DoS vulnerability in Windows Internet Connection Sharing
A single prepared packet is sufficient to crash the Windows Internet Connection Sharing (ICS) service. ICS is usually used to set up a networked Windows XP PC as an internet gateway for other Windows computers. The functions carried out by ICS include translation of public IP addresses to private IP addresses using Network Address Translation (NAT). Windows Compute Cluster Server 2003 also uses Internet Connection Sharing for address translation via NAT.
A null pointer dereference in the NAT helper component ipnathlp.dll means that DNS queries which contain two zero bytes in the Additional Resource Records cause the Service Host Process (svchost) to crash, which also takes down the Windows firewall and leaves the computer unprotected. The bug has been confirmed for a fully patched Windows XP SP2. It is not yet clear whether the bug is also present in the version of NAT helper used in Server 2003. A proof of concept exploit has already been published. No update is yet available. Because the attack would have to come from the LAN, and the network behind an ICS gateway is usually fairly simple, the problem is relatively uncritical.
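The failure described above is a parser that trusts the ARCOUNT field in the DNS header and walks into an Additional section that is shorter than the header promises. The following Python is an added example, not code from the article or from Microsoft's ipnathlp.dll: a defensive DNS message parser that checks every name, fixed record header and RDATA length against the actual message length before reading it, so a query with a truncated Additional section is reported as malformed instead of being dereferenced. The two sample packets (`GOOD_QUERY`, an ordinary query with an EDNS OPT record, and `TRUNCATED_QUERY`, whose Additional section is cut short) are constructed for this example and are not a reproduction of the published proof of concept. A filter of this shape could sit in front of a DNS proxy or NAT helper, or serve as a detection rule over captured gateway traffic.

```python
import struct


class MalformedDNS(Exception):
    """Raised when a DNS message does not match the layout its header promises."""


def _read_name(buf, off, max_hops=16):
    """Parse a possibly compressed DNS name at `off`; return (name, offset after it)."""
    labels, end, jumped, hops = [], off, False, 0
    while True:
        if off >= len(buf):
            raise MalformedDNS("name runs past end of message")
        length = buf[off]
        if length == 0:                      # root label terminates the name
            off += 1
            break
        if length & 0xC0 == 0xC0:            # compression pointer (RFC 1035 4.1.4)
            if off + 1 >= len(buf):
                raise MalformedDNS("truncated compression pointer")
            ptr = struct.unpack_from("!H", buf, off)[0] & 0x3FFF
            if not jumped:
                end = off + 2                # parsing continues after the pointer
            jumped, hops = True, hops + 1
            if hops > max_hops or ptr >= len(buf):
                raise MalformedDNS("bad or looping compression pointer")
            off = ptr
            continue
        if length > 63:
            raise MalformedDNS("label longer than 63 bytes")
        off += 1
        if off + length > len(buf):
            raise MalformedDNS("label runs past end of message")
        labels.append(buf[off:off + length].decode("ascii", "replace"))
        off += length
    return ".".join(labels), (end if jumped else off)


def parse_dns(buf):
    """Parse a DNS message, validating every section count against the real length."""
    if len(buf) < 12:
        raise MalformedDNS("header shorter than 12 bytes")
    txid, flags, qd, an, ns, ar = struct.unpack_from("!HHHHHH", buf, 0)
    off, questions = 12, []
    for _ in range(qd):
        name, off = _read_name(buf, off)
        if off + 4 > len(buf):
            raise MalformedDNS("question truncated")
        qtype, qclass = struct.unpack_from("!HH", buf, off)
        off += 4
        questions.append((name, qtype, qclass))
    records = {"answer": [], "authority": [], "additional": []}
    for section, count in (("answer", an), ("authority", ns), ("additional", ar)):
        for _ in range(count):
            name, off = _read_name(buf, off)
            if off + 10 > len(buf):          # TYPE, CLASS, TTL, RDLENGTH = 10 bytes
                raise MalformedDNS(f"{section} record truncated after name")
            rtype, rclass, ttl, rdlen = struct.unpack_from("!HHIH", buf, off)
            off += 10
            if off + rdlen > len(buf):
                raise MalformedDNS(f"{section} RDLENGTH {rdlen} exceeds message")
            records[section].append((name, rtype, rclass, ttl, buf[off:off + rdlen]))
            off += rdlen
    if off != len(buf):
        raise MalformedDNS(f"{len(buf) - off} trailing bytes after last section")
    return {"id": txid, "flags": flags, "questions": questions, **records}


def classify(buf):
    """Return ('ok', parsed) or ('malformed', reason); usable as a pre-filter or log check."""
    try:
        return "ok", parse_dns(buf)
    except MalformedDNS as exc:
        return "malformed", str(exc)


# --- constructed sample messages (illustrative, not the published PoC) ---
def _header(txid, flags, qd, an, ns, ar):
    return struct.pack("!HHHHHH", txid, flags, qd, an, ns, ar)


def _question(name, qtype=1, qclass=1):
    wire = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split("."))
    return wire + b"\x00" + struct.pack("!HH", qtype, qclass)


# ARCOUNT=1 and a complete EDNS OPT record: root name, type 41, class 4096, ttl 0, rdlen 0
GOOD_QUERY = (_header(0x1234, 0x0100, 1, 0, 0, 1) + _question("example.com")
              + b"\x00" + struct.pack("!HHIH", 41, 4096, 0, 0))
# ARCOUNT=1 but the Additional section is cut short: the header lies about the layout
TRUNCATED_QUERY = _header(0x1234, 0x0100, 1, 0, 0, 1) + _question("example.com") + b"\x00\x00"

if __name__ == "__main__":
    for label, pkt in (("good", GOOD_QUERY), ("truncated", TRUNCATED_QUERY)):
        print(label, classify(pkt))
```

The key design point is that every read is bounds-checked against `len(buf)` before it happens, and the parser refuses the message outright rather than continuing with partial state; a gateway component that adopts the same rule cannot be taken down by a count/length mismatch, whatever the exact byte pattern.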
- Microsoft ICS DoS FAQ, blog entry by Tyler Reguly