DOCUMENT:Q246045  08-MAY-2002  [winnt]
TITLE   :RFPoison: Denial of Service Attack Causes Access Violation
PRODUCT :Microsoft Windows NT
PROD/VER::4.0
OPER/SYS:
KEYWORDS:kberrmsg kbSecurity kbWinNT400PreSP7Fix kbgraphxlinkcritical

======================================================================
-------------------------------------------------------------------------------
The information in this article applies to:

 - Microsoft Windows NT Server version 4.0, Terminal Server Edition 
 - Microsoft Windows NT Server version 4.0 
 - Microsoft Windows NT Workstation version 4.0 
 - Microsoft Windows NT Server, Enterprise Edition version 4.0 
-------------------------------------------------------------------------------

SYMPTOMS
========

Windows NT clients are unable to gain access to shared file resources or make
other named pipe connections to a Windows NT-based server or workstation after
the following error message is generated by the Dr. Watson utility:

   Access violation c0000005 in Services.exe

CAUSE
=====

This behavior occurs because a malformed packet causes Srvsvc.dll to reference
an invalid memory location.

RESOLUTION
==========

Windows NT 4.0
--------------

To resolve this problem, obtain the individual package referenced below or obtain
the Windows NT 4.0 Security Rollup Package. For additional information on the
SRP, click the article number below to view the article in the Microsoft
Knowledge Base:

   Q299444 Post-Windows NT 4.0 Service Pack 6a Security Rollup Package (SRP)

The following files are available for download from the Microsoft Download
Center:

   Intel: DownloadDownload Q246045.exe now
   (http://www.microsoft.com/Downloads/Release.asp?ReleaseID=16382)
   Alpha: DownloadDownload Q246045.exe now
   (http://www.microsoft.com/Downloads/Release.asp?ReleaseID=16383)

For additional information about how to download Microsoft Support files, click
the article number below to view the article in the Microsoft Knowledge Base:

   Q119591 How to Obtain Microsoft Support Files from Online Services

Microsoft used the most current virus detection software available on the date of
posting to scan this file for viruses. After it is posted, the file is housed on
secure servers that prevent any unauthorized changes to the file.

The English-language version of this fix should have the following file
attributes or later:

   Date      Time                 Size     File name     Platform
   --------------------------------------------------------------
   11/22/1999 10:59a              146,704  Srvsvc.dll    Alpha
   11/22/1999 10:59a               99,600  Srvsvc.dll    i386



Microsoft Windows NT Server version 4.0, Terminal Server Edition
----------------------------------------------------------------

To resolve this problem, obtain the Windows NT Server 4.0, Terminal Server
Edition, Security Rollup Package (SRP). For additional information about the
SRP, click the article number below to view the article in the Microsoft
Knowledge Base:

   Q317636 Windows NT Server 4.0, Terminal Server Edition, Security Rollup
   Package

STATUS
======

Windows NT Server or Workstation 4.0
------------------------------------

Microsoft has confirmed this to be a problem in the Microsoft products that are
listed at the beginning of this article.

Windows NT Server 4.0, Terminal Server Edition
----------------------------------------------

Microsoft has confirmed this to be a problem in the Microsoft products that are
listed at the beginning of this article.

MORE INFORMATION
================

For more information on this vulnerability, see the following Microsoft Web
site:

   http://www.microsoft.com/technet/security/bulletin/ms99-055.asp

If you suspect that an RFPoison attack has occurred and your Dr. Watson
information is consistent with the attack, an analysis of the User.dmp log file
may confirm the attack. The User.dmp file is created in the %SystemRoot% folder
when Services.exe stops working if the Create Crash Dump File check box is
selected in Drwtsn32.exe.


Additional query words: security_patch RFPoison

======================================================================
Keywords          : kberrmsg kbSecurity kbWinNT400PreSP7Fix kbgraphxlinkcritical 
Technology        : kbWinNTsearch kbWinNTWsearch kbWinNTW400 kbWinNTW400search kbWinNT400search kbWinNTSsearch kbWinNTSEntSearch kbWinNTSEnt400 kbWinNTS400search kbWinNTS400 kbNTTermServ400 kbNTTermServSearch
Version           : :4.0
Hardware          : ALPHA x86
Issue type        : kbbug
Solution Type     : kbfix

=============================================================================

THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS
PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND.  MICROSOFT DISCLAIMS
ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES
OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.  IN NO
EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR
ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL,
CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF
MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE
POSSIBILITY OF SUCH DAMAGES.  SOME STATES DO NOT ALLOW THE EXCLUSION
OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES
SO THE FOREGOING LIMITATION MAY NOT APPLY.

Copyright Microsoft Corporation 2002.