Protection against attacks on basic Windows NT OS functions.
As stated earlier, attacks on data availability are becoming increasingly common on the Internet.
The possibility of their successful implementation follows from the vulnerability of basic information exchange protocols on the Internet.
In addition, there are typical weaknesses in the implementation of TCP/IP protocols inherited by modern operating systems.
Let's consider attacks on the availability of basic Windows NT functions, which became widespread in 1997-1998 and forced Microsoft to develop special software add-ons.
The consequence of such attacks is the disruption of the functioning of the entire system, regardless of the application software used!
The numbers and titles of the corresponding documents in the Microsoft Knowledge Base (KB) are given in brackets.
OOB attack
It is performed on port 139 (NetBIOS).
If the service is available, a message specified by the attacker is sent to the attacked computer. In this case, the Out-of-Band transmission mode is used, that is, out of turn, with high priority.
When a packet of the specified type with the Urgent flag set is received, the system places a marker on the input data stream, waiting for the next fragment of the message.
The consequences of the attack depend on the software version, network protocol configuration, etc., and consist of either a system crash with the error STOP 0x0A in the Tcpip.sys module or a failure of network information exchange.
This attack affects Windows NT 3.51 and 4.0, as well as Windows 95. [Q143478: Stop 0A in TCPIP.SYS When Receiving Out Of Band (OOB) Data]
Protection: oob-fix add-on, depending on the Windows NT version and the installed service pack.
GetAdmin Attack
The GetAdmin utility, which was distributed on the Internet, granted regular users system administrator rights by adding their user IDs to the Administrators group. GetAdmin exploited a vulnerability in one of the low-level functions: it does not check its parameters, which allows values to be passed when calling it that disable the debugger privilege check.
This makes it possible to connect to any process running in the system and, in turn, launch a subprocess in the security context of that process.
The GetAdmin utility connected to the WinLogon process, which runs in the system security context, and, using standard functions, added the required user to the Administrators group.
As a result, an unauthorized granting of system administrator rights to a legitimate user was carried out, which led to the possibility of unauthorized access under the administrator name.
The attack is applicable to Windows NT 4.0 Workstation and Server. Windows NT 3.51 does not have this vulnerability. [Q146965: GetAdmin Utility Grants Users Administrative Rights]
Protection: getadmin-fix add-on, which depends on the Windows NT version and the installed service pack. The add-on does not allow disabling the debugger privilege check, which makes it impossible to attach to any process and run tasks on its behalf.
It should be noted that any user who has been granted «Debug Programs» rights will always be able to successfully use the GetAdmin utility to obtain administrator rights (since «Debug Programs» rights allow any user to connect to any process).
Therefore, «Debug Programs» rights should only be granted to trusted users (during system installation, these rights are granted only to members of the Administrators group).
Ssping/Jolt attack
The attack, named after the programs that implement it, consists of sending several large fragmented ICMP (ICMP_ECHO) packets in parts. Windows NT, trying to reassemble the packet, hangs, which can lead to data corruption.
The attack works similarly on early implementations of POSIX and SYSV.
Can be applied to Windows NT 4.0 Workstation and Server, Windows NT 3.51 Workstation and Server, Windows 95. [Q154174: Invalid ICMP Datagram Fragments Hang Windows NT, Win 95]
Protection: icmp-fix add-on, depending on the Windows NT version and installed service pack.
Attack on Simple TCP/IP services
An attacker sends a stream of UDP datagrams to the broadcast address of the subnet where the Windows NT computer with Simple TCP/IP services installed is located.
The source address of such packets is forged, and the destination port is specified as port 19 (chargen service). The Windows NT computer responds to each such request, causing an avalanche of UDP datagrams.
This leads to a significant increase in subnet traffic and deprives legitimate services of the ability to exchange information.
The attack is applicable to Windows NT 4.0 Workstation and Server. [Q15446: Denial of Service Attack Against WinNT Simple TCP/IP Services]
Protection: simptcp-fix add-on, depending on the version of Windows NT and the installed service pack. The add-on makes changes to TCP/IP, Windows Sockets and Simple TCP/IP, preventing the possibility of carrying out such attacks.
LAND attack
Named after a widespread implementation on the Internet.
It consists of sending TCP packets with the SYN flag (initialization of a connection), in which the source address and port are equal to the destination address and port.
As a result, a «loop» of information packets with the ACK flag set occurs: the attacked computer sends itself a large number of packets.
This results in a significant loss of computing resources, and in some cases, a crash of Windows NT.
The attack applies to Windows NT 4.0 Workstation and Server, as well as Windows 95. [Q165005: Windows NT Slows Down Due to Land Attack]
Protection: land-fix add-on, depending on the version of Windows NT and the installed service pack.
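The following Python example is added here and is not part of the original text or of any Microsoft tool. It shows how a packet filter or network monitor could recognise, from the raw IPv4 header and the first bytes of the transport header, the three traffic patterns described above: urgent (OOB) data aimed at the NetBIOS port 139, UDP sent to the subnet broadcast address for the chargen port 19, and LAND packets whose source and destination address and port coincide. The sample packets are constructed inline with the small builder helpers; the alert names, the addresses and the local broadcast address are this example's own choices.

```python
import ipaddress
import struct

TCP_SYN = 0x02
TCP_ACK = 0x10
TCP_URG = 0x20


def build_ipv4(src, dst, proto, payload):
    """Minimal IPv4 header (no options) around an L4 payload; checksum left zero,
    which is acceptable for an offline example."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                         ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return header + payload


def build_tcp(sport, dport, flags):
    """20-byte TCP header: ports, seq, ack, data offset 5, flags, window, checksum, urgent ptr."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)


def build_udp(sport, dport, data=b""):
    """8-byte UDP header followed by optional data."""
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data


def parse_ipv4(packet):
    """Return (protocol, src, dst, l4_bytes); honours the IHL field so options are skipped."""
    ihl = (packet[0] & 0x0F) * 4
    proto = packet[9]
    src = str(ipaddress.IPv4Address(packet[12:16]))
    dst = str(ipaddress.IPv4Address(packet[16:20]))
    return proto, src, dst, packet[ihl:]


def triage(packet, local_broadcast):
    """Return the list of alert names raised by one IPv4 packet."""
    alerts = []
    proto, src, dst, l4 = parse_ipv4(packet)
    if proto == 6 and len(l4) >= 20:                 # TCP
        sport, dport = struct.unpack("!HH", l4[:4])
        flags = l4[13]
        if flags & TCP_SYN and src == dst and sport == dport:
            alerts.append("LAND")                     # packet addressed to itself
        if flags & TCP_URG and dport == 139:
            alerts.append("OOB-TO-NETBIOS")           # urgent data aimed at port 139
    elif proto == 17 and len(l4) >= 8:               # UDP
        _, dport = struct.unpack("!HH", l4[:4])
        if dport == 19 and dst == local_broadcast:
            alerts.append("CHARGEN-BROADCAST")        # chargen request to the whole subnet
    return alerts


# Constructed sample traffic (not captured from a real network).
SAMPLES = {
    "land": build_ipv4("10.0.0.5", "10.0.0.5", 6, build_tcp(80, 80, TCP_SYN)),
    "oob": build_ipv4("10.0.0.9", "10.0.0.5", 6, build_tcp(40000, 139, TCP_ACK | TCP_URG)),
    "chargen": build_ipv4("198.51.100.7", "10.0.0.255", 17, build_udp(19, 19)),
    "benign": build_ipv4("10.0.0.9", "10.0.0.5", 6, build_tcp(40000, 80, TCP_SYN)),
}


def triage_samples(local_broadcast="10.0.0.255"):
    """Run the triage over every constructed sample and map name -> alerts."""
    return {name: triage(pkt, local_broadcast) for name, pkt in SAMPLES.items()}


if __name__ == "__main__":
    for name, alerts in triage_samples().items():
        print(f"{name:8s} -> {alerts or ['no alert']}")
```

The checks are deliberately stateless so that they can sit in front of the host (on a router or firewall) rather than inside the affected TCP/IP stack; the broadcast address has to be supplied because it depends on the protected subnet.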
TEARDROP attack
Named after a popular implementation on the Internet. It consists of sending specially created pairs of fragmented IP packets, which upon receipt are assembled into an incorrect UDP datagram.
Overlapping offsets cause the data in the middle of the UDP datagram header contained in the first packet to be overwritten by the second packet.
The result is an unfinished datagram placed in the Windows NT kernel memory area. Receiving and processing a large number of such pairs of packets leads to an abnormal termination of Windows NT with the message STOP 0x0A.
Applies to Windows NT 4.0 Workstation and Server. [Q179129: STOP 0x0A Due to Modified Teardrop Attack]
Protection: teardrop2-fix add-on, depending on the Windows NT version and the installed service pack.
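As an added example that is not part of the original text, the following Python check models what a fragment-reassembly guard must reject for the two fragment-based attacks described above (Ssping/Jolt and TEARDROP): fragments that would extend the datagram past the 65535-byte IPv4 maximum, and fragments whose byte range overlaps data that has already been accepted into the reassembly buffer. It also flags a non-final fragment whose length is not a multiple of 8, which no conforming sender produces. The fragment tuples and byte counts are constructed for the example and are not taken from any real tool.

```python
MAX_DATAGRAM = 65535  # largest IPv4 datagram: 16-bit total length field


def audit_fragments(fragments):
    """fragments: (offset_in_8_byte_units, payload_length, more_fragments) tuples belonging
    to one datagram, in arrival order. Returns (finding, start, end) tuples in byte offsets."""
    findings = []
    accepted = []                       # byte ranges already taken into the reassembly buffer
    for offset_units, length, more in fragments:
        start = offset_units * 8        # the IP fragment offset field counts 8-byte units
        end = start + length
        if end > MAX_DATAGRAM:
            findings.append(("OVERSIZE", start, end))
        if more and length % 8:
            findings.append(("BAD_LENGTH", start, end))
        for s, e in accepted:
            if start < e and s < end:   # the new range intersects an accepted one
                findings.append(("OVERLAP", start, end))
                break
        accepted.append((start, end))
    return findings


# Constructed examples (illustrative sizes only).
TEARDROP_PAIR = [(0, 48, True), (3, 8, False)]         # second fragment lands inside the first
OVERSIZE_PAIR = [(0, 1480, True), (8185, 1480, False)]  # last fragment ends beyond 65535
NORMAL_PAIR = [(0, 1480, True), (185, 100, False)]      # second fragment starts where the first ends


def audit_all():
    """Map each constructed case to its findings."""
    return {
        "teardrop": audit_fragments(TEARDROP_PAIR),
        "oversize": audit_fragments(OVERSIZE_PAIR),
        "normal": audit_fragments(NORMAL_PAIR),
    }


if __name__ == "__main__":
    for name, findings in audit_all().items():
        print(f"{name:9s} -> {findings or 'clean'}")
```

A guard like this belongs in front of the reassembly code: a datagram that produces any finding should be discarded as a whole rather than passed to the stack in the hope that reassembly will cope.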
Denial of Service Attack
A request to connect to a Windows NT server is sent via the SMB protocol, specifying an invalid size of the subsequent data. Processing such a request by the server leads to an abnormal termination of the system with the STOP 0x0A message (STOP 0x00000050) or to its freezing.
Applies to Windows NT 4.0 Server. [Q180963: Denial of Service Attack Causes Windows NT Systems to Restart]
Protection: srv-fix add-on, dependent on Windows NT version and installed service pack.
SECHOLE attack
It got its name from a program that is widespread on the Internet. It is similar to the GetAdmin attack, with the difference that it uses the OpenProcess interface function to obtain debugging privileges. As a result, a legitimate user is granted administrator rights without authorization.
Applies to Windows NT 4.0 Workstation and Server, Windows NT 3.51 Workstation and Server. [Q190288: SecHole Lets Nonadministrative Users Gain Debug Level Access]
Protection: priv-fix add-on, depending on the Windows NT version and the installed service pack.
ICMP Request Attack
Consists of sending an ICMP Subnet Mask Address Request packet to the address of a network interface configured to use multiple IP addresses belonging to the same subnet.
The Windows NT system terminates abnormally with the STOP 0x0A message (0xA00023, 0x00000002, 0x00000000, 0xf381329B), where the fourth parameter refers to the memory area of the Tcpip.sys module.
Applies to Windows NT 4.0 Workstation and Server. [Q192774: Stop 0x0000000A in Tcpip.sys Processing an ICMP Packet]
The vulnerability described was first fixed in Windows NT Service Pack 4.
Port listening attack
This is a special action in which a Windows NT application or service can access information transmitted and received on certain ports via the TCP and UDP protocols. «Listening» to ports opened by other applications allows unauthorized access to the information exchange carried out through these ports.
The attack applies to Windows NT 4.0 Workstation and Server. [Q194431: Applications May Be Able to «Listen» on TCP or UDP Ports]
The vulnerability described was first fixed in Windows NT Service Pack 4.
Attack using Named Pipes services
Consists of using the remote procedure call (RPC) mechanism over the Named Pipes transport protocol.
Various variations of this attack create multiple remote connections to a Windows NT system and send random data.
The RPC service of the target computer attempts to process and close the remote connections.
When invalid connections are closed, the CPU load and system memory usage increase to 100%, in some cases causing the system to hang.
Applies to Windows NT 4.0 Workstation and Server. [Q195733: Denial of Service in Applications Using Named Pipes over RPC]
Protection: Windows NT Service Pack 4 and nprpc-fix add-on.
Network Access Attack
The Windows NT 4.0 Service Pack 4 network authentication subsystem contains a bug that incorrectly handles user login information.
When a Windows NT user runs Windows for Workgroups, OS/2, or Macintosh and changes their domain password, the Windows NT domain controller stores in the SAM only the portion of the user's password image that is used for compatibility with these systems.
In this case, the registration information used to authenticate Windows 95/98 and Windows NT users is set to zero in the SAM.
The registration information obtained in this way can be used to connect to the Windows NT domain under the name of this user without a password.
The connection can be made by Windows 95/98 and Windows NT clients. It is used for unauthorized access to Windows NT system resources under the name of an existing user.
The described procedure for changing the password requires knowledge of it and can only be performed by a legitimate user.
Applies to Windows NT 4.0 Server Service Pack 4. [Q214840: MSV1_0 Allows Network Connections for Specific Accounts]
Protection: Windows NT Service Pack 4 and MSVI-fix add-on.
Source-based routing attack
The Windows NT 4.0 TCP/IP protocol stack implementation lacks the ability to disable the IP packet routing mode, in which the decision on the route for delivering a response packet is made based on information specified by the received packet.
The vulnerability can be used to attack availability and, in some cases, the integrity of information.
The need to disable the source-based routing mode unconditionally was justified in the CERT bulletin CA-95.01 (1995).
Applies to Windows NT 4.0 Workstation and Server Service Pack 4. [Q217336: TCP/IP Source Routing Feature Cannot Be Disabled]
The vulnerability described was first fixed in Windows NT Service Pack 5.
System Function Substitution Attack
This involves an attacker substituting Windows NT system functions.
To do this, a dynamic link library (DLL) with a name that matches one of the system libraries is loaded into Windows NT memory.
The attacker can then programmatically change the link to the substituted system library in the KnownDLLs list of system modules.
After this, all calls to this system library will be processed by the attacker's module.
If certain system functions are substituted, unauthorized granting of administrator rights to users is possible.
The vulnerability described allows existing users to gain unauthorized administrator rights on a local or remote Windows NT system.
Applies to Windows NT 3.51, 4.0 Workstation and Server. [Q218473: Restricting Changes to Base System Objects]
Protection: Windows NT Service Pack 4 and Smss-fix add-on.
Screen Saver Attack
The Windows NT 4.0 screen saver is launched during a user session with system-level privileges.
After the screen saver starts, the security context is immediately switched to the level corresponding to the given user.
There is no check for the success of such a switch.
If the security context switch is unsuccessful, the screen saver continues to work with system-level privileges.
The attack is applicable to Windows NT 4.0 Workstation and Server Service Pack 4. [Q221991: Screen Saver Vulnerability Lets User Privileges be Elevated].
Protection: Windows NT Service Pack 4 and ScrnSav-fix add-on.
Mail Relaying Attack
Mail exchange tools using the SMTP protocol must provide protection against unauthorized use of mail servers to send letters with forged original address parts (mail relaying).
Exchange Server provides protection against these attacks, but no checks are performed when encapsulated SMTP addresses are used to exchange email messages.
Attackers can use this vulnerability to send messages on behalf of a mail server running Exchange Server by encapsulating SMTP addresses with a forged original address part.
The attack applies to Exchange Server. [Q237927: XIMS: Messages Sent to Encapsulated SMTP Address Are Rerouted Even Though Rerouting Is Disabled]
Protection: Exchange Server Service Pack 2 and imc-fix add-on.
Attack using the IGMP protocol
Receiving specially prepared fragmented packets via the Internet Group Management Protocol (IGMP) significantly reduces performance and may cause the computer to freeze.
The attack applies to Windows NT 4.0 Workstation and Server Service Pack 5, Windows 95/98. [Q238329: Malformed IGMP Packets May Promote «Denial of Service» Attack]
Protection: Windows NT Service Pack 5 and the IGMP-fix add-on.
Source-based routing attack-2
Service Pack 5 added the ability to disable IP packet routing in the Windows NT 4.0 TCP/IP stack implementation, where the decision on the route for delivering a response packet is made based on information specified by the received packet.
However, it is possible to bypass this limitation by sending specially crafted packets containing a specific or incorrect value of the delivery route pointer.
The vulnerability can be used to attack availability and, in some cases, integrity of information.
The need to disable the source-based routing mode unconditionally was justified in the CERT bulletin CA-95.01 (1995).
The attack is applicable to Windows NT 4.0 Workstation and Server Service Pack 5, Windows 95/98. [Q238453: Data in Route Pointer Field Can Bypass Source Routing Disable]
Protection: Windows NT Service Pack 5 and Spoof-fix add-on.
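Both source-based routing sections above come down to the same defensive rule: a packet carrying a loose or strict source route option should be discarded at the perimeter, whatever its route pointer says, so that the decision does not depend on how any one host's stack interprets an unusual pointer value. The following Python example, added here and not taken from the original text or from any Microsoft fix, parses the IPv4 options field, applies that rule, and reports whether the pointer is well-formed according to RFC 791 (minimum value 4, then 4 plus a multiple of 4). The option bytes are constructed for the example.

```python
EOOL, NOP, LSRR, SSRR = 0, 1, 131, 137   # IPv4 option type codes (RFC 791)


def parse_ip_options(options):
    """Split an IPv4 options field into (type, data) pairs; stops at end-of-option-list."""
    parsed, i = [], 0
    while i < len(options):
        kind = options[i]
        if kind == EOOL:
            break
        if kind == NOP:                       # single-byte padding option
            i += 1
            continue
        if i + 1 >= len(options):
            raise ValueError("truncated option header")
        length = options[i + 1]
        if length < 2 or i + length > len(options):
            raise ValueError("bad option length")
        parsed.append((kind, options[i + 2:i + length]))
        i += length
    return parsed


def source_route_verdict(options):
    """Filtering policy: drop every packet carrying a source-route option, and describe
    whether its route pointer is well-formed. Returns (verdict, detail)."""
    for kind, data in parse_ip_options(options):
        if kind not in (LSRR, SSRR):
            continue
        name = "LSRR" if kind == LSRR else "SSRR"
        length = len(data) + 2                # type and length bytes are not in data
        pointer = data[0] if data else 0
        hops = (len(data) - 1) // 4 if data else 0
        if pointer < 4 or (pointer - 4) % 4:
            return "DROP", f"{name}: malformed pointer {pointer}"
        if pointer > length:
            return "DROP", f"{name}: pointer {pointer} beyond option length {length}"
        return "DROP", f"{name}: {hops} hop(s), pointer {pointer}"
    return "PASS", "no source route option"


# Constructed option fields, each padded to a 4-byte boundary with EOOL as in a real header.
HOPS = bytes([10, 0, 0, 1, 10, 0, 0, 2])
SAMPLES = {
    "plain": bytes([NOP, NOP, EOOL, EOOL]),
    "lsrr": bytes([LSRR, 11, 4]) + HOPS + bytes([EOOL]),
    "lsrr_pointer_past_end": bytes([LSRR, 11, 12]) + HOPS + bytes([EOOL]),
    "ssrr_bad_pointer": bytes([SSRR, 7, 5, 10, 0, 0, 1, EOOL]),
}


def verdicts():
    """Apply the policy to every constructed sample."""
    return {name: source_route_verdict(opts) for name, opts in SAMPLES.items()}


if __name__ == "__main__":
    for name, (verdict, detail) in verdicts().items():
        print(f"{name:22s} {verdict:4s} {detail}")
```

The verdict is DROP for every source-routed packet regardless of pointer value; the detail string only helps an operator see which shape of option is arriving, which is useful when tuning logging.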
TCP initial sequence number generator vulnerability
The vulnerability consists of the ability to predict the current sequence number of a data packet transmitted within an established TCP session and, as a result, to perform unauthorized information exchange.
A TCP initial sequence number generator with a «predictable» result can be used to successfully carry out attacks on the availability, integrity, and confidentiality of information.
The need for mandatory use of a TCP initial sequence number generator with properties as close as possible to the calculation of random values was justified in the CERT bulletin CA-95.01 (1995).
The attack applies to Windows NT 4.0 Workstation and Server Service Pack 4. [Q243835: How to prevent Predictable TCP/IP Initial Sequence Numbers]
Protection: q243835 add-on.
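To make the distinction concrete, the following Python example (added here; neither the original text's nor Microsoft's code) places a deliberately predictable generator, a counter advanced by a fixed step per connection, beside the construction recommended in RFC 1948, where the ISN is a clock component plus a keyed hash of the connection's addresses and ports, and adds a small audit that classifies a run of ISNs observed from one's own host. The step size, secret, sample values and classification thresholds are all constructed for the example; the counter is a model of predictable behaviour, not the actual Windows NT algorithm.

```python
import hashlib
import struct

MOD32 = 1 << 32


def counter_isn(state, step=64000):
    """Weak generator (constructed model, not the real NT code): a global counter that
    advances by a fixed step for every new connection, so the next value is obvious."""
    state["isn"] = (state["isn"] + step) % MOD32
    return state["isn"]


def rfc1948_isn(clock, src, sport, dst, dport, secret):
    """ISN = M(clock) + F(4-tuple, secret); F is a truncated MD5 as RFC 1948 suggests.
    Consecutive connections differ in the tuple, so their ISNs are unrelated."""
    digest = hashlib.md5(secret + f"{src}:{sport}>{dst}:{dport}".encode()).digest()
    return (clock + struct.unpack("!I", digest[:4])[0]) % MOD32


def classify_isns(isns):
    """Heuristic audit of consecutive ISNs (thresholds are this example's own):
    'fixed-increment'       every delta identical
    'narrow-increment'      deltas vary, but within 2**20 of each other
    'unpredictable-looking' deltas spread across the 32-bit space"""
    if len(isns) < 3:
        raise ValueError("need at least three samples")
    deltas = [(b - a) % MOD32 for a, b in zip(isns, isns[1:])]
    if len(set(deltas)) == 1:
        return "fixed-increment"
    if max(deltas) - min(deltas) < (1 << 20):
        return "narrow-increment"
    return "unpredictable-looking"


def sample_run():
    """Classify six ISNs from each generator for connections 40000..40005 -> 10.0.0.9:80."""
    state = {"isn": 0x12345678}
    weak = [counter_isn(state) for _ in range(6)]
    secret = b"constructed-example-secret"          # would be a random per-boot secret in practice
    strong = [rfc1948_isn(1000 + 250 * i, "10.0.0.5", 40000 + i, "10.0.0.9", 80, secret)
              for i in range(6)]
    return classify_isns(weak), classify_isns(strong)


if __name__ == "__main__":
    weak_class, strong_class = sample_run()
    print("counter generator :", weak_class)
    print("RFC 1948 generator:", strong_class)
```

The audit only needs a handful of ISNs from consecutive connections to the host being checked; a 'fixed-increment' or 'narrow-increment' result is the condition the text warns about, and the q243835 add-on is what moves Windows NT 4.0 out of that category.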
Conclusions
Reliable protection against the attacks described above actually comes down to creating conditions under which their implementation becomes impossible or significantly more difficult.
At the same time, the widespread use of adequate protective measures may be difficult for a number of reasons.
In order to partially or completely prevent attempts by intruders to exploit weaknesses in Windows NT, it is necessary to use means of controlling the transmission of potentially dangerous data packets.
Such means are firewalls, which exercise control over information entering or leaving the organization's intranet and provide protection by analyzing data flows.
The use of certified firewalls allows you to protect data arrays stored and processed in networks running the Windows NT operating system.