Message-ID: <20030917171341.GA29621@alpha.home.local>
Date: Wed, 17 Sep 2003 19:13:41 +0200
From: Willy Tarreau <willy@...ds.org>
To: Michal Zalewski <lcamtuf@...ne.ids.pl>
Cc: bugtraq@...urityfocus.com, vulnwatch@...nwatch.org,
full-disclosure@...sys.com
Subject: Re: Windows URG mystery solved!

On Wed, Sep 17, 2003 at 11:17:16AM +0200, Michal Zalewski wrote:
>
> I finally have more details about the Windows URG pointer memory leak,
> first reported here:
>
> http://www.securityfocus.com/archive/82/335845/2003-08-31/2003-09-06/0
>
> It is a vulnerability.
>
> After a long and daunting hunt, I have determined that pretty much all
> up-to-date Windows 2000 and XP systems are vulnerable to the problem, and
> that it is not caused by any network devices en route or such, but the
> issue is present only in certain conditions.

Hello Michal,

I too discovered this strangeness on Monday, when a guy at work was using a
Windows-based tool to scan for unpatched machines against the Blaster worm.
My netfilter first logged 3 SYNs, and I asked him why his tool was using URG
data, but then I noticed that the URG flag wasn't set. He didn't know and
tried again to scan my Linux box. I don't know what his tool was, but he
launched it from a Blaster-patched WinXP box. This time, the URG pointer was
always 0. Then he scanned the whole network, and I saw non-null URG pointers
coming again to my box. Tcpdump clearly showed that the pointer was in the
packets, and was not invented by netfilter. So I concluded that his box was
leaking memory or doing something strange.

I can ask him for the exact Windows version, and even for some more tests, if
anyone is interested.

Regards,
Willy

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
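
The condition reported in this message, a non-zero urgent pointer in a TCP segment whose URG flag is clear, can be checked on captured packets. The following is an added example, not part of the original post: the function names are hypothetical and the packets are constructed samples using documentation addresses.

```python
import struct

URG, ACK, PSH, SYN = 0x20, 0x10, 0x08, 0x02  # TCP flag bits

def build_packet(src, dst, sport, dport, flags, urg_ptr):
    """Constructed IPv4+TCP packet for the sample data (checksums left at zero)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, flags, 8192, 0, urg_ptr)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return ip + tcp

def stray_urgent_pointer(packet):
    """Return (src, sport, flags, urg_ptr) when the urgent pointer is non-zero
    although URG is clear; None for clean or unparseable packets."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None                                # not IPv4
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or packet[9] != 6 or len(packet) < ihl + 20:
        return None                                # not TCP, or truncated
    if struct.unpack("!H", packet[6:8])[0] & 0x1FFF:
        return None                                # later fragment: no TCP header here
    tcp = packet[ihl:ihl + 20]
    sport = struct.unpack("!H", tcp[0:2])[0]
    flags = tcp[13]
    urg_ptr = struct.unpack("!H", tcp[18:20])[0]
    if urg_ptr and not flags & URG:
        src = ".".join(str(b) for b in packet[12:16])
        return (src, sport, flags, urg_ptr)
    return None

def scan(packets):
    """Collect every packet that carries urgent-pointer bytes without URG set."""
    return [hit for hit in map(stray_urgent_pointer, packets) if hit]

# Constructed samples: a SYN with a stray pointer, a clean SYN,
# and a legitimate urgent segment (URG set, pointer meaningful).
SAMPLES = [
    build_packet("192.0.2.10", "192.0.2.20", 1045, 135, SYN, 0x1A2B),
    build_packet("192.0.2.10", "192.0.2.20", 1046, 135, SYN, 0),
    build_packet("192.0.2.10", "192.0.2.20", 1047, 23, URG | ACK | PSH, 5),
]

if __name__ == "__main__":
    for src, sport, flags, urg_ptr in scan(SAMPLES):
        print(f"{src}:{sport} flags=0x{flags:02x} urgent pointer=0x{urg_ptr:04x} without URG")
```
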