Remote DoS released targets Windows Firewall/Internet Connection Sharing (ICS) service component

Published: 2006-10-29
Last Updated: 2006-10-30 11:31:29 UTC
by Patrick Nolan (Version: 1)
0 comment(s)
We have received a report that a DoS exploit has been released that targets ipnathlp.dll, which is used by the Windows Firewall/Internet Connection Sharing (ICS) service. We also received a report that the exploit works against a fully patched XP SP2 system (Tyler Reguly of nCircle / blogs.nCircle.com submitted the report, some of his report information is below).

UPDATE Yesterday Tyler completed additional work and posted information at nCircle's blog, see his Microsoft ICS DoS FAQ

Thanks again Tyler.

Original Diary below;

The Windows Firewall/Internet Connection Sharing (ICS) service may be running even though Windows Firewall is disabled.

To determine if your system has the service running, type the following at a command prompt:

sc query sharedaccess

The short name of this service is SharedAccess, the full name is Windows Firewall/Internet Connection Sharing (ICS).

Tyler Reguly reported;

Microsoft Error Message:

Generic Host Process for Win32 Services has encountered a problem and needs to close. We are sorry for the inconvenience.
 
View What's in this report:

Error signature:
 
szAppName: svchost.exe szAppVer: 5.1.2600.2180
szModName: ipnathlp.dll szModVer 5.1.2600.2180 offset: 0001d45e

UPDATE - 1:16 PM EDST - Tyler reported that
only ICS was enabled, "the Firewall was disabled at the time.".

Thanks for the work and followup Tyler!

Other information;

UPDATE - 5:40 PM EDST - According to the MS Windows Compute Cluster Server 2003 Deployment
website, "Windows Compute Cluster Server 2003 relies on Internet Connection Sharing (ICS) to provide network address translation between the public and private networks. ICS also provides DHCP service for the private network. ICS is enabled during Compute Cluster Pack setup".

SharedAccess ? Windows Firewall/Internet Connection Sharing (ICS).

Provides network address translation, addressing, name resolution, and/or intrusion prevention services for a home or small office network.


Start mode: Auto
Login account: LocalSystem
DLL file: ipnathlp.dll
Dependencies: Netman, winmgmt

msdn
Diagram of Internet Connection Sharing and Internet Connection Firewall

Additional information will be added to this Diary as it is developed.

Keywords:
0 comment(s)

Comments


Diary Archives