Microsoft NT 4.0 SynAttackProtect Denial of Service Vulnerability
BID:1987
Info
Microsoft NT 4.0 SynAttackProtect Denial of Service Vulnerability
| Bugtraq ID: | 1987 |
| Class: | Failure to Handle Exceptional Conditions |
| CVE: | |
| Remote: | Yes |
| Local: | Yes |
| Published: | Nov 22 2000 12:00AM |
| Updated: | Nov 22 2000 12:00AM |
| Credit: | Posted to Bugtraq on November 22, 2000 by NtWaK0 <[email protected]>. |
| Vulnerable: |
Microsoft Windows NT 4.0 |
| Not Vulnerable: | |
Discussion
Microsoft NT 4.0 SynAttackProtect Denial of Service Vulnerability
The article "Security Considerations for Network Attacks" (http://www.microsoft.com/TechNet/security/dosrv.asp) published by Microsoft details best practices to protect Windows NT against denial of service attacks. It includes a number of recommended registry configurations to harden the network stack. One particular suggested setting, "SynAttackProtect", has been shown to render a Windows NT 4.0 system vulnerable to a remotely exploitable denial of service attack.
In the document "Security Considerations for Network Attacks", it states that the value for REG_DWORD for the following registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
should be set to '2' rather than the default value of '0' in order to circumvent SYN attacks. However, when the value is configured as '2', Windows NT 4.0 will be vulnerable to a denial of service attack. If the CyberCop TCP Sequence Number Prediction attack (Module 13002) (or equivalent) is launched against a host with this registry setting, it may crash requiring a reboot to regain system functionality. It is not exactly known what causes this to occur.
The article "Security Considerations for Network Attacks" (http://www.microsoft.com/TechNet/security/dosrv.asp) published by Microsoft details best practices to protect Windows NT against denial of service attacks. It includes a number of recommended registry configurations to harden the network stack. One particular suggested setting, "SynAttackProtect", has been shown to render a Windows NT 4.0 system vulnerable to a remotely exploitable denial of service attack.
In the document "Security Considerations for Network Attacks", it states that the value for REG_DWORD for the following registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
should be set to '2' rather than the default value of '0' in order to circumvent SYN attacks. However, when the value is configured as '2', Windows NT 4.0 will be vulnerable to a denial of service attack. If the CyberCop TCP Sequence Number Prediction attack (Module 13002) (or equivalent) is launched against a host with this registry setting, it may crash requiring a reboot to regain system functionality. It is not exactly known what causes this to occur.
Exploit / POC
Microsoft NT 4.0 SynAttackProtect Denial of Service Vulnerability
Launch a CyberCop Scanner scan against the host using Module 13002 or implement a similar TCP Sequence Number Prediction attack.
Launch a CyberCop Scanner scan against the host using Module 13002 or implement a similar TCP Sequence Number Prediction attack.