Full Disclosure mailing list archives
Re: Microsoft Windows vulnerability in TCP/IP Could Allow Remote Code Execution (2588516)
From: Dave <mrx () propergander org uk>
Date: Wed, 09 Nov 2011 13:11:10 +0000
On 09/11/2011 11:45, Dan Rosenberg wrote:
> On Wed, Nov 9, 2011 at 6:25 AM, Darren Martyn <d.martyn.fulldisclosure () gmail com> wrote:
>> Balls, I forgot to add this to the last message, but has anyone examined the patch yet? I can only imagine it would be VERY interesting to look at... <sarcasm> Or that it opens all UDP ports so that there are no closed ones to exploit </sarcasm>
>
> Yet another bug class (refcount overflows) that the PaX Team eradicated years ago and everyone else is still scrambling to catch up.
>
> People seem incredulous that the bug can be triggered by sending traffic to closed ports. Keep in mind that the only way your networking stack knows to reject packets that are directed towards closed ports is to do some preliminary parsing of those packets, namely allocating some control structures, receiving at least the physical/link layer frame, IP header, and transport layer header, and parsing out the port and destination address. There's plenty of things that can go wrong before the kernel decides "this is for a port that's not open" and drops it, which appears to be what happened here. Doesn't make the bug any less terrible, but it's not quite as surprising as people seem to think.
Yes, I agree. The term "closed port" is somewhat misleading to those who have no idea of how a TCP/IP stack works. What is surprising though is that this flaw exists in such a mature OS as Windows. But then again this is Microsoft we are talking about.
> On Wed, Nov 9, 2011 at 11:22 AM, Darren Martyn <d.martyn.fulldisclosure () gmail com> wrote:
>> So... Another Conficker type worm possible from this bug if everyone cocks up and fails to patch?
>
> While I'd love to see an exploit from a purely academic perspective, it doesn't appear that this is the type of bug where exploitation is going to be reliable enough to support a worm. The reference counter in question is most likely 32 bits, but even giving the benefit of the doubt and saying it's a 16-bit refcount, that's still 2^16 events (probably receiving a certain UDP packet) that need to be triggered precisely in order to cause a refcount overflow and then trigger a remote kernel use-after-free condition, which wouldn't be trivial to exploit even by itself. On an unreliable network like the Internet, it seems unlikely that the kind of traffic volume required to trigger this bug could be generated without dropping a single packet. Reliable DoS seems more likely though.
>
> -Dan
>
>> On Tue, Nov 8, 2011 at 10:10 PM, Nahuel Grisolia <nahuel.grisolia () gmail com> wrote:
>>> Kingcope, where's the exploit? :P
>>>
>>> On Nov 8, 2011, at 6:53 PM, Henri Salo wrote:
>>>> http://technet.microsoft.com/en-us/security/bulletin/ms11-083
>>>>
>>>> "The vulnerability could allow remote code execution if an attacker sends a continuous flow of specially crafted UDP packets to a closed port on a target system."
>>>>
>>>> Microsoft did it once again.
>>>>
>>>> - Henri Salo
>>>>
>>>> _______________________________________________
>>>> Full-Disclosure - We believe in it.
>>>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>>>> Hosted and sponsored by Secunia - http://secunia.com/
>>
>> --
>> My Homepage :D
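The refcount-overflow bug class Dan describes above, as an added illustration that is not part of the thread and models neither the Windows nor the PaX implementation: a naive 16-bit counter wraps after the 2^16 takes he mentions and the object is freed under a holder that still uses it, while a counter that detects the overflow and refuses to wrap does not. All names and the structure layout are constructed for the example.

```c
#include <stdbool.h>
#include <stdint.h>

/* Constructed model of a kernel control structure whose lifetime is governed
 * by a reference counter. A 16-bit counter is used so the wrap appears after
 * the 2^16 events mentioned in the thread; a 32-bit counter behaves the same
 * way after 2^32 events. Nothing here is Windows or PaX code. */
typedef struct {
    uint16_t refcount;
    bool     freed;
} ctl_block_t;

typedef struct {
    bool     freed;    /* released while the original holder still uses it */
    uint32_t refused;  /* takes the hardened counter declined */
} outcome_t;

/* Release one reference; a counter reaching zero frees the object. */
static void put_ref(ctl_block_t *b) {
    if (--b->refcount == 0) b->freed = true;
}

/* Naive take: the increment silently wraps modulo 2^16. */
static bool naive_get(ctl_block_t *b) { b->refcount++; return true; }

/* Hardened take in the spirit of the PaX refcount protection: detect the
 * overflow, saturate at the ceiling and refuse instead of wrapping. A real
 * kernel would also log the event and deliberately leak the object. */
static bool hardened_get(ctl_block_t *b) {
    if (b->refcount == UINT16_MAX) return false;
    b->refcount++;
    return true;
}

/* One legitimate holder keeps a reference while `n` transient takes occur;
 * afterwards a single transient holder releases its reference. */
static outcome_t simulate(uint32_t n, bool (*get)(ctl_block_t *)) {
    ctl_block_t b = { .refcount = 1, .freed = false };
    outcome_t o = { false, 0 };
    for (uint32_t i = 0; i < n; i++)
        if (!get(&b)) o.refused++;
    put_ref(&b);
    o.freed = b.freed;
    return o;
}

outcome_t naive_outcome(uint32_t n)    { return simulate(n, naive_get); }
outcome_t hardened_outcome(uint32_t n) { return simulate(n, hardened_get); }
```

With the naive counter, 2^16 - 1 extra takes only wrap the count to zero; it is the full 2^16 that brings it back to one, so the next release frees the object while every other holder still references it.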