Etherleak information leak in Windows Server 2003 drivers

From: NGSSoftware Insight Security Research (nisr_at_NEXTGENSS.COM)
Date: 06/09/03

    Date: Mon, 9 Jun 2003 13:40:50 +0100
    To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
    
    

    NGSSoftware Insight Security Research Advisory

    Name: Etherleak information leak in Windows Server 2003 drivers
    Systems Affected: Windows Server 2003 (all versions)
    Severity: Low/Medium Risk
    Vendor URL: http://www.microsoft.com/windowsserver2003/
    Author: Chris Paget (chrisp@ngssoftware.com)
    Date: 9th June 2003
    Advisory URL: http://www.nextgenss.com/advisories/etherleak-2003.txt
    Advisory number: #NISR09062003

    Description
    ***********
    Several NIC device drivers that ship with Windows Server 2003 have
    been found to disclose information in a similar way to the 'Etherleak'
    frame padding issue announced by @Stake in January 2003. The original
    Etherleak paper and subsequent discussion was concerned with ICMP
    message padding; NGSSoftware Insight Security Research (NISR) have
    observed a similar issue within a TCP stream.

    Details
    *******
    The original Etherleak paper from Ofir Arkin and Josh Anderson of
    @Stake (available at
    http://www.atstake.com/research/advisories/2003/atstake_etherleak_report.pdf)
    concerns itself primarily with frame padding of ICMP messages with
    non-zero bytes; the padding bytes could potentially come from any area
    of physical memory. NISR have observed the issue within a TCP stream,
    particularly during the FIN-ACK exchange when a connection is
    gracefully closed. To date, NISR have not seen any discussion of
    Etherleak-style vulnerabilities within a TCP stream, only ICMP. It is
    possible that vendors are only testing for ethernet frame padding
    issues within ICMP and are neglecting TCP.

    When the @Stake paper was released, Microsoft stated that tests would
    be added to the Microsoft driver certification program which
    specifically checked for this issue; NISR are releasing this advisory
    since there are multiple drivers shipped with Windows Server 2003
    which are vulnerable and yet certified by Microsoft and included on
    the CD.

    Vulnerable drivers include:
    VIA Rhine II Compatible network card (integrated into some
    motherboards).
    AMD PCNet family network cards (Used by several versions of VMWare)

    Both drivers are digitally signed by the Microsoft Windows Publisher and
    are included on the Windows Server 2003 CD. Both exhibit the same
    behaviour: frames shorter than the Ethernet minimum of 60 bytes (before
    the FCS) are padded out with arbitrary data rather than with zeros. The
    FIN-ACK segments exchanged during the graceful close of a TCP connection
    are a particularly good source of information, because a FIN-ACK without
    TCP options carries no payload and is only 54 bytes long (14-byte
    Ethernet, 20-byte IP and 20-byte TCP headers), so every such frame
    carries 6 bytes of padding. Several bytes of potentially sensitive data
    (including POP3 passwords) have been observed in the padding appended
    beyond the IP datagram in Ethernet frames sent by these cards.
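    The following check is an added example and is not NISR's tooling or
    Microsoft's certification test. It parses raw Ethernet frames, locates
    the bytes that lie beyond the IP total length (that is, the driver or NIC
    padding), and flags any frame whose padding is not all zeros, reporting
    separately when the frame is a TCP FIN/ACK. The two sample frames, the
    addresses and the "leaked" bytes are constructed for the example;
    checksums are left as zero.

```python
"""Detect Etherleak-style padding leaks in captured Ethernet frames.

Ethernet frames must be at least 60 bytes before the FCS. A frame whose
Ethernet header plus IP total length is shorter than that is padded by the
driver or NIC. A correct driver pads with zeros; a leaky driver pads with
whatever is left in the transmit buffer. This example (not the advisory's
code) parses each frame, isolates the padding and flags non-zero padding.
"""
import struct

ETH_HDR_LEN = 14
ETH_MIN_FRAME = 60          # minimum frame length excluding the 4-byte FCS
ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_VLAN = 0x8100
TCP_FIN = 0x01
TCP_ACK = 0x10


def parse_frame(frame):
    """Describe the padding of one IPv4 frame; return None for anything else.

    Result keys: ip_len (IP total length), padding (bytes past the datagram),
    leaked (True if any padding byte is non-zero), proto, tcp_flags (or None).
    """
    if len(frame) < ETH_HDR_LEN:
        return None
    ethertype = struct.unpack_from("!H", frame, 12)[0]
    offset = ETH_HDR_LEN
    if ethertype == ETHERTYPE_VLAN:          # 802.1Q tag adds 4 bytes
        if len(frame) < offset + 4:
            return None
        ethertype = struct.unpack_from("!H", frame, offset + 2)[0]
        offset += 4
    if ethertype != ETHERTYPE_IPV4 or len(frame) < offset + 20:
        return None
    ver_ihl = frame[offset]
    if ver_ihl >> 4 != 4:
        return None
    ihl = (ver_ihl & 0x0F) * 4
    ip_len = struct.unpack_from("!H", frame, offset + 2)[0]
    proto = frame[offset + 9]
    tcp_flags = None
    if proto == 6 and len(frame) >= offset + ihl + 14:
        tcp_flags = frame[offset + ihl + 13]    # TCP flags byte
    padding = frame[offset + ip_len:]           # everything past the datagram
    return {"ip_len": ip_len, "padding": padding, "leaked": any(padding),
            "proto": proto, "tcp_flags": tcp_flags}


def build_fin_ack(padding):
    """Construct a 54-byte TCP FIN/ACK frame (no payload) plus the given padding.

    Addresses and ports are constructed for the example; checksums are zero.
    """
    eth = bytes.fromhex("0011223344550066778899aa") + struct.pack("!H", ETHERTYPE_IPV4)
    ip = struct.pack("!BBHHHBBH4s4s",
                     0x45, 0, 40,            # version 4, IHL 5, total length 40
                     0x1234, 0x4000,         # identification, DF flag
                     64, 6, 0,               # TTL, protocol TCP, checksum 0
                     bytes([192, 0, 2, 10]), bytes([192, 0, 2, 20]))
    tcp = struct.pack("!HHIIBBHHH",
                      110, 40001,            # POP3 server replying to a client
                      1000, 2000,            # seq, ack
                      0x50,                  # data offset 5 words
                      TCP_FIN | TCP_ACK,     # flags
                      8192, 0, 0)            # window, checksum, urgent pointer
    return eth + ip + tcp + padding


def scan(frames):
    """Return (index, kind, padding) for every frame with non-zero padding."""
    findings = []
    for i, frame in enumerate(frames):
        info = parse_frame(frame)
        if info is None or not info["leaked"]:
            continue
        flags = info["tcp_flags"]
        fin_ack = flags is not None and flags & (TCP_FIN | TCP_ACK) == (TCP_FIN | TCP_ACK)
        findings.append((i, "TCP FIN/ACK" if fin_ack else "other", info["padding"]))
    return findings


def collect_leaked_bytes(frames):
    """Join the leaked padding of a capture; a leak arrives a few bytes per frame."""
    return b"".join(pad for _, _, pad in scan(frames))


# Constructed sample capture: a clean driver zero-pads the 6 padding bytes,
# a leaky one fills them with stale transmit-buffer contents.
CLEAN_FRAME = build_fin_ack(b"\x00" * 6)
LEAKY_FRAME = build_fin_ack(b"PASS s")      # constructed "stale" bytes
SAMPLE_CAPTURE = [CLEAN_FRAME, LEAKY_FRAME]

if __name__ == "__main__":
    for idx, kind, pad in scan(SAMPLE_CAPTURE):
        print(f"frame {idx}: {kind} padded with non-zero bytes: {pad!r}")
    print("reassembled padding:", collect_leaked_bytes(SAMPLE_CAPTURE))
```

    To run this against real traffic, feed scan() the raw bytes of each frame
    from a capture taken on the suspect host's link (for instance bytes(pkt)
    for each pkt returned by scapy's rdpcap()); the capture must be taken on
    the wire or from a separate machine, since a capture on the sending host
    may be taken before the driver pads the frame.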

    Fix Information
    ***************
    Microsoft's statement regarding this issue on the CERT website
    (available at http://www.kb.cert.org/vuls/id/JPLA-5BGP7V) states:
    "Microsoft does not ship any Microsoft written drivers that contain
    the vulnerability. However, we have found some 3rd party drivers and
    samples in our documentation that, when compiled without alteration,
    could yield a driver that could contain this issue. We have made
    corrections to the samples in our documentation and are working with
    3rd parties, and have included tests for this issue in our driver
    certification program."

    Since some network drivers that are certified by Microsoft in their
    latest release of Windows are still exhibiting these issues, NISR
    recommends that Microsoft certification is not taken as a guarantee of
    comprehensive testing. Instead, a list of all related hardware and
    software vendors is provided by CERT at
    http://www.kb.cert.org/vuls/id/412115; we would recommend that customers
    refer to this list for their specific hardware vendor to determine
    exposure to this issue. Alternatively, contact the vendor of your
    networking hardware for further information.

    About NGSSoftware
    *****************
    NGSSoftware design, research and develop intelligent, advanced
    application security assessment scanners. Based in the United Kingdom,
    NGSSoftware have offices in the South of London and the East Coast of
    Scotland. NGSSoftware's sister company NGSConsulting, offers best of
    breed security consulting services, specialising in application, host
    and network security assessments.

    http://www.ngssoftware.com/
    http://www.ngsconsulting.com/

    Telephone +44 208 401 0070
    Fax +44 208 401 0076

    enquiries@ngssoftware.com


