Message-ID: <20030917171341.GA29621@alpha.home.local>
From: willy at w.ods.org (Willy Tarreau)
Subject: Re: Windows URG mystery solved!

On Wed, Sep 17, 2003 at 11:17:16AM +0200, Michal Zalewski wrote:
> 
> I finally have more details about the Windows URG pointer memory leak,
> first reported here:
> 
>   http://www.securityfocus.com/archive/82/335845/2003-08-31/2003-09-06/0
> 
> It is a vulnerability.
> 
> After a long and daunting hunt, I have determined that pretty much all
> up-to-date Windows 2000 and XP systems are vulnerable to the problem, and
> that it is not caused by any network devices en route or such, but the
> issue is present only in certain conditions.

Hello Michal,

I too discovered this strangeness on Monday, when a guy at work was using a
Windows-based tool to scan for unpatched machines against the Blaster worm.
My netfilter first logged 3 SYNs, and I asked him why his tool was using URG
data, but then noticed that the URG flag wasn't set. He didn't know and
tried again to scan my Linux box. I don't know what his tool was, but he
launched it from a Blaster-patched WinXP box. This time, the URG pointer was
always 0. Then he scanned the whole network, and I saw non-null URG pointers
coming again to my box. Tcpdump clearly showed that the pointer was in the
packets, and was not invented by netfilter. So I concluded that his box was
leaking memory or doing something strange.

I can ask him the exact Windows version, and even some more tests if anyone is
interested.

Regards,
Willy
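
A check for the condition discussed in this thread (a non-zero urgent pointer in a TCP segment whose URG flag is clear), added here as an example and not part of either message. The function names, addresses and sample packets are constructed for illustration.

```python
import socket
import struct

TCP_URG = 0x20  # URG bit in the TCP flags field

def urg_anomaly(packet: bytes):
    """Return a finding for an IPv4/TCP packet whose urgent pointer is
    non-zero while URG is clear; return None for anything else."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None                      # too short, or not IPv4
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or packet[9] != 6 or len(packet) < ihl + 20:
        return None                      # bad IHL, not TCP, or truncated
    if struct.unpack("!H", packet[6:8])[0] & 0x1FFF:
        return None                      # later fragment: no TCP header here
    sport, dport, _seq, _ack, off_flags, _win, _csum, urg_ptr = struct.unpack(
        "!HHIIHHHH", packet[ihl:ihl + 20])
    if urg_ptr == 0 or off_flags & TCP_URG:
        return None                      # pointer unused, or legitimately set
    return {
        "src": socket.inet_ntoa(packet[12:16]), "sport": sport,
        "dst": socket.inet_ntoa(packet[16:20]), "dport": dport,
        "flags": off_flags & 0x3F, "urg_ptr": urg_ptr,
    }

def build_packet(src, dst, sport, dport, flags, urg_ptr, proto=6):
    """Build a minimal IPv4+TCP header pair (checksums left at 0) as
    constructed test input; not a capture from a real host."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, proto, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    tcp = struct.pack("!HHIIHHHH", sport, dport, 1000, 0,
                      (5 << 12) | flags, 8192, 0, urg_ptr)
    return ip + tcp

# Constructed samples using documentation addresses (RFC 5737).
SAMPLES = [
    build_packet("192.0.2.10", "192.0.2.20", 3301, 135, 0x02, 0x1A2B),  # SYN, stray pointer
    build_packet("192.0.2.10", "192.0.2.20", 3302, 135, 0x02, 0),       # SYN, pointer zero
    build_packet("192.0.2.10", "192.0.2.20", 3303, 23, 0x30, 5),        # URG|ACK, valid use
]

def scan(packets):
    """Return the findings for every anomalous packet in the input."""
    return [f for f in map(urg_anomaly, packets) if f is not None]

if __name__ == "__main__":
    for finding in scan(SAMPLES):
        print(finding)
```

Checksums in the constructed packets are zero because the check reads only header fields; feeding it real traffic requires stripping the link-layer header first.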

