DOCUMENT:Q236359
TITLE   :Denial of Service Attack Using Unprotected IOCTL Function Call
PRODUCT :Windows NT; Windows NT, Terminal Server Edition
PROD/VER:4.0
OPER/SYS:WINDOWS NT
KEYWORD :kbbug4.00 kbfix4.00 

-------------------------------------------------------------------------------
The information in this article applies to:

 - Microsoft Windows NT Workstation version 4.0 
 - Microsoft Windows NT Server version 4.0 
 - Microsoft Windows NT Server, Enterprise Edition version 4.0 
 - Microsoft Windows NT Server version 4.0, Terminal Server Edition 
-------------------------------------------------------------------------------

SYMPTOMS
========

When you run a program that contains an Input Output Control (IOCTL) function
call for the mouse or keyboard on a computer running Windows NT, the program may
prevent those input devices from responding to the operating system. A program
that improperly uses a Windows NT IOCTL function call may be employed to create
a denial of service attack on the computer by disabling the mouse and keyboard.

CAUSE
=====

This problem occurs because the IOCTLs for the mouse and keyboard are
unprotected and are available for use by all users, regardless of their security
privileges. Restarting the computer can correct the situation, but does not
prevent the program from being run again.

NOTE: This vulnerability does not allow any data to be compromised, nor does it
provide a way to bypass security and allow a user to elevate their security
privileges.

RESOLUTION
==========

Windows NT 4.0
--------------

A supported fix that corrects this problem is now available from Microsoft, but
it has not been fully regression tested and should be applied only to systems
experiencing this specific problem. If you are not severely affected by this
specific problem, Microsoft recommends that you wait for the next Windows NT 4.0
service pack that contains this fix.

To resolve this problem immediately, contact Microsoft Product Support Services
to obtain the fix. For a complete list of Microsoft Product Support Services
phone numbers and information on support costs, please go to the following
address on the World Wide Web:

   http://www.microsoft.com/support/supportnet/overview/overview.asp

The English version of this fix should have the following file attributes or
later:

   Date       Time     Size     File name      Platform
   -----------------------------------------------------
   06/29/99   02:53p    9,392   Kbdclass.sys   x86
   06/29/99   02:54p    9,488   Mouclass.sys   x86
  
   06/29/99   02:52p   13,904   Kbdclass.sys   Alpha
   06/29/99   02:53p   14,032   Mouclass.sys   Alpha

This hotfix has been posted to the following Internet location as Ioctlfxi.exe
and Ioctlfxa.exe:

   ftp://ftp.microsoft.com/bussys/winnt/winnt-public/fixes/usa/nt40/
   Hotfixes-PostSP5/IOCTL-fix/

NOTE: If this product was already installed on your computer when you purchased
it from the Original Equipment Manufacturer (OEM) and you need this fix, please
call the Pay Per Incident number listed on the above Web site. If you contact
Microsoft to obtain this fix, and if it is determined that you only require the
fix you requested, no fee will be charged. However, if you request additional
technical support, and if your no-charge technical support period has expired,
or if you are not eligible for standard no-charge technical support, you may be
charged a non-refundable fee.

For more information about eligibility for no-charge technical support, see the
following article in the Microsoft Knowledge Base:

   Q154871 Determining If You Are Eligible for No-Charge Technical Support

Terminal Server
---------------

A supported fix that corrects this problem is now available from Microsoft, but
it has not been fully regression tested and should be applied only to systems
experiencing this specific problem. If you are not severely affected by this
specific problem, Microsoft recommends that you wait for the next Windows NT
4.0, Terminal Server Edition service pack that contains this fix.

To resolve this problem immediately, contact Microsoft Product Support Services
to obtain the fix. For a complete list of Microsoft Product Support Services
phone numbers and information on support costs, please go to the following
address on the World Wide Web:

   http://www.microsoft.com/support/supportnet/overview/overview.asp

The English version of this fix should have the following file attributes or
later:

   Date       Time     Size     File name      Platform
   -------------------------------------------------------------
   07/02/99   04:01p    9,360   Kbdclass.sys   x86
   07/02/99   04:01p    9,456   Mouclass.sys   x86

   07/02/99   04:04p   13,936   Kbdclass.sys   Alpha
   07/02/99   04:04p   14,064   Mouclass.sys   Alpha

This hotfix has been posted to the following Internet location as Ioctlfxi.exe
and Ioctlfxa.exe:

   ftp://ftp.microsoft.com/bussys/winnt/winnt-public/fixes/usa/nt40tse/
   Hotfixes-PostSP4/IOCTL-fix/

NOTE: If this product was already installed on your computer when you purchased
it from the Original Equipment Manufacturer (OEM) and you need this fix, please
call the Pay Per Incident number listed on the above Web site. If you contact
Microsoft to obtain this fix, and if it is determined that you only require the
fix you requested, no fee will be charged. However, if you request additional
technical support, and if your no-charge technical support period has expired,
or if you are not eligible for standard no-charge technical support, you may be
charged a non-refundable fee.

For more information about eligibility for no-charge technical support, see the
following article in the Microsoft Knowledge Base:

   Q154871 Determining If You Are Eligible for No-Charge Technical Support
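
The "file attributes or later" check from the two tables above can be automated
as follows. This is an added example, not code from Microsoft or from the
original article. The function names, the edition keys "nt40" and "tse", the
four-column listing format, and the two-digit-year pivot are assumptions, and
the sample listing is constructed.

```python
from datetime import datetime

# Fix-level timestamps copied from the two file-attribute tables in this
# article. Key: (edition, platform, lower-case file name). Size is not
# compared, because "or later" orders builds by timestamp, not by byte count.
FIX_LEVEL = {
    ("nt40", "x86", "kbdclass.sys"): "06/29/99 02:53p",
    ("nt40", "x86", "mouclass.sys"): "06/29/99 02:54p",
    ("nt40", "alpha", "kbdclass.sys"): "06/29/99 02:52p",
    ("nt40", "alpha", "mouclass.sys"): "06/29/99 02:53p",
    ("tse", "x86", "kbdclass.sys"): "07/02/99 04:01p",
    ("tse", "x86", "mouclass.sys"): "07/02/99 04:01p",
    ("tse", "alpha", "kbdclass.sys"): "07/02/99 04:04p",
    ("tse", "alpha", "mouclass.sys"): "07/02/99 04:04p",
}
DRIVERS = ("kbdclass.sys", "mouclass.sys")

def parse_stamp(date, time):
    """Parse 'MM/DD/YY' and 'HH:MMa|p' as printed in the tables."""
    month, day, year = (int(x) for x in date.split("/"))
    hour, minute = (int(x) for x in time[:-1].split(":"))
    hour = hour % 12 + (12 if time[-1].lower() == "p" else 0)
    year += 1900 if year >= 70 else 2000  # assumed pivot for two-digit years
    return datetime(year, month, day, hour, minute)

def audit(listing, edition, platform):
    """Return {driver: 'at-fix-level' | 'pre-fix' | 'missing'}."""
    seen = {}
    for line in listing.splitlines():
        parts = line.split()  # date, time, size, file name
        if len(parts) == 4 and parts[3].lower() in DRIVERS:
            seen[parts[3].lower()] = parse_stamp(parts[0], parts[1])
    result = {}
    for name in DRIVERS:
        fix = parse_stamp(*FIX_LEVEL[(edition, platform, name)].split())
        if name not in seen:
            result[name] = "missing"
        else:
            result[name] = "at-fix-level" if seen[name] >= fix else "pre-fix"
    return result

# Constructed sample: one driver older than the fix, one at fix level.
SAMPLE_LISTING = """\
10/13/96   07:38p    8,432   Kbdclass.sys
06/29/99   02:54p    9,488   Mouclass.sys
"""

if __name__ == "__main__":
    print(audit(SAMPLE_LISTING, "nt40", "x86"))
```

A timestamp comparison shows only that a file is dated at or after the fix
build; it does not prove the file's contents, so treat "at-fix-level" as a
screening result rather than an integrity check.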

WORKAROUND
==========

To work around this problem, follow normal recommended security practices to
prevent kiosk-type workstations from running unapproved programs. Servers should
generally allow only administrators to log on interactively and run programs.

STATUS
======

Microsoft has confirmed this to be a problem in the Microsoft products listed at
the beginning of this article.

MORE INFORMATION
================

Windows NT provides the ability for programs to directly request services of
device drivers. The interface through which this is done is called an Input
Output Control (IOCTL). Like all operating system services, some IOCTLs are
appropriate for normal users to use and others are reserved for privileged
users.

For computers running Windows NT Workstation or Windows NT Server, this attack
prevents the mouse and keyboard from returning to service when a user logs off.
For example, if a kiosk workstation allows users to run a program arbitrarily,
or if a server allows normal users to log on interactively and run a program
arbitrarily, a malicious user could disable the computer's keyboard and mouse
and prevent use of the computer until it has been restarted. For Windows NT
Server 4.0, Terminal Server Edition, this exploit disables not only the keyboard
and mouse on the local computer, but also those on the console. This would not
interfere with any of the ongoing terminal server sessions, but would still
require the computer to be restarted to gain control of the console.

For additional security-related information about Microsoft products, please
visit the following Microsoft Web site:

   http://www.microsoft.com/security/

Additional query words: 
============================================================================

THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS
PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND.  MICROSOFT DISCLAIMS
ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES
OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.  IN NO
EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR
ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL,
CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF
MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE
POSSIBILITY OF SUCH DAMAGES.  SOME STATES DO NOT ALLOW THE EXCLUSION
OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES
SO THE FOREGOING LIMITATION MAY NOT APPLY.