program written by Mark Russinovich which uses the priority mechanism of NT to hang the system. CpuHog sets priority 15 on itself and then enters an infinite WHILE loop. This causes NT to hang so that it is impossible to start any other program, including the Task Manager. The strange thing here is that you need no special privileges to be able to do this. In NT 4.0 Service Pack 2 and later, Microsoft has addressed this problem by allowing aging up to priority level 15, which means that CpuHog will only slow down the system considerably. However, a user program can still set priority without special privileges.

Intent. The intention with this attempt is the same as with NTCrash (see above), i.e. the availability of the system will probably drop to zero.

Result. We executed the program as follows:

    cpuhog

After confirming the initial question, the computer was unable to service any user. Therefore, the attack was successful.

7.5.4  Teardrop

Description. Teardrop is an attack or program that uses missing checks in the fragmentation handling of the IP stack. The whole idea is to send two IP packets: one that is normal but has the MF flag set, and another that has a fragmentation offset that is inside the first packet, but a total size that makes this fragment smaller than the first packet, i.e. the second packet is only a small piece of the data in the first packet. However, this time the MF flag is not set, so the system will treat the second packet as the last in the fragmentation run. When the system tries to align these packets it will end up with an offset that is larger than the end mark and therefore read too much data, and by doing this crash the system. Microsoft has offered a fix to this attack.

Intent. We will try to remotely crash the target machine by using the teardrop program written by “klepto” with the remote machine's IP address. Since the program gives the user the ability to set both sending and receiving address we could remain totally anonymous. The attack will be tested both with and without the hot fix.

Result. We executed the program on a LINUX machine as follows (IP addresses changed for security reasons):

    teardrop 10.0.0.1 10.0.0.2 -t 138 -n 10

Where the target system has IP address 10.0.0.2, -t is the port number and -n specifies the number of consecutive attacks. Without the hotfix the target machine froze and had to be rebooted. The hotfix offered by Microsoft seems to work.

7.5.5  Teardrop2 (bonk and boink)

Description. This attack has been called a number of things: Teardrop2 due to the fact that it is a variation of the teardrop code, bonk or boink which is the name of the programs, written by Jiva DeVoe, that utilize this bug. The attack is similar to the Teardrop attack. Two IP packets are sent; one normal but with the MF bit set and, one
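The alignment arithmetic from the Teardrop description in 7.5.4, as an added C example (not code from the report or from any real IP stack); the `struct frag` layout, the function names and the sample offsets are constructed for illustration. It shows the copy length going negative when the second fragment lies inside the first, and the bounds check that drops such a fragment instead of copying.

```c
#include <stddef.h>
#include <stdio.h>

/* Hypothetical, simplified fragment descriptor (not a real stack's struct). */
struct frag {
    long offset; /* byte offset of this fragment's data in the datagram */
    long len;    /* bytes of data carried */
    int mf;      /* More Fragments flag */
};

/* Constructed samples: a first fragment, one lying inside it, a normal successor. */
static const struct frag FIRST  = { 0, 36, 1 };
static const struct frag INSIDE = { 24, 4, 0 };
static const struct frag NEXT   = { 36, 20, 0 };

/* Alignment without the check: skip bytes already held from prev, then
 * return end - offset. Negative when cur ends before prev does. */
long naive_copy_len(const struct frag *prev, const struct frag *cur)
{
    long prev_end = prev->offset + prev->len;
    long offset = cur->offset;
    long end = cur->offset + cur->len;

    if (offset < prev_end)
        offset = prev_end;      /* offset can now exceed the end mark */
    return end - offset;
}

/* With the check: returns 0 and sets *copy_len when there is new data to
 * copy, -1 when the fragment must be dropped. */
int checked_copy_len(const struct frag *prev, const struct frag *cur, size_t *copy_len)
{
    long n;

    if (cur->offset < 0 || cur->len <= 0)
        return -1;
    n = naive_copy_len(prev, cur);
    if (n <= 0)
        return -1;              /* offset >= end: nothing valid to copy */
    *copy_len = (size_t)n;
    return 0;
}

int main(void)
{
    size_t n = 0;
    long bad = naive_copy_len(&FIRST, &INSIDE);
    printf("unchecked length %ld, as size_t %zu\n", bad, (size_t)bad);
    printf("checked result %d\n", checked_copy_len(&FIRST, &INSIDE, &n));
    return 0;
}
```

Passing the unchecked result to a copy routine that takes an unsigned length is what turns the small negative value into an oversized read.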