Flaws in SP2 security features, part II

From: Juergen Schmidt (ju_at_heisec.de)
Date: 11/16/04

  • Next message: Trustix Security Advisor: "TSLSA-2004-0058 - multi"
    Date: Tue, 16 Nov 2004 21:45:35 +0100 (CET)
    To: bugtraq@securityfocus.com, NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM, full-disclosure@lists.netsys.com

    Date: 16.11.2005
    Author: Juergen Schmidt, heise Security
    Original article: http://www.heise.de/security/artikel/53297
    German version: http://www.heise.de/security/news/meldung/53306

    Flaws in SP2 security features, part II

    With Service Pack 2 Microsoft introduced a couple of new security
    features. However, some of them suffer from implementation flaws.

    One of the new security features is the restricted access to raw sockets
    in SP2. By restricting the ability to send handcrafted packets, Microsoft
    wants to "limit the ability of malicious code to create distributed
    denial-of-service attacks and limit the ability to send spoofed packets"

    On the downside, a lot of tools, we use for our daily work, do not work
    with those restrictions -- or have to use strange workarounds. A lot of
    the features of the well known port scanner nmap did not work under
    Windows XP SP2 -- until Fyodor came up with writing raw ethernet frames
    instead of IP packets (which btw does not help on other transport mediums).

    The implementation of those restrictions on raw sockets contains at least
    one bug which makes them close to useless. They are coupled in some
    mysterious way to the firewall service. Issuing the command

    net stop SharedAccess

    stops the firewall and opens the access to raw sockets. You can test this
    easily by trying half open syn scans:

    nmap -sS [somehost]

    or spoofing IP adresses of UDP packets like in

    nmap -sU -S -e eth0 [somehost]

    Neither command works with Windows XP SP2 and firewall enabled, but after
    you turn it off, they do.

    Microsoft has been informed about the problem and promised:

    "Even though we do not consider this a security vulnerability, Microsoft
    is committed to fixing this bug as quickly as is possible."

    The issue was brought to my attention by Holger Lembke who found it during
    his work on "3d traceroute" (http://www.d3tr.com).

    bye, ju

    Juergen Schmidt                 heise Security          www.heisec.de
    Heise Zeitschriften Verlag,    Helstorferstr. 7,       D-30625 Hannover
    GPG-Key: 0x38EA4970,  5D7B 476D 84D5 94FF E7C5  67BE F895 0A18 38EA 4970

  • Next message: Trustix Security Advisor: "TSLSA-2004-0058 - multi"