Re: Microsoft Windows vulnerability in TCP/IP Could Allow Remote Code Execution (2588516)

[GomoR <gomor-fd () gomor org>]

On Wed, Nov 09, 2011 at 06:45:59AM -0500, Dan Rosenberg wrote:
[..]
> While I'd love to see an exploit from a purely academic perspective,
> it doesn't appear that this is the type of bug where exploitation is
> going to be reliable enough to support a worm.  The reference counter
> in question is most likely 32 bits, but even giving the benefit of the
> doubt and saying it's a 16-bit refcount, that's still 2^16 events
> (probably receiving a certain UDP packet) that need to be triggered
> precisely in order to cause a refcount overflow and then trigger a
> remote kernel use-after-free condition, which wouldn't be trivial to
> exploit even by itself.  On an unreliable network like the Internet,
> it seems unlikely that the kind of traffic volume required to trigger
> this bug could be generated without dropping a single packet.
> Reliable DoS seems more likely though.

I would love to hear about results running this exploit/PoC/whatever 
against a xBSD TCP/IP stack.

Microsoft Windows TCP/IP stack looks so BSDish to me since Windows Vista.

But that's probably because they "rewrote" it completely at that 
time (with integration of their "new" IPv6 stack also).

Joke: "Chuck Norris can exploit sockets that aren't even listening."

-- 
  ^  ___  ___             http://www.GomoR.org/          <-+
  | / __ |__/            Senior Security Engineer          |
  | \__/ |  \     ---[ zsh$ alias psed='perl -pe ' ]---    |
  +-->  Net::Frame <=> http://search.cpan.org/~gomor/  <---+

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/