From: lists at (Aaron Gee-Clough)
Subject: OT microsoft "feature"

Jeffrey A.K. Dick wrote:

> "Anyone has a good explanation for this?"
> I'll leave it to you to decide if the explanation is good ...
> "Windows NT utilities can accept Internet Protocol (IP) addresses comprised
> of decimal, octal, or hexadecimal numbers. This can cause confusion if you
> unintentionally use a leading zero in a decimal octet. With a leading zero,
> the number is resolved by these utilities as an octal number, thus
> specifying the wrong IP address. "

Interesting.  Of course, it's also a little


Pinging with 32 bytes of data:

Request timed out.

Ping statistics for
     Packets: Sent = 1, Received = 0, Lost = 1 (100% loss),
Approximate round trip times in milli-seconds:
     Minimum = 0ms, Maximum =  0ms, Average =  0ms

If this were truly octal, 9's should be invalid (as should 8's). 
Instead, we have some base-10/base-8 hybrid that they decided to call 

Note: Linux (RedHat and Debian, anyway) appears to do the "preceding 
0=>octal" bit also, but they properly filter the 090 to be something 

This really doesn't look like a security issue, though.  Just lazy 
coding.  (Feel free to prove me wrong.)
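
The leading-zero rule quoted in this thread, as an added example that is not part of the original post: a per-octet parser that treats `0x` as hex and a leading `0` as octal (rejecting 8 and 9 in octal, as true octal requires), next to a strict decimal-only check that flags any string the two readings disagree on. All function names and sample addresses are constructed for illustration; the hybrid Windows behaviour the poster observed is not modelled.

```python
import string

def parse_octet_c_style(tok):
    """One octet with base detection: 0x.. hex, 0.. octal, otherwise decimal.
    Returns an int, or None if a digit is invalid for the detected base."""
    if tok.lower().startswith("0x"):
        digits, base, allowed = tok[2:], 16, string.hexdigits
    elif len(tok) > 1 and tok.startswith("0"):
        digits, base, allowed = tok[1:], 8, "01234567"
    else:
        digits, base, allowed = tok, 10, string.digits
    if not digits or any(c not in allowed for c in digits):
        return None  # e.g. "090": 9 is not an octal digit
    value = int(digits, base)
    return value if value <= 255 else None

def parse_c_style(addr):
    """Four-part dotted quad, each part parsed with base detection."""
    parts = addr.split(".")
    if len(parts) != 4:
        return None
    octets = [parse_octet_c_style(p) for p in parts]
    return None if None in octets else ".".join(map(str, octets))

def parse_strict(addr):
    """Decimal only: any leading zero or non-digit makes the address invalid."""
    parts = addr.split(".")
    if len(parts) != 4:
        return None
    for p in parts:
        if not (p.isascii() and p.isdigit()) or (len(p) > 1 and p[0] == "0"):
            return None
        if int(p) > 255:
            return None
    return addr

def audit(addr):
    """'ok' if unambiguous decimal, 'ambiguous' if only the base-detecting
    reading accepts it (returns that reading), else 'rejected'."""
    strict, loose = parse_strict(addr), parse_c_style(addr)
    if strict is not None:
        return ("ok", strict)
    if loose is not None:
        return ("ambiguous", loose)
    return ("rejected", None)

if __name__ == "__main__":
    # Constructed sample inputs (private/loopback ranges only).
    for s in ["192.168.1.10", "192.168.010.1", "192.168.090.1", "0x7f.0.0.1"]:
        print(f"{s:16} -> {audit(s)}")
```

Running `audit` over addresses taken from configuration files or logs shows which entries would resolve differently depending on the tool that reads them.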

