26th Sep 2002 [SBWID-5281]
LanMan DoS on port 445
Windows 2000 Server (SP0, SP1, SP2)
Windows 2000 Advanced Server (SP0, SP1, SP2)
Windows 2000 Professional (SP0, SP1, SP2)
In Peter Gründl's advisory [BUG-ID: 2002011]:
Sending malformed packets to the microsoft-ds port (TCP 445) can result
in kernel resources being allocated by the LANMAN service. The
consequences of such an attack could vary from the Windows 2000 host
completely ignoring the attack to a blue screen.
An attack could be something as simple as sending a continuous stream
of 10k null chars to TCP port 445.
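
A defender-side check for the traffic pattern just described, as an added example that is not part of the advisory: it walks the direct-hosted SMB framing on TCP 445 (one zero byte, a 3-byte length, then a message starting with \xffSMB) and flags client streams that are almost entirely null bytes and carry no valid SMB message. The function names, the thresholds and both sample streams are assumptions constructed for illustration.

```python
"""Flag TCP/445 client streams that match the null-byte pattern in the advisory."""

SMB1_MAGIC = b"\xffSMB"   # protocol id that opens every SMB1 message
MIN_BYTES = 4096          # assumed threshold: ignore very short streams
MIN_NULL_RATIO = 0.95     # assumed threshold for "almost all null bytes"


def frame(payload: bytes) -> bytes:
    """Wrap a message in direct-hosted SMB framing (zero byte + 3-byte length)."""
    return b"\x00" + len(payload).to_bytes(3, "big") + payload


def walk_frames(stream: bytes) -> dict:
    """Count valid, empty and malformed frames in reassembled client-to-server bytes."""
    stats = {"valid": 0, "empty": 0, "bad": 0}
    pos = 0
    while pos + 4 <= len(stream):
        if stream[pos] != 0:          # first header byte must be zero
            stats["bad"] += 1
            break                     # framing is lost, stop walking
        length = int.from_bytes(stream[pos + 1:pos + 4], "big")
        payload = stream[pos + 4:pos + 4 + length]
        if length == 0:
            stats["empty"] += 1       # header with no message behind it
        elif payload.startswith(SMB1_MAGIC):
            stats["valid"] += 1
        else:
            stats["bad"] += 1
        pos += 4 + length
    return stats


def is_null_flood(stream: bytes) -> bool:
    """True when a sizeable stream is nearly all nulls and has no SMB message."""
    if len(stream) < MIN_BYTES:
        return False
    null_ratio = stream.count(0) / len(stream)
    return walk_frames(stream)["valid"] == 0 and null_ratio >= MIN_NULL_RATIO


# Constructed sample: the 10k of null characters the advisory mentions.
NULL_FLOOD = bytes(10_000)
# Constructed, simplified sample: 200 frames shaped like an SMB1 negotiate
# request (32-byte header, then a dialect string). Not a real capture.
LEGIT = frame(SMB1_MAGIC + b"\x72" + bytes(27) + b"\x00\x0c\x00\x02NT LM 0.12\x00") * 200

if __name__ == "__main__":
    for name, sample in (("null flood", NULL_FLOOD), ("legit", LEGIT)):
        print(name, walk_frames(sample), "suspicious:", is_null_flood(sample))
```

Because the check requires zero valid SMB messages, ordinary SMB sessions are not flagged even though their headers contain many zero bytes.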
The most common symptoms would be that the LANMAN service would
allocate a lot of kernel memory, until a point, where very few
applications would be able to run. The routine that draws windows would
commence to draw incomplete windows, the warning "beep" would be
replaced by an error stating that the sound driver could not be loaded.
Internet Information Server would no longer be able to service .asp
pages, attempts to reboot the server (as administrator) would result in
the error "You do not have permissions to shutdown or restart this
It would frequently be possible to cause the system service to enter a
state where it constantly used 100% CPU usage. A PC was left in this
state over the weekend, to see if it would recover on its own. It did