DoS attack against computers running Microsoft NetMeeting (Additional details)
------------------------------------------------------------------------

SUMMARY

NetMeeting is a free software product from Microsoft that allows real-time audio/video conferencing among peer computers. NetMeeting also contains a component known as Remote Desktop Sharing (RDS). RDS allows a technician to take remote control of computers for troubleshooting, etc. RDS has some uses that are similar to (but more limited than) Terminal Services, pcAnywhere, etc.

A security problem in NetMeeting allows remote attackers to launch a Denial-of-Service attack against a NetMeeting server.

This problem has been patched by Microsoft; for more information see our previous article:
<http://www.securiteam.com/windowsntfocus/NetMeeting_Desktop_Sharing_vulnerability__Patch_available_.html>
NetMeeting Desktop Sharing vulnerability (Patch available).

DETAILS

Vulnerable systems:
NetMeeting 3.01

Steps to reproduce (exploit):
In this example, my.unix.box.com represents the attacker, and helpless.victim.com represents the computer running NetMeeting in either client or RDS mode.

Assuming you already have netcat installed on my.unix.box.com, enter the following command line:

$ nc helpless.victim.com 1720 < /dev/zero

At this point, CPU usage on the victim machine becomes elevated, depending on the speed of both machines, and the speed of the link between them.

Now, terminate the netcat command with ^C.

At this point, CPU on the victim machine hits 100% and stays there. If NetMeeting is running in client mode, it can (eventually) be terminated via the Task Manager on Windows 2000 or NT. If RDS is active, it may be necessary to use another tool (such as HandleEx) to terminate the RDS service; Task Manager may not have access to this process.

If you are using RDS for remote server management, you may now need to make a road trip to the remote computer to restore functionality.
-- 
Eko Sulistiono
MIKRODATA & AntiVirus Media
Web: http://www.mikrodata.co.id/
WAP: http://www.mikrodata.co.id/wap/index.wml
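
A defender-side check for the traffic pattern in the reproduction step, as an added example that is not part of the original advisory or message: H.323 call signaling on TCP port 1720 is framed with TPKT headers (RFC 1006), so a stream of null bytes never forms a valid frame and can be flagged at a proxy or sensor. The function name, the 1024-byte threshold and the sample frame are assumptions constructed for illustration.

```python
import struct

TPKT_VERSION = 3                      # RFC 1006: the version byte is always 3
TPKT_HEADER = struct.Struct(">BBH")   # version, reserved, total frame length
NULL_RUN_THRESHOLD = 1024             # assumed cut-off for calling it a flood

# Constructed sample: one TPKT frame wrapping placeholder body bytes.
# The body is not parsed here; only the framing is checked.
_BODY = b"\x08\x02\x00\x01\x05"
SAMPLE_FRAME = TPKT_HEADER.pack(TPKT_VERSION, 0, TPKT_HEADER.size + len(_BODY)) + _BODY


def classify_h323_stream(payload: bytes) -> str:
    """Classify bytes a client sent to port 1720.

    Returns 'ok', 'incomplete' (wait for more data), 'null-flood'
    (the /dev/zero pattern from the advisory) or 'malformed'.
    """
    offset = 0
    while offset < len(payload):
        rest = payload[offset:]
        if len(rest) < TPKT_HEADER.size:
            return "incomplete"
        version, reserved, length = TPKT_HEADER.unpack_from(rest)
        if version != TPKT_VERSION or reserved != 0 or length < TPKT_HEADER.size:
            # Not a TPKT header: separate a long run of zero bytes from other junk.
            if len(rest) >= NULL_RUN_THRESHOLD and not any(rest):
                return "null-flood"
            return "malformed"
        if len(rest) < length:
            return "incomplete"       # frame body has not fully arrived yet
        offset += length              # step over one complete frame
    return "ok" if payload else "incomplete"


if __name__ == "__main__":
    samples = {
        "valid frame": SAMPLE_FRAME,
        "zeros only": b"\x00" * 4096,
        "frame then zeros": SAMPLE_FRAME + b"\x00" * 2048,
        "other protocol": b"GET / HTTP/1.0\r\n",
    }
    for name, data in samples.items():
        print(f"{name:18} -> {classify_h323_stream(data)}")
```

A connection classified as null-flood or malformed can be closed before its bytes reach the NetMeeting listener.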
