Re: Slashback!

[Curt Wilson <curtw () siu edu>]

byte_jump wrote:
> On 1/16/06, Dino A. Dai Zovi <ddz () theta44 org> wrote:
>
> > Do you know how the firewall identifies a "friendly" network?  Does
> > the firewall tap into the wireless layer in Windows to get out the
> > SSID and base station MAC address, or does it just verify the
> > subnet?  I don't actually "use" any of my windows boxes, so I have
> > never used this kind of stuff :).
>
>
>
>
> Doesn't Windows XP have file and print sharing enabled for the local
> network so folks can share printers and files? If it's not enabled by
> default I'm sure it is manually enabled often enough, and being on the
> same 169.254.0.0/16 network would allow attacks over SMB, right?

An XP box I'm working with seems to repeatedly re-create a global
firewall exclusion for file and print sharing at periodic intervals. I
had previously tweaked the exception list but it didn't seem to last. I
have not researched the behavior like I should have. I'd guess that if
an attacker could DoS a DHCP server, lots of MS boxen would end up in
the autoconfigure 169.254 range. Not sure if the autoconfigure
properties change any firewall exceptions, but it could be an
interesting although multi-stage attack.


-- 
Curt Wilson
IT Network Security Officer
Southern Illinois University Carbondale
618-453-6237

GnuPG key: http://www.infotech.siu.edu/security/curtw.pub.asc