We have received a report that a DoS exploit has been released that targets ipnathlp.dll, which is used by the Windows Firewall/Internet Connection Sharing (ICS) service. We also received a report that the exploit works against a fully patched XP SP2 system (Tyler Reguly of nCircle / blogs.nCircle.com submitted the report; some of his report information is below).
UPDATE: Yesterday Tyler completed additional work and posted information at nCircle's blog; see his Microsoft ICS DoS FAQ.
Thanks again Tyler.
Original diary below:
The Windows Firewall/Internet Connection Sharing (ICS) service may be running even though Windows Firewall is disabled.
To determine if your system has the service running, type the following at a command prompt:
sc query sharedaccess
The short name of this service is SharedAccess, the full name is Windows Firewall/Internet Connection Sharing (ICS).
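The check above extended into a local report, as an added example that is not part of the original diary: it shows whether SharedAccess is running while the firewall itself is off, whether ICS is enabled on any connection, and which ipnathlp.dll version is installed. It assumes PowerShell 2.0 or later, an elevated prompt, and the XP SP2-era service layout described here; the function name is hypothetical.

```powershell
# Added example (hypothetical helper name); run locally from an elevated prompt.
function Get-SharedAccessExposure {
    # Service record: state, start mode and logon account.
    $svc = Get-WmiObject -Class Win32_Service -Filter "Name='SharedAccess'"
    if (-not $svc) { Write-Warning 'SharedAccess service not found'; return }

    # Windows Firewall state for the current profile (COM API from XP SP2 on).
    $fwEnabled = $null
    try {
        $fw = New-Object -ComObject HNetCfg.FwMgr
        $fwEnabled = [bool]$fw.LocalPolicy.CurrentProfile.FirewallEnabled
    } catch { }   # query fails when the service is stopped; stays $null

    # ICS state: true if sharing is enabled on any network connection.
    $icsEnabled = $null
    try {
        $share = New-Object -ComObject HNetCfg.HNetShare
        $icsEnabled = $false
        foreach ($conn in $share.EnumEveryConnection) {
            $cfg = $share.INetSharingConfigurationForINetConnection.Invoke($conn)
            if ($cfg.SharingEnabled) { $icsEnabled = $true }
        }
    } catch { $icsEnabled = $null }   # unknown, e.g. insufficient rights

    # File version of the module named in the crash report.
    $dllVersion = $null
    $dll = Join-Path $env:SystemRoot 'System32\ipnathlp.dll'
    if (Test-Path $dll) {
        $vi = (Get-Item $dll).VersionInfo
        $dllVersion = '{0}.{1}.{2}.{3}' -f $vi.FileMajorPart, $vi.FileMinorPart,
                                           $vi.FileBuildPart, $vi.FilePrivatePart
    }

    $running = ($svc.State -eq 'Running')
    New-Object PSObject -Property @{
        ServiceState       = $svc.State
        StartMode          = $svc.StartMode
        LogonAccount       = $svc.StartName
        FirewallEnabled    = $fwEnabled
        IcsEnabled         = $icsEnabled
        IpnathlpVersion    = $dllVersion
        # The case the diary warns about: service up although firewall is off.
        RunningFirewallOff = ($running -and ($fwEnabled -eq $false))
    }
}

Get-SharedAccessExposure | Format-List
```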
Tyler Reguly reported:
Microsoft Error Message:
Generic Host Process for Win32 Services has encountered a problem and needs to close. We are sorry for the inconvenience.
View What's in this report:
szAppName: svchost.exe szAppVer: 5.1.2600.2180
szModName: ipnathlp.dll szModVer 5.1.2600.2180 offset: 0001d45e
UPDATE - 1:16 PM EDST - Tyler reported that only ICS was enabled, "the Firewall was disabled at the time."
Thanks for the work and followup Tyler!
UPDATE - 5:40 PM EDST - According to the MS Windows Compute Cluster Server 2003 Deployment website, "Windows Compute Cluster Server 2003 relies on Internet Connection Sharing (ICS) to provide network address translation between the public and private networks. ICS also provides DHCP service for the private network. ICS is enabled during Compute Cluster Pack setup".
SharedAccess - Windows Firewall/Internet Connection Sharing (ICS).
Provides network address translation, addressing, name resolution, and/or intrusion prevention services for a home or small office network.
Start mode: Auto
Login account: LocalSystem
DLL file: ipnathlp.dll
Dependencies: Netman, winmgmt
msdn Diagram of Internet Connection Sharing and Internet Connection Firewall
Additional information will be added to this Diary as it is developed.
Oct 29th 2006