Security Protection - Harry Waldron (CS)

Security Best Practices, Breaking News, & Updates

Windows XP - ICS DoS vulnerabilities and POC exploit

Below are additional links to follow up on the earlier good info Bill and Richard shared with us over the weekend.

Microsoft Windows NAT Helper Components DNS Denial of Service Vulnerability
http://www.frsirt.com/english/advisories/2006/4248

QUOTE: A vulnerability has been identified in Microsoft Windows, which could be exploited by malicious users to cause a denial of service. This flaw is due to a NULL pointer dereference error in the NAT Helper Components ("ipnathlp.dll") when processing requests via the "DnsProcessQueryMessage()" and "NatCreateRedirect()" functions, which could be exploited by attackers on the LAN to crash the Service Host Process by sending a specially crafted DNS request to a vulnerable system with Internet Connection Sharing enabled.

Note: A proof of concept exploit has been published.

ISC: Remote DoS released targets Windows Firewall/Internet Connection Sharing (ICS) service component
http://www.incidents.org/diary.php?storyid=1809

Microsoft ICS DoS FAQ
http://blog.ncircle.com/archives/2006/10/microsoft_ics_d.htm

"Am I vulnerable?" checklist:
1) Are you running Windows XP?
2) Are you sharing your internet connection?

If the answer is yes to both of those, then you are vulnerable.

Mitigation:
1) Disable Internet Connection Sharing.
2) Block UDP port 53 (DNS) on the computer that is sharing the internet connection, and manually set the DNS server to your ISP's DNS address.