Re: Network shutdown caused by a port scanner. "DENIAL OF SERVICE"



Paul,

Thanks for the response. The operating system version is Windows CE
5.0. I have installed the rollup up to 2008 but none of the individual QFEs
since then. I did read the list of fixes in each of them, and I don't
believe there are any that apply to a problem like this.

Catalog Items Included in the OS

Wired Local Area Network (802.3, 802.5)
Internet Connection Sharing
Gateway Logging
NDIS Packet Capturing DLL
NDIS User Mode I/O Driver
Network Driver Architecture (NDIS)
Network Utilities
IP Configuration Utility
Network Statistics Utility
PING Network Diagnostic Utility
Sample APP for setting up a PPP
Traceroute Utility
Utility for displaying and configuring the IP routing table
Utility to configure IP v6 tunnels
TCP/IP
IP Helper API
TCP/IP Checksum
TCP/IP Checksum
TCP/IP Protocol
TCP/IP Protocol
Winsock Support
Servers
Core Server Support
FTP
Telnet
Web Server (HTTPD)

In addition the catalog items COM and DCOM were removed and replaced
with Minimal COM. Also the SNMP catalog item was removed.

The device is not a gateway? We do not use IPv6. I believe Internet
connection sharing is off, however since you mentioned it I did notice that
the catalog item is included in the Operating System Build.

When the problem occurs, the operating system and any services are the
only things running. I have prevented my application from loading in order
to narrow down the issue. My understanding is that would mean Telnet, HTTPD
and FTP. Plus I believe NETBIOS is automatically included as one of the
catalog items listed above.

I will try to contact NESSUS and find out how to get more information
from their program.

Thanks
Ken

"Paul G. Tobey [eMVP]" wrote:

device.exe is just the device manager, so that, by itself, doesn't say
anything (every driver is loaded by that, so any driver crash will report
device.exe). ipnat.dll, if that's actually where the crash occurred
(0x00015c09 is a huge offset), might tell us something. You have installed
all of the QFEs for CE<yourversion> up to August 2008?

It's not really a denial of service hole, necessarily. It's simply that it
crashed a driver that you need in order to communicate on your network. I
guess it's possible that this is what it was trying to do, but it's just as
likely that it happened to send some data that ipnat, or whatever, didn't
handle properly. It could send it a packet that the device thinks it should
route, etc. Isn't there some way to have NESSUS step through various tests
one at a time so you could tell which one caused the failure and capture the
network data that triggered the crash?

Is this device configured as a gateway? Is Internet Connection Sharing on?
What network capabilities are in the OS? Are you using IPv6? Also, you
haven't told us even what version of Windows CE we're talking about!

Paul T.

"knk53" <knk53@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:E3E9FD78-A6C2-453F-8073-2014A1CEE29F@xxxxxxxxxxxxxxxx

Recently we underwent some security testing with one of our customers. In
the process, the customer recommended that we use NESSUS to scan for any
vulnerabilities. There is an option in NESSUS to run a thorough scan of the
system. When this scan runs I receive the following error from Windows CE:

"Exception 00e Thread=83bb1800 Proc=43f951de 'device.exe AKY=ffffffff PC=03e95c09 (ipnat.dll+0x00015c09) ESP=062df9c8 EA=0000000c"

Once I receive this error, I can no longer access the device through the
network. It seems like this is a DENIAL OF SERVICE hole that is uncovered.
Does anyone have any ideas how to track this down?


When I run netstat -N I can see that the following ports are open

TCP 21 FTP
TCP 23 TELNET
TCP 80 HTTP
TCP 443 HTTP

UDP 137 NETBIOS
UDP 138 NETBIOS
UDP 161 ????

FTP, Telnet and HTTP were designed into the operating system. While I
believe they are security vulnerabilities, our customer was not concerned
with these ports. I did however, remove DCOM from the build and replace it
with Minimal COM. I also completely removed SNMP from the build because that
shows up with a security problem.

With only those ports reported as listening, what could cause the error
shown above???


Ken Kaplan
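As an added example that is not part of the thread, the script below parses the kernel exception record Ken quoted and derives what Paul reads from it: which module and offset faulted, the module's load base (PC minus the reported offset), and that an effective address of 0x0000000c looks like a field dereference through a NULL pointer rather than a wild address. The near-null threshold and the field names are my assumptions; the exception line is a copy of the one in the post.

```python
import re

# Constructed copy of the Windows CE kernel exception line quoted in the post
# (the post drops the closing quote after the process name; real output has it).
EXCEPTION_LINE = ("Exception 00e Thread=83bb1800 Proc=43f951de 'device.exe AKY=ffffffff "
                  "PC=03e95c09 (ipnat.dll+0x00015c09) ESP=062df9c8 EA=0000000c")

_HEX = r"[0-9A-Fa-f]+"
_PATTERN = re.compile(
    rf"Exception (?P<code>{_HEX}) Thread=(?P<thread>{_HEX}) Proc=(?P<proc>{_HEX}) "
    rf"'(?P<process>[^'\s]+)'? AKY=(?P<aky>{_HEX}) PC=(?P<pc>{_HEX}) "
    rf"\((?P<module>[^+)]+)\+0x(?P<offset>{_HEX})\) ESP=(?P<esp>{_HEX}) EA=(?P<ea>{_HEX})"
)

# Heuristic (assumption): an effective address this close to zero is read as a
# field dereference through a NULL structure pointer, not as a wild pointer.
NEAR_NULL_LIMIT = 0x10000

def parse_ce_exception(line):
    """Split the kernel's exception record into named fields (hex -> int)."""
    m = _PATTERN.search(line)
    if m is None:
        raise ValueError("not a Windows CE exception line")
    fields = {k: int(v, 16) for k, v in m.groupdict().items()
              if k not in ("process", "module")}
    fields["process"] = m["process"]
    fields["module"] = m["module"]
    return fields

def triage(fields):
    """Derive what a first look at the record tells you about the crash."""
    base = fields["pc"] - fields["offset"]   # PC = module base + reported offset
    return {
        "module_base": base,
        # CE 5.0 divides the address space into 32 MB slots; slot 1 is the XIP DLL region.
        "pc_slot": fields["pc"] >> 25,
        # On x86 the kernel prints the CPU vector; vector 0x0e is the page fault.
        "page_fault": fields["code"] == 0x0E,
        "near_null_deref": fields["ea"] < NEAR_NULL_LIMIT,
        "summary": (f"{fields['module']} (base 0x{base:08x}) faulted at +0x{fields['offset']:x} "
                    f"in {fields['process']}, touching address 0x{fields['ea']:08x}"),
    }

if __name__ == "__main__":
    info = parse_ce_exception(EXCEPTION_LINE)
    for key, value in triage(info).items():
        print(key, hex(value) if type(value) is int else value)
```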
