From: lists at g-clef.net (Aaron Gee-Clough)
Subject: OT microsoft "feature"

Jeffrey A.K. Dick wrote:

> "Anyone has a good explanation for this ? "
> 
> I'll leave it to you to decide if the explanation is good ...
> 
> "Windows NT utilities can accept Internet Protocol (IP) addresses comprised
> of decimal, octal, or hexadecimal numbers. This can cause confusion if you
> unintentionally use a leading zero in a decimal octet. With a leading zero,
> the number is resolved by these utilities as an octal number, thus
> specifying the wrong IP address. "
> 
> http://support.microsoft.com/default.aspx?scid=kb;en-us;115388

Interesting.  Of course, it's also a little bit...off:


C:\>ping 090.090.090.090

Pinging 72.72.72.72 with 32 bytes of data:

Request timed out.

Ping statistics for 72.72.72.72:
     Packets: Sent = 1, Received = 0, Lost = 1 (100% loss),
Approximate round trip times in milli-seconds:
     Minimum = 0ms, Maximum =  0ms, Average =  0ms
Control-C
^C
C:\>


If this were truly octal, 9's should be invalid (as should 8's). 
Instead, we have some base-10/base-8 hybrid that they decided to call 
"octal."

Note: Linux (RedHat and Debian, anyway) appear to do the "preceding 
0=>octal" bit also, but they properly filter the 090 to be something 
unknown.

This really doesn't look like a security issue, though.  Just lazy 
coding.  (Feel free to prove me wrong.)

Aaron
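To make the behaviour discussed above concrete, here is an added example (not from the thread): a small Python model of three ways to read a dotted quad. The "hybrid" model is an assumption reconstructed from the observed `090.090.090.090` -> `72.72.72.72` output (base 8 selected by the leading zero, but digits 8 and 9 not rejected), the "octal-aware" model is the conforming behaviour Aaron describes on Linux, and the strict decimal check is what a defender would apply before accepting an address from untrusted input; only the four-part form is handled.

```python
import re

_HEX_RE = re.compile(r"^0[xX][0-9a-fA-F]+$")
_DEC_RE = re.compile(r"^[0-9]+$")
_STRICT_OCTET = re.compile(r"^(0|[1-9][0-9]{0,2})$")  # no leading zeros


def _octet_value(tok, reject_bad_digits):
    """Read one octet the way the KB article describes: '0x' means hex,
    a leading '0' means octal, anything else is decimal.
    reject_bad_digits=False models the observed Windows hybrid (assumed
    from 090 -> 72): the digit 9 is accepted and weighted by 8.
    reject_bad_digits=True models a conforming octal parse (090 invalid)."""
    if _HEX_RE.match(tok):
        return int(tok, 16)
    if not _DEC_RE.match(tok):
        return None
    base = 8 if len(tok) > 1 and tok[0] == "0" else 10
    value = 0
    for ch in tok:
        digit = ord(ch) - ord("0")
        if reject_bad_digits and digit >= base:
            return None  # 8 or 9 under base 8: reject the octet
        value = value * base + digit
    return value


def _parse_lenient(addr, reject_bad_digits):
    """Return the address as plain decimal 'a.b.c.d', or None if rejected."""
    parts = addr.split(".")
    if len(parts) != 4:
        return None
    octets = [_octet_value(p, reject_bad_digits) for p in parts]
    if any(o is None or o > 255 for o in octets):
        return None
    return ".".join(str(o) for o in octets)


def parse_windows_hybrid(addr):
    return _parse_lenient(addr, reject_bad_digits=False)


def parse_octal_aware(addr):
    return _parse_lenient(addr, reject_bad_digits=True)


def parse_strict_decimal(addr):
    """Defensive form: exactly four base-10 octets 0-255, no leading zeros,
    no hex or octal, so '090' is refused rather than silently reinterpreted."""
    parts = addr.split(".")
    if len(parts) != 4:
        return None
    if any(not _STRICT_OCTET.match(p) or int(p) > 255 for p in parts):
        return None
    return ".".join(parts)
```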