ESB-98.005 -- Microsoft Security Advisory -- STOP 0x0000000A Due to Modified Teardrop Attack

Date: 13 January 1998

-----BEGIN PGP SIGNED MESSAGE-----


===========================================================================
             AUSCERT External Security Bulletin Redistribution
                                      
                                      
                 ESB-98.005 -- Microsoft Security Advisory
              STOP 0x0000000A Due to Modified Teardrop Attack
                              13 January 1998

===========================================================================

Microsoft has released the following advisory concerning a vulnerability
in the way Windows NT reassembles fragmented IP packets carrying UDP
datagrams.  This vulnerability may allow remote users to cause Windows NT
to stop responding (a denial of service).

The following security bulletin is provided as a service to AUSCERT's
members.  As AUSCERT did not write this document, AUSCERT has had no
control over its content.  As such, the decision to use any or all of this
information is the responsibility of each user or organisation, and should
be done so in accordance with site policies and procedures.

NOTE: This is only the original release of the security bulletin.  It will
not be updated when the original bulletin is.  If downloading at a later
date, it is recommended that the bulletin is retrieved from the original
authors to ensure that the information is still current.

Contact information for Microsoft is included in the Security Bulletin
below.  If you have any questions or need further information, please
contact them directly. 

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/Information/advisories.html

If you believe that your system has been compromised, contact AUSCERT or your
representative in FIRST (Forum of Incident Response and Security Teams).

Internet Email: auscert@auscert.org.au
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AUSCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for emergencies.
Facsimile:      (07) 3365 7031


- - --------------------------BEGIN INCLUDED TEXT--------------------

DOCUMENT:Q179129
TITLE   :STOP 0x0000000A Due to Modified Teardrop Attack
PRODUCT :Microsoft Windows NT
PROD/VER:4.00
OPER/SYS:WINDOWS
KEYWORDS:kbbug4.00 kbfix4.00 kbfile NTSrvWkst nttcp kbenv

- - --------------------------------------------------------------------------
The information in this article applies to:

 - Microsoft Windows NT Workstation version 4.0
 - Microsoft Windows NT Server version 4.0
 - Microsoft Windows NT Server Enterprise Edition version 4.0
- - --------------------------------------------------------------------------

SYMPTOMS
========

Windows NT may stop responding (hang) with a STOP 0x0000000A message after
receiving a number of deliberately corrupted UDP packets.

CAUSE
=====

This behavior occurs due to a variation of the "teardrop" attack. Windows
NT 4.0 with Service Pack 3 and the ICMP-fix is not susceptible to the
original form of the teardrop attack. For more information on the ICMP-fix,
please see the following article in the Microsoft Knowledge Base:

   ARTICLE-ID: Q154174
   TITLE     : Invalid ICMP Datagram Fragments Hang Windows NT, Windows 95

The modified teardrop attack works by sending pairs of deliberately
constructed IP fragments which are reassembled into an invalid UDP
datagram. Overlapping offsets cause the second packet to overwrite data in
the middle of the UDP header contained in the first packet in such a way
that the datagrams are left incomplete.

As Windows NT receives these invalid datagrams, it allocates kernel memory.
If enough of these invalid datagrams are received Windows NT may hang with
a STOP 0x0000000A.
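The following Python is an added, constructed example and is not part of
the Microsoft article or of AusCERT's bulletin.  It models the condition the
CAUSE section describes: pairs of fragments whose offsets overlap and which
never complete a datagram, so a stack that accepts every fragment keeps
allocating memory for them.  Addresses, ports, the fragment offsets (8 inside
a 24-byte first fragment) and the MAX_PENDING cap are assumed values for
illustration; the article does not give the offsets used against Windows NT,
and no claim is made that Windows NT reassembled fragments this way.  The
StrictReassembler shows the two checks a fragment reassembler wants here:
refuse overlapping fragments and bound the memory held for incomplete
datagrams.

```python
# Constructed model of overlapping-fragment reassembly; all values assumed.
import struct

IP_MF = 0x2000        # "more fragments" bit in the IPv4 flags/offset field
IPPROTO_UDP = 17


def ip_checksum(data: bytes) -> int:
    """One's-complement checksum over an IPv4 header (0 for a valid header)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def ip_fragment(ident: int, offset: int, payload: bytes, more: bool) -> bytes:
    """Minimal 20-byte IPv4 header (proto UDP) plus payload.  The byte offset
    must be a multiple of 8 because the wire field counts 8-byte units."""
    if offset % 8:
        raise ValueError("fragment offset must be a multiple of 8")
    flags_off = (IP_MF if more else 0) | (offset // 8)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident,
                      flags_off, 64, IPPROTO_UDP, 0,
                      bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))  # assumed addrs
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:] + payload


def parse_fragment(pkt: bytes):
    """Return (ident, byte offset, more-fragments flag, transport payload)."""
    ihl = (pkt[0] & 0x0F) * 4
    total_len, ident, flags_off = struct.unpack("!HHH", pkt[2:8])
    return ident, (flags_off & 0x1FFF) * 8, bool(flags_off & IP_MF), pkt[ihl:total_len]


class Reassembler:
    """Accepts every fragment, lets a later fragment overwrite bytes already
    buffered, and holds incomplete datagrams indefinitely: the behaviour the
    bulletin attributes to the unpatched stack."""

    def __init__(self):
        self.pending = {}  # ident -> [buffer, coverage map, total length or None]

    def pending_bytes(self) -> int:
        return sum(len(entry[0]) for entry in self.pending.values())

    def feed(self, pkt: bytes):
        ident, offset, more, data = parse_fragment(pkt)
        end = offset + len(data)
        entry = self.pending.setdefault(ident, [bytearray(), bytearray(), None])
        buf, covered, _ = entry
        if len(buf) < end:
            grow = end - len(buf)               # every new byte is an allocation
            buf.extend(bytes(grow))
            covered.extend(bytes(grow))
        buf[offset:end] = data                  # an overlap silently overwrites
        covered[offset:end] = b"\x01" * len(data)
        if not more:
            entry[2] = end                      # the final fragment fixes the length
        total = entry[2]
        if total is not None and all(covered[:total]):
            del self.pending[ident]
            return bytes(buf[:total])
        return None                             # still incomplete, memory stays held


class StrictReassembler(Reassembler):
    """Same reassembly, but a fragment overlapping bytes already received
    discards the whole datagram, and memory held for incomplete datagrams
    is capped by evicting the oldest entries."""
    MAX_PENDING = 4096      # assumed cap for the demonstration

    def __init__(self):
        super().__init__()
        self.rejected = 0

    def feed(self, pkt: bytes):
        ident, offset, more, data = parse_fragment(pkt)
        entry = self.pending.get(ident)
        if entry is not None and any(entry[1][offset:offset + len(data)]):
            self.rejected += 1
            del self.pending[ident]             # overlap: drop the suspect datagram
            return None
        result = super().feed(pkt)
        while self.pending_bytes() > self.MAX_PENDING:
            del self.pending[next(iter(self.pending))]   # dicts keep insertion order
        return result


def teardrop_pair(ident: int):
    """Two fragments of the shape described above: the second claims an offset
    inside the first and neither is final, so the datagram never completes.
    Offsets are illustrative, not the values used in the wild."""
    udp_hdr = struct.pack("!HHHH", 1234, 5678, 8 + 16, 0)      # assumed ports
    return (ip_fragment(ident, 0, udp_hdr + b"A" * 16, more=True),
            ip_fragment(ident, 8, b"B" * 8, more=True))


def legit_datagram(ident: int, payload: bytes):
    """A well-formed UDP datagram split into two non-overlapping fragments."""
    udp = struct.pack("!HHHH", 1234, 5678, 8 + len(payload), 0) + payload
    return [ip_fragment(ident, 0, udp[:16], True),
            ip_fragment(ident, 16, udp[16:], False)]


def run_attack(reassembler: Reassembler, pairs: int) -> int:
    """Feed `pairs` fragment pairs with distinct IDs; return bytes still held."""
    for ident in range(1, pairs + 1):
        for frag in teardrop_pair(ident):
            reassembler.feed(frag)
    return reassembler.pending_bytes()


if __name__ == "__main__":
    strict = StrictReassembler()
    print("naive stack holds", run_attack(Reassembler(), 1000), "bytes")
    print("strict stack holds", run_attack(strict, 1000), "bytes;",
          strict.rejected, "datagrams rejected")
```

With 1000 pairs the naive reassembler is left holding 24,000 bytes that
nothing will ever free, and the number grows with every pair sent; the strict
one rejects each second fragment, discards the datagram, and holds nothing.
Both reassemble a well-formed two-fragment datagram identically, which is the
property the overlap check must preserve.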

RESOLUTION
==========

To resolve this problem, obtain the following fix or wait for the next
Windows NT service pack.

This fix should have the following time stamp:

   01/09/98  08:16a               143,664 Tcpip.sys   (Intel)
   01/09/98  08:13a               263,536 Tcpip.sys   (Alpha)

This hotfix has been posted to the following Internet location:

   ftp://ftp.microsoft.com/bussys/winnt/winnt-public/fixes/usa/NT40/hotfixes-postSP3/teardrop2-fix/

NOTE: This fix supersedes the ICMP-fix, the OOB-fix, and the Land-fix
hotfixes.

STATUS
======

Microsoft has confirmed this to be a problem in Windows NT version 4.0.
A supported fix is now available, but has not been fully regression-tested
and should be applied only to systems experiencing this specific problem.
Unless you are severely impacted by this specific problem, Microsoft
recommends that you wait for the next Service Pack that contains this fix.
Contact Microsoft Technical Support for more information.

============================================================================

THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS
PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND.  MICROSOFT DISCLAIMS
ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES
OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.  IN NO
EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR
ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL,
CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF
MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE
POSSIBILITY OF SUCH DAMAGES.  SOME STATES DO NOT ALLOW THE EXCLUSION
OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES
SO THE FOREGOING LIMITATION MAY NOT APPLY.

- - --------------------------END INCLUDED TEXT--------------------


-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: noconv
Comment: ftp://ftp.auscert.org.au/pub/auscert/AUSCERT_PGP.key

iQCVAwUBNMXnxyh9+71yA2DNAQFh3QP/fFDLM0Q37dbzNw/+71MCGv8wsVXJVFlA
XQhOK3fg1K1KVbxmoO1E0A+KCJ2dDtErDFszadCE8FbmMDPsOWW3WU4gYPRpxgZ0
szyEG6PZV058m/QA8JuXN+xTaH4RYSbmSIU04hRDAfzR3gnhFjLWNaOZnDmvRMxt
nUXVB6cDwww=
=EOkN
-----END PGP SIGNATURE-----