Message-ID: <20111109151656.GA473@agathon.enslaved.lan>
Date: Wed, 9 Nov 2011 16:16:56 +0100
From: GomoR <gomor-fd@...or.org>
To: full-disclosure@...ts.grok.org.uk
Subject: Re: Microsoft Windows vulnerability in TCP/IP Could Allow Remote Code Execution (2588516)

On Wed, Nov 09, 2011 at 06:45:59AM -0500, Dan Rosenberg wrote:
[..]
> While I'd love to see an exploit from a purely academic perspective,
> it doesn't appear that this is the type of bug where exploitation is
> going to be reliable enough to support a worm.  The reference counter
> in question is most likely 32 bits, but even giving the benefit of the
> doubt and saying it's a 16-bit refcount, that's still 2^16 events
> (probably receiving a certain UDP packet) that need to be triggered
> precisely in order to cause a refcount overflow and then trigger a
> remote kernel use-after-free condition, which wouldn't be trivial to
> exploit even by itself.  On an unreliable network like the Internet,
> it seems unlikely that the kind of traffic volume required to trigger
> this bug could be generated without dropping a single packet.
> Reliable DoS seems more likely though.

I would love to hear about results running this exploit/PoC/whatever
against an xBSD TCP/IP stack. The Microsoft Windows TCP/IP stack looks so
BSDish to me since Windows Vista. But that's probably because they
"rewrote" it completely at that time (with integration of their "new"
IPv6 stack also).

Joke: "Chuck Norris can exploit sockets that aren't even listening."

-- 
   ^  ___  ___             http://www.GomoR.org/  <-+
   | / __ |__/  Senior Security Engineer            |
   | \__/ |  \  ---[ zsh$ alias psed='perl -pe ' ]---  |
   +--> Net::Frame <=> http://search.cpan.org/~gomor/ <---+

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
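The quoted reply argues from the mechanics of a reference-counter overflow: a counter of N bits must be driven through exactly 2^N leaked increments before a perfectly ordinary get/put pair frees the object while other holders still point at it. The following is an added illustration of that mechanism, written for this archive page; it is not code from either poster, not Windows code, and says nothing about the real object behind MS11-083. The 16-bit counter width, the struct layout, the function names (obj_get, obj_put, refcount_overflow_frees, leaks_needed, owner_reads_first_byte) and the "poison on free" behaviour are all assumptions chosen so the wrap is reachable in a fraction of a second; switching refcnt_t to uint32_t makes leaks_needed() return 2^32 - 1, which is the traffic-volume objection in the quoted text.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Illustrative model only (added example, not Windows code). The counter
 * width is an assumption chosen so the wrap is reachable in milliseconds;
 * change refcnt_t to uint32_t and leaks_needed() becomes 2^32 - 1. */
typedef uint16_t refcnt_t;
#define REFCNT_MAX ((refcnt_t)-1)           /* 65535 for a 16-bit counter */

struct refobj {
    refcnt_t      refcnt;
    int           freed;                    /* simulated free so the state stays inspectable */
    unsigned char data[8];
};

static struct refobj g_obj;                 /* the object the owner keeps a pointer to */

static void obj_get(struct refobj *o)
{
    o->refcnt++;                            /* unchecked increment: wraps silently past REFCNT_MAX */
}

static void obj_put(struct refobj *o)
{
    if (--o->refcnt == 0) {
        o->freed = 1;                       /* in a kernel: the pool block goes back to the allocator */
        memset(o->data, 0xdd, sizeof o->data);  /* poison, as a freed block would be overwritten on reuse */
    }
}

/* One owner holds a long-lived reference. Each of 'leaked' attacker-triggered
 * events (the "certain UDP packet" in the thread) takes a reference that is
 * never dropped. Then one ordinary, balanced get/put pair runs, as any benign
 * request would. Returns 1 if that balanced pair freed the object out from
 * under the owner, which is the use-after-free condition. */
int refcount_overflow_frees(unsigned long leaked)
{
    memset(&g_obj, 0, sizeof g_obj);
    memcpy(g_obj.data, "live", 5);
    obj_get(&g_obj);                        /* owner's reference: refcnt == 1 */
    for (unsigned long i = 0; i < leaked; i++)
        obj_get(&g_obj);                    /* leaked references; the counter may wrap to 0 */
    obj_get(&g_obj);                        /* benign request takes ... */
    obj_put(&g_obj);                        /* ... and releases its reference */
    return g_obj.freed;
}

/* What the owner sees when it dereferences its (possibly dangling) pointer. */
unsigned owner_reads_first_byte(void)
{
    return g_obj.data[0];
}

/* Leaks needed so the counter sits at exactly 0 before the benign get/put:
 * 1 (owner) + leaks == REFCNT_MAX + 1, i.e. leaks == REFCNT_MAX. One fewer
 * and the benign get is what wraps to 0, its put then leaves REFCNT_MAX and
 * nothing is freed; one more and the counter wraps to 1, same outcome. That
 * is the "triggered precisely" requirement from the quoted reply. */
unsigned long leaks_needed(void)
{
    return (unsigned long)REFCNT_MAX;
}

int main(void)
{
    unsigned long n = leaks_needed();
    unsigned long trials[3] = { n - 1, n, n + 1 };

    printf("%zu-bit counter: %lu leaked references needed\n", sizeof(refcnt_t) * 8, n);
    for (int i = 0; i < 3; i++) {
        int freed = refcount_overflow_frees(trials[i]);
        printf("%lu leaks -> freed=%d, owner reads 0x%02x\n",
               trials[i], freed, owner_reads_first_byte());
    }
    return 0;
}
```

Running it shows the owner reading 'l' (0x6c) for 65534 and 65536 leaks, and the poison byte 0xdd for exactly 65535: one dropped or duplicated packet in the leak phase moves the counter past the only value that frees the object, which is why the quoted reply rates a reliable remote UAF as unlikely over a lossy network while a DoS (the object simply being wedged or freed at the wrong time) remains plausible.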