Full Disclosure mailing list archives
Re: Microsoft Windows vulnerability in TCP/IP Could Allow Remote Code Execution (2588516)
From: GomoR <gomor-fd () gomor org>
Date: Wed, 9 Nov 2011 16:16:56 +0100
On Wed, Nov 09, 2011 at 06:45:59AM -0500, Dan Rosenberg wrote:
[..]
> While I'd love to see an exploit from a purely academic perspective, it doesn't appear that this is the type of bug where exploitation is going to be reliable enough to support a worm. The reference counter in question is most likely 32 bits, but even giving the benefit of the doubt and saying it's a 16-bit refcount, that's still 2^16 events (probably receiving a certain UDP packet) that need to be triggered precisely in order to cause a refcount overflow and then trigger a remote kernel use-after-free condition, which wouldn't be trivial to exploit even by itself. On an unreliable network like the Internet, it seems unlikely that the kind of traffic volume required to trigger this bug could be generated without dropping a single packet. Reliable DoS seems more likely though.
I would love to hear about results running this exploit/PoC/whatever against a xBSD TCP/IP stack. Microsoft Windows TCP/IP stack looks so BSDish to me since Windows Vista. But that's probably because they "rewrote" it completely at that time (with integration of their "new" IPv6 stack also).

Joke: "Chuck Norris can exploit sockets that aren't even listening."

-- 
http://www.GomoR.org/
Senior Security Engineer
zsh$ alias psed='perl -pe '
Net::Frame <=> http://search.cpan.org/~gomor/
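The refcount-overflow condition discussed in the quoted paragraph, as an added C simulation that is not part of the original thread: a hypothetical object with a 16-bit counter (the width the post grants for argument's sake) shows that only one exact number of leaked references frees the object under a live holder, and that a saturating counter turns the bug into a leak. All names are illustrative and the code models no Windows or BSD source.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical refcounted object; 16 bits is the width the quoted post
 * grants for the sake of argument. Not modelled on any real kernel code. */
struct obj { uint16_t refs; bool freed; };

/* Take a reference. Unchecked mode wraps 65535 -> 0; saturating mode pins
 * the counter at UINT16_MAX instead. */
static void obj_get(struct obj *o, bool saturating) {
    if (saturating && o->refs == UINT16_MAX) return;
    o->refs++;
}

/* Drop a reference; the object is freed when the count reaches zero.
 * A saturated counter is never decremented: the object leaks, which is
 * the safe failure mode. */
static void obj_put(struct obj *o, bool saturating) {
    if (saturating && o->refs == UINT16_MAX) return;
    if (--o->refs == 0) o->freed = true;
}

/* One long-lived holder owns the object (refs = 1). `leaked` references
 * are then taken and never released (the buggy path), followed by one
 * ordinary get/put pair. Returns true if the object was freed while the
 * long-lived holder still points at it, i.e. a use-after-free setup. */
bool freed_while_held(uint32_t leaked, bool saturating) {
    struct obj o = { .refs = 1, .freed = false };
    for (uint32_t i = 0; i < leaked; i++) obj_get(&o, saturating);
    obj_get(&o, saturating);
    obj_put(&o, saturating);
    return o.freed;
}

int main(void) {
    const uint32_t counts[] = { 65534u, 65535u, 65536u };
    for (int i = 0; i < 3; i++)
        printf("leaked=%u unchecked=%d saturating=%d\n", (unsigned)counts[i],
               freed_while_held(counts[i], false),
               freed_while_held(counts[i], true));
    return 0;
}
```

In this model one leaked reference too few or too many leaves the object alive, which is the "triggered precisely" constraint in the quoted text.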