Georgi Guninski security advisory #37, 2001 Windows client UDP exhaustion denial of service Systems affected: Windows 2000 Prof, Windows 98 probably other Windowses Risk: Low Date: 6 February 2001 Legal Notice: This Advisory is Copyright (c) 2001 Georgi Guninski. You may distribute it unmodified. You may not modify it and distribute it or distribute parts of it without the author's written permission. Disclaimer: The opinions expressed in this advisory and program are my own and not of any company. The usual standard disclaimer applies, especially the fact that Georgi Guninski is not liable for any damages caused by direct or indirect use of the information or functionality provided by this advisory or program. Georgi Guninski bears no responsibility for content or misuse of this advisory or program or any derivatives thereof. Description: It is possible a web page or email message to consume all the usable client UDP sockets on the computer running Windows. This leads to stopping client DNS resolution on Windows 2000 professional and stopping all new TCP connections on Windows 98. After closing the malicous application normal function of the system is restored though several machines spontaneously rebooted. It is interesting to note that Linux is not affected to this vulnerability as far as I tested. Details: This exploit uses java. The idea is quite simple - create as much UDP sockets (java.net.DatagramSocket) as possible. Other processes are prevented from creating new UDP sockets. The java code is: --------------------------------------------------------------------------- for(i=0;i<m;i++) { try { DatagramSocket d = new DatagramSocket();v.addElement(d);} catch (Exception e) {System.out.println("Exhausted, i="+i);} } --------------------------------------------------------------------------- Demonstration: http://www.guninski.com/winudpdos.html Vendor status: Microsoft was informed on 2 February 2001. Regards, Georgi Guninski http://www.guninski.com