NT and Win95 users beware!

Josh Hillman (no email)
Sat, 10 May 1997 14:36:19 -0400

Nasty little flaw in NT and 95:

A friend of mine (who runs a unix-based ISP) forwarded this message (at the
end) to me a little while ago. I gave him permission to test it using my
home computer as a guinea pig (telling him what IP address I had assigned
to me at the time) while running in Windows 95 as well as running in NT
Server and both times, as soon as he ran the program from his unix machine,
my computer instantly produced a "blue screen of death."

Windows 95 (4.0.950a):
BSOD stating that it might be possible to continue normally after hitting
any key. After hitting any key, it returned to Win95's explorer shell, but
all maximize, minimize, restore, scroll-arrow, start button were visually
missing (video had gotten corrupted.) My dialup networking connection was
still there, but I couldn't ping any IP addresses anymore.

Windows NT Server 4.0 SP2 with the various hot-fixes:
BSOD producing a memory dump, then automatically reboots the machine.
After NT reboots, CPU usage fluctuates erratically and all memory is
almost immediately consumed. After I rebooted the machine, everything went
back to normal.
Looking in the MEMORY.DMP file, it did NOT display the IP address where the
"hack" originated from.

The program used to "kill" the 95 and NT machines was a small C program
compiled on a Unix system (in this particular case: "SunOS nexus 5.4
Generic_101945-43 sun4m sparc") but works on other Unix systems as well.

Unfortunately, this program was distributed this morning to all those that
subscribe to "bugtraq@netspace.org".

> ---------- Forwarded message ----------
> Date: Fri, 9 May 1997 22:11:55 -0400
> From: myst <myst@LIGHT-HOUSE.NET>
> To: BUGTRAQ@NETSPACE.ORG
> Subject: Windows 95/NT DoS
>
> Hello,
>
> It is possible to remotely cause denial of service to any windows
> 95/NT user. It is done by sending OOB [Out Of Band] data to an
> established connection you have with a windows user. NetBIOS [139] seems
> to be the most effective since this is a part of windows. Apparently
> windows doesn't know how to handle OOB, so it panics and crazy things
> happen. I have heard reports of everything from windows dropping carrier
> to the entire screen turning white. Windows also sometimes has trouble
> handling anything on a network at all after an attack like this. A
> reboot fixes whatever damage this causes.
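
A detection-side sketch of the condition described above, added here as an example and not part of either message: it parses captured IPv4 packets and reports TCP segments sent to port 139 with the URG flag set, along with the source address that the memory dump did not record. The function names and the sample packets are constructed for illustration.

```python
import struct

URG = 0x20          # URG bit in the TCP flags field
NETBIOS_SSN = 139   # NetBIOS session port named in the forwarded message

def urgent_to_netbios(packet: bytes):
    """Return (src_ip, src_port, urgent_pointer) when the IPv4 packet is a TCP
    segment addressed to port 139 with URG set; otherwise return None."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None                               # not IPv4 / too short
    ihl = (packet[0] & 0x0F) * 4                  # IP header length in bytes
    if ihl < 20 or packet[9] != 6 or len(packet) < ihl + 20:
        return None                               # not TCP or truncated
    if struct.unpack("!H", packet[6:8])[0] & 0x1FFF:
        return None                               # later fragment: no TCP header
    sport, dport, _seq, _ack, off_flags, _win, _csum, urg_ptr = struct.unpack(
        "!HHIIHHHH", packet[ihl:ihl + 20])
    if dport != NETBIOS_SSN or not off_flags & URG:
        return None
    src_ip = ".".join(str(b) for b in packet[12:16])
    return src_ip, sport, urg_ptr

def scan(packets):
    """Collect one alert tuple per matching packet, in capture order."""
    return [hit for hit in map(urgent_to_netbios, packets) if hit]

def sample_packet(dport, flags, urg_ptr, src=(192, 0, 2, 10)):
    """Constructed IPv4+TCP headers for the self-check (checksums left zero)."""
    ip = struct.pack("!BBHHHBBH4B4B", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     *src, 198, 51, 100, 7)
    tcp = struct.pack("!HHIIHHHH", 40000, dport, 1, 1,
                      (5 << 12) | flags, 8192, 0, urg_ptr)
    return ip + tcp

if __name__ == "__main__":
    capture = [
        sample_packet(139, 0x18, 0),          # PSH+ACK, no urgent data
        sample_packet(139, 0x38, 3),          # URG+PSH+ACK to port 139
        sample_packet(80, 0x38, 3),           # URG, but a different port
    ]
    for src_ip, sport, urg_ptr in scan(capture):
        print(f"URG segment to tcp/139 from {src_ip}:{sport}, urgent pointer {urg_ptr}")
```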