---------- Forwarded message ----------
From: Martin Bishop (martybishop@YAHOO.COM)
To: NTSECURITY@LISTSERV.NTBUGTRAQ.COM
Date: Wed, 5 Aug 1998 05:17:41 -0700
Subject: [MINOR ALERT] Task Manager DoS

I have discovered (apologies if someone has already found that) what is IMO a minor security threat in NT "Locked workstation" state.

As we all know, a user can lock the workstation that he's locally logged on using Ctrl-Alt-Del & e.g. Enter. When the workstation is in such locked mode only the user that locked it or the administrator can unlock it by pressing Ctrl-Alt-Del and entering username/password. In the locked mode, every other functionality should be disabled for the local user and that also appears to be the case except for another hot key combination: Ctrl-Shift-Esc (that invokes the Task Manager just like in a non-locked mode). Note that the locked workstation does not show the Task Manager's window and you are also not able to interact with it but it nevertheless gets executed (you can see it when you unlock the workstation).

Well, it almost wouldn't be worth mentioning if that was all. The problem becomes much bigger when you press Ctrl-Shift-Esc and hold it for a couple of seconds (15 worked for me, but I suspect it depends on the amount of RAM your computer has). It seems that by holding these keys down you start invoking multiple copies of Task Manager (in 15 seconds I have created 250 of them) that - normally - run with priority "high". Each of them consumes some memory in range from appx. 150-480 kB but each of them also creates some CPU workload (with priority "high"!). As a final consequence, my NT 4.0 Server was completely DoS'ed for more than two hours, flashes of Task Manager windows redrawing and erasing themselves, desktop background disappearing and reappearing, CPU utilization fixed at 100%, "Virtual Memory Low" messages popping up and not even Ctrl-Alt-Del helped. After more than two hours I had to make a hard reboot (I didn't have time to wait longer).

To conclude, I think this is not a major security threat since it has to be done with physical access to the computer and it is only of (mis)use when the workstation is locked (I expect it is reproducible in non-locked mode but you can make much more damage than just a DoS once you're there). Nevertheless it should be noted that locking a workstation with any unsaved changes to critical documents (e.g. unsaved Word documents) and then leaving it in an area where physical access of untrusted people is possible, could be dangerous (remember: it takes only a couple of seconds). In such situations, you should only use the locking mechanism when no considerable loss would result from hard-rebooting the machine instead of just unlocking it. The only workaround I can think of at the moment would be to "Close all programs and log on as different user" when you leave the computer.

Testing configuration: NT Server 4.0, SP3, TearDrop fix

Note: No thorough testing was done, just three experiments yielding the same result. I hope some of you can test this on other configurations and report it to the list. Due to the low risk factor Microsoft has not been previously informed but I'm sure at least Paul Leach will receive this mail so that MS can produce a fix.

Regards,
Martin Bishop

_________________________________________________________
DO YOU YAHOO!?
Get your free @yahoo.com address at http://mail.yahoo.com
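The symptom described in the report (hundreds of `taskmgr.exe` instances at high priority, each holding roughly 150-480 kB) is easy to spot from a process snapshot once you look for it. The following is an added example written for this page, not code from the original poster or from Microsoft: a small Python detector that takes a process snapshot, groups it by image name, and flags any image that appears more often than a threshold, reporting how many of those instances run at high priority and how much working set they hold in total. The snapshot format (CSV with `image,pid,priority,ws_kb` columns), the instance threshold of 5, and the sample process list are all constructed assumptions for the example; a real deployment would feed it whatever its process-monitoring tool exports.

```python
import csv
import io
from collections import defaultdict

# Base processes for the constructed snapshot (NOT captured from a real system).
_BASELINE = [
    ("csrss.exe", 112, "High", 1200),
    ("winlogon.exe", 140, "High", 2400),
    ("explorer.exe", 202, "Normal", 5100),
    ("winword.exe", 230, "Normal", 9800),
]


def build_sample_snapshot(n_taskmgr):
    """Construct a CSV snapshot with the baseline processes plus n_taskmgr
    copies of taskmgr.exe at priority High, alternating between the 150 kB
    and 480 kB working-set figures quoted in the report (constructed data)."""
    lines = ["image,pid,priority,ws_kb"]
    for image, pid, prio, ws in _BASELINE:
        lines.append(f"{image},{pid},{prio},{ws}")
    for i in range(n_taskmgr):
        ws_kb = 150 if i % 2 == 0 else 480
        lines.append(f"taskmgr.exe,{300 + i},High,{ws_kb}")
    return "\n".join(lines) + "\n"


def parse_snapshot(text):
    """Parse the assumed CSV format into a list of process dicts.
    Image names are lower-cased so TASKMGR.EXE and taskmgr.exe group together."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        rows.append({
            "image": row["image"].strip().lower(),
            "pid": int(row["pid"]),
            "priority": row["priority"].strip(),
            "ws_kb": int(row["ws_kb"]),
        })
    return rows


def find_process_storms(rows, max_instances=5, priority_of_interest="High"):
    """Return {image: {count, high_priority, total_ws_kb}} for every image
    name that appears more than max_instances times in the snapshot.
    The threshold is an assumption; tune it to the host's normal baseline."""
    by_image = defaultdict(list)
    for proc in rows:
        by_image[proc["image"]].append(proc)

    findings = {}
    for image, procs in by_image.items():
        if len(procs) <= max_instances:
            continue
        findings[image] = {
            "count": len(procs),
            "high_priority": sum(1 for p in procs if p["priority"] == priority_of_interest),
            "total_ws_kb": sum(p["ws_kb"] for p in procs),
        }
    return findings


if __name__ == "__main__":
    snapshot = build_sample_snapshot(20)
    for image, info in find_process_storms(parse_snapshot(snapshot)).items():
        print(f"{image}: {info['count']} instances, "
              f"{info['high_priority']} at High priority, "
              f"{info['total_ws_kb']} kB working set in total")
```

Grouping by image name rather than looking for `taskmgr.exe` specifically keeps the check useful for any runaway-spawn condition, and the per-image high-priority count is what distinguishes the case in the report (every instance at High) from a benign burst of ordinary-priority worker processes.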