lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <9iv8ev4takmgn858gd6plbcpesjk3pdve9@4ax.com>
Date: Mon, 09 Jun 2003 13:40:50 +0100
From: NGSSoftware Insight Security Research <nisr@...tgenss.com>
To: bugtraq@...urityfocus.com
Subject: Etherleak information leak in Windows Server 2003 drivers


NGSSoftware Insight Security Research Advisory

Name: Etherleak information leak in Windows Server 2003 drivers
Systems Affected: Windows Server 2003 (all versions)
Severity: Low/Medium Risk
Vendor URL: http://www.microsoft.com/windowsserver2003/
Author: Chris Paget (chrisp@...software.com)
Date: 9th June 2003
Advisory URL: http://www.nextgenss.com/advisories/etherleak-2003.txt
Advisory number: #NISR09062003


Description
***********
Several NIC device drivers that ship with Windows Server 2003 have
been found to disclose information in a similar way to the 'Etherleak'
frame padding issue announced by @Stake in January 2003.  The original
Etherleak paper and subsequent discussion was concerned with ICMP
message padding; NGSSoftware Insight Security Research (NISR) have
observed a similar issue within a TCP stream.


Details
*******
The original Etherleak paper from Ofir Arkin and Josh Anderson of
@Stake (available at
http://www.atstake.com/research/advisories/2003/atstake_etherleak_report.pdf)
concerns itself primarily with frame padding of ICMP messages with
non-zero bytes; the padding bytes could potentially come from any area
of physical memory.  NISR have observed the issue within a TCP stream,
particularly during the FIN-ACK exchange when a connection is
gracefully closed.  To date, NISR have not seen any discussion of
Etherleak-style vulnerabilities within a TCP stream, only ICMP.  It is
possible that vendors are only testing for ethernet frame padding
issues within ICMP and are neglecting TCP.

When the @Stake paper was released, Microsoft stated that tests would
be added to the Microsoft driver certification program which
specifically checked for this issue; NISR are releasing this advisory
since there are multiple drivers shipped with Windows Server 2003
which are vulnerable and yet certified by Microsoft and included on
the CD.  

Vulnerable drivers include:
VIA Rhine II Compatible network card (integrated into some
motherboards).
AMD PCNet family network cards (Used by several versions of VMWare)

Both drivers are digitally signed by the Microsoft Windows Publisher,
and are included on the Windows Server 2003 CD.  Both drivers exhibit
the same behaviour, that of padding frames with arbitrary data.  The
FIN-ACK packets exchanged during the graceful close of a TCP
connection are a particularly good source of information; several
bytes of potentially sensitive data (including POP3 passwords) has
been observed appended to the data portion of Ethernet frames sent by
these cards.


Fix Information
***************
Microsoft's statement regarding this issue on the CERT website
(available at http://www.kb.cert.org/vuls/id/JPLA-5BGP7V) states: 
"Microsoft does not ship any Microsoft written drivers that contain
the vulnerability. However, we have found some 3rd party drivers and
samples in our documentation that, when compiled without alteration,
could yield a driver that could contain this issue. We have made
corrections to the samples in our documentation and are working with
3rd parties, and have included tests for this issue in our driver
certification program."

Since some network drivers that are certified by Microsoft in their
latest release of Windows are still exhibiting these issues, NISR
recommends that Microsoft certification is not taken as a guarantee of
comprehensive testing.  Instead, a list is provided by CERT at 

http://www.kb.cert.org/vuls/id/412115 of all related hardware and
software vendors; we would recommend that customers refer to this list
for the specific hardware vendor to determine exposure to this issue.
Alternatively, contact the vendor of your networking hardware for
further information.


About NGSSoftware
*****************
NGSSoftware design, research and develop intelligent, advanced
application security assessment scanners. Based in the United Kingdom,
NGSSoftware have offices in the South of London and the East Coast of
Scotland. NGSSoftware's sister company NGSConsulting, offers best of
breed security consulting services, specialising in application, host
and network security assessments.

http://www.ngssoftware.com/
http://www.ngsconsulting.com/

Telephone +44 208 401 0070
Fax +44 208 401 0076

enquiries@...software.com


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ