Analysis of the Security of Windows NT
1 March 1999
CpuHog is a small program written by Mark Russinovich which uses the priority mechanism of NT to hang the system. CpuHog sets its own priority to 15 and then enters an infinite WHILE loop. This causes NT to hang so that it is impossible to start any other program, including the Task Manager. The strange thing here is that no special privileges are needed to do this. Microsoft has, in NT 4.0 Service Pack 2 and later, addressed this problem by allowing aging up to priority level 15, which means that CpuHog will only slow down the system considerably. However, a user program can still set its priority without special privileges.
Intent. The intention of this attempt is the same as with NTCrash (see above), i.e. the availability of the system will probably drop to zero.
Result. We executed the program as follows:

    cpuhog

After confirming the initial question, the computer was unable to service any user. Therefore, the attack was successful.
7.5.4 Teardrop
Description. Teardrop is an attack, or program, that uses missing checks in the fragmentation handling of the IP stack. The whole idea is to send two IP packets: one that is normal but has the MF flag set, and another whose fragmentation offset lies inside the first packet but whose total size makes this fragment smaller than the first packet, i.e. the second packet is only a small piece of the data in the first packet. This time, however, the MF flag is not set, so the system treats the second packet as the last in the fragmentation run. When the system tries to align these packets it ends up with an offset that is larger than the end mark and therefore reads too much data, and by doing so crashes the system. Microsoft has offered a fix for this attack.
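The overlap condition described above can be recognised in a reassembler or a packet inspector before any copying takes place. The following is an added example, not code from the paper or from the teardrop program: it parses the reassembly fields of an IPv4 header and flags a fragment whose offset lies inside the previous fragment but whose end does not reach past it. The `make_packet` helper and the sample packets are constructed in memory only, for the checker's input; the 10.0.0.1/10.0.0.2 addresses are the ones used in the paper's test.

```python
import struct
from dataclasses import dataclass

@dataclass
class Fragment:
    offset: int   # payload byte offset within the original datagram
    length: int   # payload length in bytes
    mf: bool      # More Fragments flag

    @property
    def end(self) -> int:
        return self.offset + self.length

def parse_ipv4_fragment(packet: bytes) -> Fragment:
    """Pull the reassembly fields out of an IPv4 header (RFC 791 layout)."""
    ver_ihl, _tos, total_len, _ident, flags_frag = struct.unpack("!BBHHH", packet[:8])
    ihl = (ver_ihl & 0x0F) * 4                     # header length in bytes
    return Fragment(offset=(flags_frag & 0x1FFF) * 8,   # offset field is in 8-byte units
                    length=total_len - ihl,
                    mf=bool(flags_frag & 0x2000))       # MF is bit 13 of the flags/offset word

def check_fragment_run(frags) -> list:
    """Check fragments in arrival order; return a list of problems (empty if sane).
    The Teardrop case is a fragment whose offset lies inside the previous fragment
    but whose end does not reach past it: a reassembler that trims the overlap by
    advancing the offset to the previous end is left with a zero or negative length."""
    problems = []
    prev = None
    for i, f in enumerate(frags):
        if f.length <= 0:
            problems.append(f"fragment {i}: non-positive payload length {f.length}")
        if prev is not None:
            if f.offset < prev.end and f.end <= prev.end:
                problems.append(f"fragment {i}: [{f.offset},{f.end}) lies inside "
                                f"fragment {i-1} [{prev.offset},{prev.end})")
            if not prev.mf:
                problems.append(f"fragment {i}: arrives after a fragment with MF clear")
        prev = f
    return problems

def make_packet(ident: int, offset: int, mf: bool, payload: bytes) -> bytes:
    """Build a minimal IPv4 header (no options, checksum left zero) for a constructed sample."""
    flags_frag = (0x2000 if mf else 0) | (offset // 8)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident, flags_frag,
                      64, 17, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return hdr + payload

# Constructed samples: a well-formed two-fragment datagram and a pair shaped like the
# one described in the text (second fragment starts inside the first and ends before it).
NORMAL = [make_packet(1, 0, True, b"A" * 32), make_packet(1, 32, False, b"B" * 8)]
OVERLAP = [make_packet(2, 0, True, b"A" * 36), make_packet(2, 24, False, b"B" * 4)]

if __name__ == "__main__":
    for name, pkts in (("normal", NORMAL), ("overlap", OVERLAP)):
        print(name, check_fragment_run([parse_ipv4_fragment(p) for p in pkts]))
```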
Intent. We will try to remotely crash the target machine by running the teardrop program written by klepto against the remote machine's IP address. Since the program gives the user the ability to set both the sending and the receiving address, we could remain totally anonymous. The attack will be tested both with and without the hot fix.
Result. We executed the program on a LINUX machine as follows (IP addresses changed for security reasons):

    teardrop 10.0.0.1 10.0.0.2 -t 138 -n 10

Here the target system has IP address 10.0.0.2, -t is the port number and -n specifies the number of consecutive attacks. Without the hotfix the target machine froze and had to be rebooted. The hotfix offered by Microsoft seems to work.
7.5.5 Teardrop2 (bonk and boink)
Description. This attack has been called a number of things: Teardrop2, because it is a variation of the teardrop code, or bonk and boink, which are the names of the programs, written by Jiva DeVoe, that utilize this bug. The attack is similar to the Teardrop attack. Two IP packets are sent; one normal but with the MF bit set and one