
Title: Vulnerability Report For Microsoft Windows NT 4.0 MSTask.exe code error
Released by:
Date: 13th December 2000



Class: Unknown error



Remotely Exploitable: Yes



Locally Exploitable: Yes



Risk: Medium



Vendor status: Microsoft was notified on 7 December



Vulnerability Description:



 MSTask.exe is an application that ships with Windows NT 4.0.
 A strange behavior was discovered in the MSTask.exe code.
 If exploited, this vulnerability allows an attacker to slow down
 a vulnerable Windows NT system and sometimes to freeze it.



Vulnerable Packages/Systems:

  Microsoft Windows NT 4.0 Workstation

  Other systems were not tested.



Solution/Vendor Information/Workaround:



  I have not found a solution yet.



Technical Description - Exploit/Concept Code:








It appears to me, from testing I have done, that MSTask.exe, usually
listening on TCP 1026 (or some high port), will cause memory to be consumed
if it is connected to and some random characters are sent to it. After such
a connection, eventually the machine will freeze. The only solution appears
to be a reboot.

MSTask.exe, however, only permits connections via the localhost, or
127.0.0.1, so on most systems such an attack would have to originate from
someone at the console (or connected via Terminal Server).

However, if WinGate or WinProxy is installed on the system, the system becomes
vulnerable to remote attackers, because they can connect to the system's TCP
port 1026 via WinGate or WinProxy, and the connection will be accepted.
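
A defensive check for the proxy vector described above, added here as an example and not part of the original advisory: it scans proxy connection records for remote clients being relayed to loopback destinations such as 127.0.0.1:1026. The log format, sample lines and function names are constructed for illustration; real WinGate or WinProxy logs use their own layouts and need their own parser.

```python
import ipaddress

# Constructed sample lines in a made-up "date time client -> dest:port" format.
SAMPLE_LOG = """\
2000-12-13 10:01:07 192.0.2.15 -> 198.51.100.20:80
2000-12-13 10:01:09 192.0.2.77 -> 127.0.0.1:1026
2000-12-13 10:02:30 192.0.2.77 -> localhost:1027
2000-12-13 10:03:02 127.0.0.1 -> 127.0.0.1:1026
2000-12-13 10:04:11 192.0.2.15 -> mail.example.net:25
"""

def is_loopback_target(host):
    """True if the requested destination names the proxy host's loopback."""
    name = host.strip("[]").rstrip(".").lower()
    if name == "localhost" or name.endswith(".localhost"):
        return True
    try:
        return ipaddress.ip_address(name).is_loopback
    except ValueError:
        return False  # other hostnames would need resolving; not done here

def parse_line(line):
    """Split one log line into (timestamp, client, dest_host, dest_port)."""
    date, time, client, arrow, dest = line.split()
    if arrow != "->":
        raise ValueError("unexpected log line: " + line)
    host, _, port = dest.rpartition(":")
    return f"{date} {time}", client, host, int(port)

def find_relayed_loopback(log_text):
    """Return proxy requests from non-local clients to loopback services."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        stamp, client, host, port = parse_line(line)
        client_is_local = ipaddress.ip_address(client).is_loopback
        if is_loopback_target(host) and not client_is_local:
            hits.append((stamp, client, host, port))
    return hits

if __name__ == "__main__":
    for stamp, client, host, port in find_relayed_loopback(SAMPLE_LOG):
        print(f"{stamp} remote client {client} relayed to {host}:{port}")
```

Any hit means the proxy is handing outside clients a connection that the local service sees as coming from 127.0.0.1; the corresponding fix is a proxy rule that refuses loopback destinations.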



To reproduce the problem, use Windows NT 4.0 Workstation.
Do the following:

1. Start telnet.exe
2. Menu->Connect->Remote System=127.0.0.1, Port=1026
3. Press the 'Connect' button.
4. When it connects, type some random characters and press Enter.
5. Close telnet.exe.



You can now see in Task Manager that CPU usage is near 100% because of MSTask.exe.
Sometimes (not always) the system halts; sometimes MSTask.exe listens on port 1027 or higher.
I have tried this on computers other than my own, and it always works.

Windows 95/98 are not vulnerable, because they have no MSTask.exe :-)

Windows 2000 Enterprise Server has MSTask.exe and listens on port 1026, but I did not check it.



Any updates to this information are available at http://www.eng.securityelf.net/exploit.mstask.php4.



...........................................................................

"Security/Elf.Net" Project - http://www.securityelf.net







