lists.openwall.net
Open Source and information security mailing list archives
 
Date: Wed, 9 Nov 2011 18:51:56 +0200
From: Henri Salo <henri@...v.fi>
To: full-disclosure@...ts.grok.org.uk
Subject: Re: Microsoft Windows vulnerability in TCP/IP
 Could Allow Remote Code Execution (2588516)

On Wed, Nov 09, 2011 at 06:45:59AM -0500, Dan Rosenberg wrote:
> People seem incredulous that the bug can be triggered by sending
> traffic to closed ports.  Keep in mind that the only way your
> networking stack knows to reject packets that are directed towards
> closed ports is to do some preliminary parsing of those packets,
> namely allocating some control structures, receiving at least the
> physical/link layer frame, IP header, and transport layer header, and
> parsing out the port and destination address.  There's plenty of
> things that can go wrong before the kernel decides "this is for a port
> that's not open" and drops it, which appears to be what happened here.
>  Doesn't make the bug any less terrible, but it's not quite as
> surprising as people seem to think.

I am surprised about this, because Microsoft is definitely lacking some level of testing and change management in critical code. How many servers are people using without networking these days? We are talking about a remote execution vulnerability in something, which obviously might go unnoticed when we think of security audits, PCI and such. I wonder if the integrated firewall in Windows could block this, as Microsoft should do everything in their power to stop attacks on this security vulnerability.

Related picture: http://paste.nerv.fi/72975464-itbegins.jpeg

Best regards,
Henri Salo
