[NT] Etherleak Information Leak in Windows Server 2003 Drivers

From: SecuriTeam (support_at_securiteam.com)
Date: 06/09/03

    To: list@securiteam.com
    Date: 9 Jun 2003 20:49:19 +0200
    
    

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
    - - promotion

    Latest attack techniques.

    You're a pen tester, but is google.com still your R&D team?
    Now you can get trustworthy commercial-grade exploits and the latest
    techniques from a world-class research group.

    Learn more at http://www.coresecurity.com/promos/sit_e1,
    or call 617-399-6980

    - - - - - - - - -

      Etherleak Information Leak in Windows Server 2003 Drivers
    ------------------------------------------------------------------------

    SUMMARY

    Several NIC device drivers that ship with Windows Server 2003 have been
    found to disclose information in a similar way to the 'Etherleak' frame
    padding issue announced by @Stake in January 2003. The original Etherleak
    paper and the subsequent discussion were concerned with ICMP message
    padding. NGSSoftware Insight Security Research (NISR) has observed a
    similar issue within a TCP stream.

    DETAILS

    The original Etherleak paper from Ofir Arkin and Josh Anderson of @Stake
    ("Etherleak: Ethernet Frame Padding Information Leakage", available at
    http://www.securiteam.com/securitynews/5BP01208UO.html) concerns itself
    primarily with the padding of ICMP messages with non-zero bytes; the
    padding bytes could potentially come from any area of physical memory.
    NISR have observed the issue within a TCP stream, particularly during the
    FIN-ACK exchange when a connection is gracefully closed. To date, NISR
    have not seen any discussion of Etherleak-style vulnerabilities within a
    TCP stream, only ICMP. It is possible that vendors are only testing for
    Ethernet frame padding issues within ICMP and are neglecting TCP.

    When the @Stake paper was released, Microsoft stated that tests would be
    added to the Microsoft driver certification program which specifically
    checked for this issue; NISR are releasing this advisory since there are
    multiple drivers shipped with Windows Server 2003 which are vulnerable and
    yet certified by Microsoft and included on the CD.

    Vulnerable drivers include:
     * VIA Rhine II Compatible network card (integrated into some
       motherboards).
     * AMD PCNet family network cards (used by several versions of VMWare).

    Both drivers are digitally signed by the Microsoft Windows Publisher, and
    are included on the Windows Server 2003 CD. Both drivers exhibit the same
    behavior, that of padding frames with arbitrary data. The FIN-ACK packets
    exchanged during the graceful close of a TCP connection are a particularly
    good source of information; several bytes of potentially sensitive data
    (including POP3 passwords) have been observed appended to the data portion
    of Ethernet frames sent by these cards.
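    The leak described above is visible on the wire as a mismatch between the
    length the IP header declares and the length of the Ethernet frame that
    carries it: a 40-byte FIN-ACK (20-byte IP header plus 20-byte TCP header)
    must be padded by the driver or NIC to the 60-byte Ethernet minimum, and a
    correct driver fills those 6 bytes with zeros. The following Python is an
    added example, not code from the advisory or from NISR, that parses raw
    Ethernet frames (without FCS, as a packet capture stores them), extracts
    the trailing padding and flags any frame whose padding is non-zero. The
    frame builder, MAC and IP addresses and the leaked string "pass12" are
    constructed test data, not observed values; capture frames on a separate
    host on the same segment, since a capture taken on the sending machine
    may not include padding that the hardware adds.

```python
import struct
from typing import List, Optional, Tuple

ETH_HDR_LEN = 14          # dst MAC (6) + src MAC (6) + ethertype (2)
ETHERTYPE_IPV4 = 0x0800
ETH_MIN_FRAME = 60        # minimum on-wire frame size, FCS excluded
TCP_FLAG_FIN_ACK = 0x11   # FIN (0x01) | ACK (0x10)


def ethernet_padding(frame: bytes) -> Optional[bytes]:
    """Return the bytes that trail the IPv4 packet inside an Ethernet frame.

    Returns None for non-IPv4 or malformed frames. The padding is everything
    after the IP 'total length' field says the packet ends.
    """
    if len(frame) < ETH_HDR_LEN + 20:
        return None
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETHERTYPE_IPV4:
        return None
    ip = frame[ETH_HDR_LEN:]
    if ip[0] >> 4 != 4:                     # version nibble must be 4
        return None
    total_len = struct.unpack("!H", ip[2:4])[0]
    if total_len < 20 or total_len > len(ip):
        return None                         # truncated or inconsistent
    return ip[total_len:]


def tcp_flags(frame: bytes) -> Optional[int]:
    """Return the TCP flags byte for an IPv4/TCP frame, else None."""
    ip = frame[ETH_HDR_LEN:]
    ihl = (ip[0] & 0x0F) * 4                # IP header length in bytes
    if ip[9] != 6 or len(ip) < ihl + 14:    # protocol 6 = TCP
        return None
    return ip[ihl + 13]


def is_leaky(frame: bytes) -> bool:
    """True when the frame carries padding and at least one pad byte is non-zero."""
    pad = ethernet_padding(frame)
    return pad is not None and any(pad)


def scan_frames(frames: List[bytes]) -> List[Tuple[int, Optional[int], bytes]]:
    """Report (index, tcp_flags, padding) for every frame with non-zero padding."""
    findings = []
    for idx, frame in enumerate(frames):
        if is_leaky(frame):
            findings.append((idx, tcp_flags(frame), ethernet_padding(frame)))
    return findings


def build_fin_ack_frame(padding: bytes) -> bytes:
    """Construct a minimal IPv4/TCP FIN-ACK frame with the given trailing padding.

    Constructed test data: addresses are documentation values, checksums are
    left at zero because the parser above does not verify them.
    """
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb")
    eth += struct.pack("!H", ETHERTYPE_IPV4)
    # IPv4: ver/ihl, tos, total_len=40, id, flags/frag, ttl, proto=TCP, csum, src, dst
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0x1234, 0x4000, 64, 6, 0,
                     bytes([192, 0, 2, 10]), bytes([192, 0, 2, 20]))
    # TCP: sport=110 (POP3), dport, seq, ack, data offset=5 words, flags=FIN|ACK
    tcp = struct.pack("!HHIIBBHHH", 110, 40000, 1000, 2000, 0x50,
                      TCP_FLAG_FIN_ACK, 8192, 0, 0)
    frame = eth + ip + tcp + padding
    assert len(frame) == ETH_MIN_FRAME     # 14 + 20 + 20 + 6 bytes of padding
    return frame


if __name__ == "__main__":
    clean = build_fin_ack_frame(b"\x00" * 6)       # what a fixed driver sends
    leaky = build_fin_ack_frame(b"pass12")          # constructed leaked bytes
    for idx, flags, pad in scan_frames([clean, leaky]):
        print(f"frame {idx}: tcp flags 0x{flags:02x}, non-zero padding {pad!r}")
```

    Run against real frames (for example, each packet's bytes from a pcap
    reader), the same check isolates driver-padded bytes from ordinary
    payload, because only data beyond the IP total length can have been
    supplied by the driver or NIC rather than by the TCP/IP stack.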

    Fix Information:
    Microsoft's statement regarding this issue on the CERT website (available
    at http://www.kb.cert.org/vuls/id/JPLA-5BGP7V) states:
    "Microsoft does not ship any Microsoft written drivers that contain the
    vulnerability. However, we have found some 3rd party drivers and samples
    in our documentation that, when compiled without alteration, could yield a
    driver that could contain this issue. We have made corrections to the
    samples in our documentation and are working with 3rd parties, and have
    included tests for this issue in our driver certification program."

    Since some network drivers that are certified by Microsoft in their latest
    release of Windows are still exhibiting these issues, NISR recommends that
    Microsoft certification not be taken as a guarantee of comprehensive
    testing. Instead, CERT provides a list of all related hardware and
    software vendors at http://www.kb.cert.org/vuls/id/412115; we would
    recommend that customers refer to this list for their specific hardware
    vendor to determine exposure to this issue. Alternatively, contact the
    vendor of your networking hardware for further information.

    ADDITIONAL INFORMATION

    The information has been provided by NGSSoftware Insight Security
    Research (nisr@nextgenss.com).

    ========================================

    This bulletin is sent to members of the SecuriTeam mailing list.
    To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
    In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

    ========================================

    DISCLAIMER:
    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

