lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Wed, 9 Nov 2011 16:16:56 +0100
From: GomoR <gomor-fd@...or.org>
To: full-disclosure@...ts.grok.org.uk
Subject: Re: Microsoft Windows vulnerability in TCP/IP
	Could Allow Remote Code Execution (2588516)

On Wed, Nov 09, 2011 at 06:45:59AM -0500, Dan Rosenberg wrote:
[..]
> While I'd love to see an exploit from a purely academic perspective,
> it doesn't appear that this is the type of bug where exploitation is
> going to be reliable enough to support a worm.  The reference counter
> in question is most likely 32 bits, but even giving the benefit of the
> doubt and saying it's a 16-bit refcount, that's still 2^16 events
> (probably receiving a certain UDP packet) that need to be triggered
> precisely in order to cause a refcount overflow and then trigger a
> remote kernel use-after-free condition, which wouldn't be trivial to
> exploit even by itself.  On an unreliable network like the Internet,
> it seems unlikely that the kind of traffic volume required to trigger
> this bug could be generated without dropping a single packet.
> Reliable DoS seems more likely though.

I would love to hear about results running this exploit/PoC/whatever 
against a xBSD TCP/IP stack.

Microsoft Windows TCP/IP stack looks so BSDish to me since Windows Vista.

But that's probably because they "rewrote" it completely at that 
time (with integration of their "new" IPv6 stack also).

Joke: "Chuck Norris can exploit sockets that aren't even listening."

-- 
  ^  ___  ___             http://www.GomoR.org/          <-+
  | / __ |__/            Senior Security Engineer          |
  | \__/ |  \     ---[ zsh$ alias psed='perl -pe ' ]---    |
  +-->  Net::Frame <=> http://search.cpan.org/~gomor/  <---+

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ