Q179129: STOP 0x0000000A Due to Modified Teardrop Attack

Aleph One (aleph1@DFW.DFW.NET)
Mon, 12 Jan 1998 13:13:05 -0600

ftp://ftp.microsoft.com/bussys/winnt/winnt-public/fixes/usa/nt40/hotfixes-postSP3/teardrop2-fix/Q179129.txt

DOCUMENT:Q179129
TITLE :STOP 0x0000000A Due to Modified Teardrop Attack
PRODUCT :Microsoft Windows NT
PROD/VER:4.00
OPER/SYS:WINDOWS
KEYWORDS:kbbug4.00 kbfix4.00 kbfile NTSrvWkst nttcp kbenv

--------------------------------------------------------------------------
The information in this article applies to:

- Microsoft Windows NT Workstation version 4.0
- Microsoft Windows NT Server version 4.0
- Microsoft Windows NT Server Enterprise Edition version 4.0
--------------------------------------------------------------------------

SYMPTOMS
========

Windows NT may stop responding (hang) with a STOP 0x0000000A message after
receiving a number of deliberately corrupted UDP packets.

CAUSE
=====

This behavior occurs due to a variation of the "teardrop" attack. Windows
NT 4.0 with Service Pack 3 and the ICMP-fix is not susceptible to the
original form of the teardrop attack. For more information on the ICMP-fix,
please see the following article in the Microsoft Knowledge Base:

ARTICLE-ID: Q154174
TITLE : Invalid ICMP Datagram Fragments Hang Windows NT, Windows 95

The modified teardrop attack works by sending pairs of deliberately
constructed IP fragments which are reassembled into an invalid UDP
datagram. Overlapping offsets cause the second packet to overwrite data in
the middle of the UDP header contained in the first packet in such a way
that the datagrams are left incomplete.

As Windows NT receives these invalid datagrams, it allocates kernel memory.
If enough of these invalid datagrams are received Windows NT may hang with
a STOP 0x0000000A.

RESOLUTION
==========

To resolve this problem, obtain the following fix or wait for the next
Windows NT service pack.

This fix should have the following time stamp:

01/09/98 08:16a 143,664 Tcpip.sys (Intel)
01/09/98 08:13a 263,536 Tcpip.sys (Alpha)

This hotfix has been posted to the following Internet location:

ftp://ftp.microsoft.com/bussys/winnt/winnt-public/fixes/usa/NT40/
hotfixes-postSP3/teardrop2-fix/

NOTE: This fix supercedes the ICMP-fix, the OOB-fix, and the Land-fix
hotfixes.

STATUS
======

Microsoft has confirmed this to be a problem in Windows NT version 4.0.
A supported fix is now available, but has not been fully regression-tested
and should be applied only to systems experiencing this specific problem.
Unless you are severely impacted by this specific problem, Microsoft
recommends that you wait for the next Service Pack that contains this fix.
Contact Microsoft Technical Support for more information.

============================================================================

THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS
PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS
ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES
OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO
EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR
ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL,
CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF
MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE
POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION
OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES
SO THE FOREGOING LIMITATION MAY NOT APPLY.