Security Incidents mailing list archives
Re: Yahoo Messenger Stale Sessions
From: BANIER Jeremie <jeremie.banier () swift com>
Date: Thu, 14 Nov 2002 14:49:51 +0100
Hello,

I believe switching on keep-alive would perhaps solve that one ...

<knip>
Windows 2000 TCP keep-alive behavior can be modified by changing the values of the KeepAliveTime and KeepAliveInterval registry entries (HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters). TCP keep-alives can be sent once for every interval specified by the value of KeepAliveTime (defaults to 7,200,000 milliseconds, or two hours) if no other data or higher level keep-alives have been carried over the TCP connection. If there is no response to a keep-alive, it is repeated once every interval specified by the value of KeepAliveInterval in seconds. By default, the KeepAliveInterval entry is set to a value of one second.
</knip>

Hope it helps, if not reboot ;-)

Jeremie

Tat Wee Kan wrote:
----- Original Message -----
From: <Leonard.Ong () nokia com>
To: <security-basics () securityfocus com>; <incidents () securityfocus com>; <bugtraq () securityfocus com>
Sent: Monday, November 11, 2002 11:04 AM
Subject: Yahoo Messenger Stale Sessions

During my observation in daily use of Yahoo Messenger, my computer has "stale/zombie" sessions. For example, if I have received/message a friend, Yahoo will normally make a direct connection from my PC to my friend. From Netstat result, you can see a high port on my computer is having an Established session with my peer's:5101 port.

The issue is, after a contact has gone offline (dial-up), the state established in the netstat will remain until the next day. I would see this as a vulnerability, since an arbitrary user can assume the IP Address was used (dial-up->dynamic ip assignment), and use this established session to assume it.

Any idea?

Hmm, I'm not an expert in this, but I do realize if the 4-way handshake for terminating a connection is not done properly, e.g. the user switched off his dial-up modem abruptly, it would cause the "stale/zombie" sessions described as above. The dial-up machine will not have the opportunity to send the FIN to your machine. You probably need to know the sequence number, source port, destination port as well as source IP and destination IP (which you should know).
-- "Ok, so the servers are down, the lights are out, and all I have to work with is a roll of duct tape, a ball point pen, a lighter, and a twenty year old copy of emacs. Where's the problem? "
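
The registry entries quoted in the message above only supply timers; TCP keep-alive probes are sent only on sockets where the application has set SO_KEEPALIVE. The following is an added example, not part of the original thread, showing how a program enables keep-alive per socket and how long a silently vanished peer can then linger; the function names, the timer values and the probe count are illustrative assumptions.

```python
import socket
import sys

def keepalive_settings(sock):
    """Read back the keep-alive state the OS will use for this socket."""
    state = {"enabled": bool(sock.getsockopt(socket.SOL_SOCKET, socket.SO_KEEPALIVE))}
    if hasattr(socket, "TCP_KEEPIDLE"):  # Linux exposes the per-socket timers
        for key, opt in (("idle_s", socket.TCP_KEEPIDLE),
                         ("interval_s", socket.TCP_KEEPINTVL),
                         ("probes", socket.TCP_KEEPCNT)):
            state[key] = sock.getsockopt(socket.IPPROTO_TCP, opt)
    return state

def enable_keepalive(sock, idle_s=60, interval_s=5, probes=4):
    """Turn keep-alive on for one socket (assumed, constructed timer values)."""
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_KEEPALIVE, 1)
    if sys.platform == "win32":
        # Per-socket override of the system-wide KeepAliveTime and
        # KeepAliveInterval, in milliseconds. The probe count is not
        # settable through this call, so `probes` is ignored here.
        sock.ioctl(socket.SIO_KEEPALIVE_VALS,
                   (1, idle_s * 1000, interval_s * 1000))
    elif hasattr(socket, "TCP_KEEPIDLE"):
        sock.setsockopt(socket.IPPROTO_TCP, socket.TCP_KEEPIDLE, idle_s)
        sock.setsockopt(socket.IPPROTO_TCP, socket.TCP_KEEPINTVL, interval_s)
        sock.setsockopt(socket.IPPROTO_TCP, socket.TCP_KEEPCNT, probes)
    return keepalive_settings(sock)

def detection_time_s(idle_s, interval_s, probes):
    """Worst-case seconds an idle connection to a dead peer stays ESTABLISHED:
    the idle wait, then `probes` unanswered probes spaced `interval_s` apart."""
    return idle_s + interval_s * probes

if __name__ == "__main__":
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        print("default :", keepalive_settings(s))   # keep-alive is off
        print("enabled :", enable_keepalive(s))
    # Timers quoted in the message (2 h idle, 1 s interval); 5 probes is assumed.
    print("quoted defaults:", detection_time_s(7200, 1, 5), "seconds")
    print("tuned example  :", detection_time_s(60, 5, 4), "seconds")
```

A socket that never has SO_KEEPALIVE set is never probed, so an idle connection to a peer that dropped without sending a FIN stays in ESTABLISHED no matter what the registry timers say.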