Date: Wed, 9 Nov 2011 06:45:59 -0500
From: Dan Rosenberg <dan.j.rosenberg@...il.com>
To: Darren Martyn <d.martyn.fulldisclosure@...il.com>
Cc: full-disclosure@...ts.grok.org.uk,
	Nahuel Grisolia <nahuel.grisolia@...il.com>
Subject: Re: Microsoft Windows vulnerability in TCP/IP Could Allow Remote Code Execution (2588516)

On Wed, Nov 9, 2011 at 6:25 AM, Darren Martyn
<d.martyn.fulldisclosure@...il.com> wrote:
> Balls, I forgot to add this to the last message, but has anyone examined the
> patch yet? I can only imagine it would be VERY interesting to look at...
> <sarcasm> Or that it opens all UDP ports so that there are no closed ones to
> exploit </sarcasm>
>

Yet another bug class (refcount overflows) that the PaX Team
eradicated years ago and everyone else is still scrambling to catch
up.

People seem incredulous that the bug can be triggered by sending
traffic to closed ports.  Keep in mind that the only way your
networking stack knows to reject packets that are directed towards
closed ports is to do some preliminary parsing of those packets,
namely allocating some control structures, receiving at least the
physical/link layer frame, IP header, and transport layer header, and
parsing out the port and destination address.  There are plenty of
things that can go wrong before the kernel decides "this is for a port
that's not open" and drops it, which appears to be what happened here.
Doesn't make the bug any less terrible, but it's not quite as
surprising as people seem to think.

> On Wed, Nov 9, 2011 at 11:22 AM, Darren Martyn
> <d.martyn.fulldisclosure@...il.com> wrote:
>>
>> So... Another Conficker type worm possible from this bug if everyone cocks
>> up and fails to patch?
>>

While I'd love to see an exploit from a purely academic perspective,
it doesn't appear that this is the type of bug where exploitation is
going to be reliable enough to support a worm.  The reference counter
in question is most likely 32 bits, but even giving the benefit of the
doubt and saying it's a 16-bit refcount, that's still 2^16 events
(probably receiving a certain UDP packet) that need to be triggered
precisely in order to cause a refcount overflow and then trigger a
remote kernel use-after-free condition, which wouldn't be trivial to
exploit even by itself.  On an unreliable network like the Internet,
it seems unlikely that the kind of traffic volume required to trigger
this bug could be generated without dropping a single packet.
Reliable DoS seems more likely though.

-Dan

>> On Tue, Nov 8, 2011 at 10:10 PM, Nahuel Grisolia
>> <nahuel.grisolia@...il.com> wrote:
>>>
>>> Kingcope, where's the exploit?
>>>
>>> :P
>>>
>>> On Nov 8, 2011, at 6:53 PM, Henri Salo wrote:
>>>
>>> > http://technet.microsoft.com/en-us/security/bulletin/ms11-083
>>> >
>>> > "The vulnerability could allow remote code execution if an attacker
>>> > sends a continuous flow of specially crafted UDP packets to a closed port on
>>> > a target system."
>>> >
>>> > Microsoft did it once again.
>>> >
>>> > - Henri Salo
>>> >
>>> > _______________________________________________
>>> > Full-Disclosure - We believe in it.
>>> > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>>> > Hosted and sponsored by Secunia - http://secunia.com/
>>>
>>
>>
>>
>> --
>> My Homepage :D
>>
>
>
>
> --
> My Homepage :D
>
>
>

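The arithmetic behind the "2^16 events" estimate above, as an added illustration that is not part of the thread and not Microsoft's code: a constructed object with a 16-bit reference count, a packet path that takes a reference and forgets to drop it, and the saturating counter that PaX-style refcount hardening substitutes for the plain increment. The struct, the counter width, the "one leaked reference per packet" trigger and the `ctx_*` names are all assumptions made for the example; the real MS11-083 structure is not described on this page. With the owner's single reference counted in, 2^16 - 1 leaked references bring a 16-bit counter back to zero, after which one ordinary get/put pair frees the object underneath everyone still holding it.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Constructed model of a refcount overflow turning into a use-after-free.
 * Not Microsoft's code: the struct, the 16-bit width and the trigger are
 * assumptions chosen so the wrap is reachable in a test.
 */
struct sock_ctx {
    uint16_t refcnt;   /* deliberately narrow; a real 32-bit counter needs 2^32 - 1 leaks */
    bool     freed;    /* stands in for the allocator actually releasing the memory */
};

/* Vulnerable: a plain increment silently wraps 0xFFFF -> 0. */
static void ctx_get_unchecked(struct sock_ctx *c)
{
    c->refcnt++;
}

/* Hardened, in the spirit of PaX REFCOUNT: saturate instead of wrapping.
 * The caller treats failure as "drop this packet"; the object may end up
 * pinned (leaked) but can never be freed from under a live reference. */
static bool ctx_get_checked(struct sock_ctx *c)
{
    if (c->refcnt == UINT16_MAX)
        return false;
    c->refcnt++;
    return true;
}

static void ctx_put(struct sock_ctx *c)
{
    if (--c->refcnt == 0)
        c->freed = true;   /* real code: the pool free; the owner's pointer now dangles */
}

/* Leaked references needed to wrap a `bits`-bit counter from the owner's
 * single reference back to zero. */
static uint64_t leaks_to_wrap(unsigned bits)
{
    return (1ULL << bits) - 1;
}

/*
 * Drive the model. Each "packet" first hits the buggy path (reference taken,
 * never released), then an ordinary balanced get/put such as normal
 * processing would do. Returns the number of leaking packets processed when
 * the object was freed while the owner still held it, or 0 if that never
 * happened within `budget`.
 */
static uint64_t simulate_attack(bool hardened, uint64_t budget)
{
    struct sock_ctx ctx = { .refcnt = 1, .freed = false };   /* owner holds one ref */

    for (uint64_t pkt = 1; pkt <= budget; pkt++) {
        /* buggy path: reference taken, never released */
        if (hardened) {
            if (!ctx_get_checked(&ctx))
                continue;                    /* saturated: packet dropped */
        } else {
            ctx_get_unchecked(&ctx);
        }

        /* benign path: balanced get/put. Harmless unless refcnt has just
         * wrapped to 0, in which case get -> 1, put -> 0 frees the object. */
        if (hardened) {
            if (!ctx_get_checked(&ctx))
                continue;
        } else {
            ctx_get_unchecked(&ctx);
        }
        ctx_put(&ctx);

        if (ctx.freed)
            return pkt;
    }
    return 0;
}

int main(void)
{
    printf("16-bit counter, unchecked:  freed after %llu leaked packets\n",
           (unsigned long long)simulate_attack(false, 1u << 17));
    printf("16-bit counter, saturating: freed after %llu (0 = never)\n",
           (unsigned long long)simulate_attack(true, 1u << 17));
    printf("32-bit counter would need %llu leaked packets\n",
           (unsigned long long)leaks_to_wrap(32));
    return 0;
}
```

The unchecked run reports the free on the 65535th leaking packet; the saturating run never frees the object, at the cost of a reference count stuck at its maximum. Every one of those packets has to take the leaking path in order, which is the delivery problem the message raises about doing this over the Internet.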