Message-ID: <4EBA7BEE.2020004@propergander.org.uk>
Date: Wed, 09 Nov 2011 13:11:10 +0000
From: Dave <mrx@...pergander.org.uk>
To: full-disclosure@...ts.grok.org.uk
Subject: Re: Microsoft Windows vulnerability in TCP/IP Could Allow Remote Code Execution (2588516)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 09/11/2011 11:45, Dan Rosenberg wrote:
> On Wed, Nov 9, 2011 at 6:25 AM, Darren Martyn
> <d.martyn.fulldisclosure@...il.com> wrote:
>> Balls, I forgot to add this to the last message, but has anyone examined the
>> patch yet? I can only imagine it would be VERY interesting to look at...
>> <sarcasm> Or that it opens all UDP ports so that there are no closed ones to
>> exploit </sarcasm>
>>
>
> Yet another bug class (refcount overflows) that the PaX Team
> eradicated years ago and everyone else is still scrambling to catch
> up.
>
> People seem incredulous that the bug can be triggered by sending
> traffic to closed ports. Keep in mind that the only way your
> networking stack knows to reject packets that are directed towards
> closed ports is to do some preliminary parsing of those packets,
> namely allocating some control structures, receiving at least the
> physical/link layer frame, IP header, and transport layer header, and
> parsing out the port and destination address. There's plenty of
> things that can go wrong before the kernel decides "this is for a port
> that's not open" and drops it, which appears to be what happened here.
> Doesn't make the bug any less terrible, but it's not quite as
> surprising as people seem to think.
Yes, I agree. The term "closed port" is somewhat misleading to those who have no idea of how a TCP/IP stack works.
What is surprising though is that this flaw exists in such a mature OS as Windows. But then again this is Microsoft we are talking about.
>> On Wed, Nov 9, 2011 at 11:22 AM, Darren Martyn
>> <d.martyn.fulldisclosure@...il.com> wrote:
>>>
>>> So... Another Conficker type worm possible from this bug if everyone cocks
>>> up and fails to patch?
>>>
>
> While I'd love to see an exploit from a purely academic perspective,
> it doesn't appear that this is the type of bug where exploitation is
> going to be reliable enough to support a worm. The reference counter
> in question is most likely 32 bits, but even giving the benefit of the
> doubt and saying it's a 16-bit refcount, that's still 2^16 events
> (probably receiving a certain UDP packet) that need to be triggered
> precisely in order to cause a refcount overflow and then trigger a
> remote kernel use-after-free condition, which wouldn't be trivial to
> exploit even by itself. On an unreliable network like the Internet,
> it seems unlikely that the kind of traffic volume required to trigger
> this bug could be generated without dropping a single packet.
> Reliable DoS seems more likely though.
>
> -Dan
>
>>> On Tue, Nov 8, 2011 at 10:10 PM, Nahuel Grisolia
>>> <nahuel.grisolia@...il.com> wrote:
>>>>
>>>> Kingcope, where's the exploit?
>>>>
>>>> :P
>>>>
>>>> On Nov 8, 2011, at 6:53 PM, Henri Salo wrote:
>>>>
>>>>> http://technet.microsoft.com/en-us/security/bulletin/ms11-083
>>>>>
>>>>> "The vulnerability could allow remote code execution if an attacker
>>>>> sends a continuous flow of specially crafted UDP packets to a closed port on
>>>>> a target system."
>>>>>
>>>>> Microsoft did it once again.
>>>>>
>>>>> - Henri Salo
>>>>>
>>>>> _______________________________________________
>>>>> Full-Disclosure - We believe in it.
>>>>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>>>>> Hosted and sponsored by Secunia - http://secunia.com/
>>>>
>>>
>>>
>>>
>>> --
>>> My Homepage :D
>>>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
iQEVAwUBTrp77rIvn8UFHWSmAQLAoAf/SQFShTXjNjfclb73hs4z/RajsNJfzl5x
PIdT7N5q57Uzem1c7rvRoIPwF/Uv3wyL5qpyjq7USO4X/VhswlXgjVM022NPkCRE
uRV5/rES2lvBM7CVpJo/virO9qoKOs4VGzZK1GNbGyiE4PeCvzFZvyrtGHyEALc9
rDX00ZCo31O1xVP9M6X7g0il82x5LcDGpNQ5GZRFhpwfEkJeIZOIb80j90Y17Gu2
3fSFmFIHQRWT2vx3gEEi6PgI3rquQWKgS2RMLdBGigTJX5Sq2vD9RjT26enpRl4V
NO9BEBVm9/zdebCQ4ahfPrv+M9IZGxak6sQ+SB+mMaoukSFz8cqWsA==
=VEn4
-----END PGP SIGNATURE-----
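A worked model of the two points Dan makes above, added here as an example; it is not code from the thread, from Windows, or from the PaX project. classify() shows the parsing a stack has to finish (Ethernet frame, IPv4 header, UDP header, each bounds-checked) before it can even decide that a datagram is for a closed port; handle_frame() then models the refcount-overflow bug class with a per-port control block whose reference is leaked on the closed-port path, beside a PaX-style checked counter that saturates instead of wrapping. Everything in it is assumed: the names (classify, port_cb, cb_get, cb_put, handle_frame), the 16-bit counter width (chosen so the wrap is reachable in a fast loop; Dan's guess of 32 bits only changes the packet count), the leaked-reference mechanism, and the sample frame, which is constructed rather than captured.

```c
/* Added example (not code from the thread, Windows, or PaX): a toy model of
 * the receive path Dan describes. classify() does the parsing a stack must
 * finish before it can say "closed port"; handle_frame() models the bug class
 * with a per-port control block whose refcount is leaked on that path. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum verdict { V_MALFORMED, V_NOT_UDP4, V_SATURATED, V_CLOSED, V_DELIVER };

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
/* Link-layer frame, IPv4 header, UDP header: each is bounds-checked and
 * parsed before the destination port is even visible. */
static enum verdict classify(const uint8_t *f, size_t len,
                             const uint16_t *open, size_t nopen, uint16_t *dport)
{
    if (len < 14) return V_MALFORMED;                  /* Ethernet header */
    if (be16(f + 12) != 0x0800) return V_NOT_UDP4;     /* not IPv4 */
    const uint8_t *ip = f + 14; size_t rem = len - 14;
    if (rem < 20 || (ip[0] >> 4) != 4) return V_MALFORMED;
    size_t ihl = (size_t)(ip[0] & 0x0f) * 4, tot = be16(ip + 2);
    if (ihl < 20 || tot < ihl + 8 || tot > rem) return V_MALFORMED; /* lengths must fit */
    if (ip[9] != 17) return V_NOT_UDP4;                /* not UDP */
    const uint8_t *udp = ip + ihl;
    size_t ulen = be16(udp + 4);
    if (ulen < 8 || ulen > tot - ihl) return V_MALFORMED;
    *dport = be16(udp + 2);
    for (size_t i = 0; i < nopen; i++) if (open[i] == *dport) return V_DELIVER;
    return V_CLOSED;
}

/* Hypothetical per-port control block; 16-bit counter so the wrap is reachable quickly. */
struct port_cb { uint16_t refcnt; bool freed; };
#define REFCOUNT_SATURATED 0xFFFFu

/* checked=true is the PaX REFCOUNT idea: refuse to wrap. A saturated object is
 * leaked for the life of the system, a memory leak instead of a UAF. */
static bool cb_get(struct port_cb *cb, bool checked)
{
    if (checked && cb->refcnt == REFCOUNT_SATURATED) return false;
    cb->refcnt++;                                   /* unchecked: 0xFFFF + 1 == 0 */
    return true;
}

static void cb_put(struct port_cb *cb)
{
    if (!cb->freed && --cb->refcnt == 0) cb->freed = true;   /* stands in for kfree() */
}

/* Receive path: hold a reference on the control block for the port check.
 * The modelled bug: the closed-port path drops the packet but forgets cb_put(). */
static enum verdict handle_frame(struct port_cb *cb, const uint8_t *f, size_t len,
                                 const uint16_t *open, size_t nopen, bool checked)
{
    uint16_t dport;
    enum verdict v = classify(f, len, open, nopen, &dport);
    if (v != V_CLOSED && v != V_DELIVER) return v;  /* rejected before any state was taken */
    if (!cb_get(cb, checked)) return V_SATURATED;   /* hardened build just drops it */
    if (v == V_DELIVER) cb_put(cb);                  /* correct path releases */
    return v;                                        /* V_CLOSED: reference leaked */
}

/* Constructed sample frame (not captured traffic): Ethernet, IPv4
 * 10.0.0.1 -> 10.0.0.2, UDP 1234 -> 1434, empty payload, checksums left zero. */
static const uint8_t FRAME[42] = {
    0xff,0xff,0xff,0xff,0xff,0xff, 0x00,0x11,0x22,0x33,0x44,0x55, 0x08,0x00,
    0x45,0x00, 0x00,0x1c, 0x00,0x00, 0x40,0x00, 0x40,0x11, 0x00,0x00,
    0x0a,0x00,0x00,0x01, 0x0a,0x00,0x00,0x02,
    0x04,0xd2, 0x05,0x9a, 0x00,0x08, 0x00,0x00,
};

/* Classify the sample frame, optionally truncated to len bytes, against one open port. */
static enum verdict sample_verdict(uint16_t open_port, size_t len)
{
    uint16_t dport = 0;
    return classify(FRAME, len, &open_port, 1, &dport);
}

/* Flood the closed port while a correct user of the same control block keeps
 * doing a matched get/put. Returns the closed-port packet count after which the
 * object is freed with the owner's reference still live (the UAF), or 0 if never. */
static unsigned long packets_until_premature_free(bool checked)
{
    struct port_cb cb = { .refcnt = 1, .freed = false };   /* 1 = owner's reference */
    static const uint16_t open_ports[] = { 53 };           /* 1434 is closed */
    for (unsigned long n = 1; n <= 70000; n++) {
        handle_frame(&cb, FRAME, sizeof FRAME, open_ports, 1, checked);
        if (cb_get(&cb, checked)) cb_put(&cb);              /* the legitimate user */
        if (cb.freed) return n;                             /* owner now holds a dangling pointer */
    }
    return 0;
}

int main(void)
{
    printf("unchecked: freed early after %lu packets; checked: %lu\n",
           packets_until_premature_free(false), packets_until_premature_free(true));
    return 0;
}
```

Build it with any C99 compiler and run it: the unchecked counter frees the control block after 65535 closed-port packets while the owner's reference is still live, which is the order of 2^16 events Dan gives for a 16-bit counter; the checked counter never does, at the price of a permanently leaked object once it saturates. The hardened build's only response at that point is to drop the packet, which is why a saturating refcount turns a remote kernel use-after-free into a bounded memory leak. Note also that a truncated or length-lying frame is rejected inside classify() before any reference is taken, so the state that can go wrong is exactly the state allocated for the port check itself.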