Flaws in SP2 security features, part II

From: Juergen Schmidt (ju_at_heisec.de)
Date: 11/16/04

  • Next message: Trustix Security Advisor: "TSLSA-2004-0058 - multi"
    Date: Tue, 16 Nov 2004 21:45:35 +0100 (CET)
    To: bugtraq@securityfocus.com, NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM, full-disclosure@lists.netsys.com
    
    

    Date: 16.11.2005
    Author: Juergen Schmidt, heise Security
    Original article: http://www.heise.de/security/artikel/53297
    German version: http://www.heise.de/security/news/meldung/53306

    Flaws in SP2 security features, part II

    With Service Pack 2 Microsoft introduced a couple of new security
    features. However, some of them suffer from implementation flaws.

    One of the new security features is the restricted access to raw sockets
    in SP2. By restricting the ability to send handcrafted packets, Microsoft
    wants to "limit the ability of malicious code to create distributed
    denial-of-service attacks and limit the ability to send spoofed packets"
    (see
    http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/sp2netwk.mspx#EHAA).

    On the downside, a lot of tools, we use for our daily work, do not work
    with those restrictions -- or have to use strange workarounds. A lot of
    the features of the well known port scanner nmap did not work under
    Windows XP SP2 -- until Fyodor came up with writing raw ethernet frames
    instead of IP packets (which btw does not help on other transport mediums).

    The implementation of those restrictions on raw sockets contains at least
    one bug which makes them close to useless. They are coupled in some
    mysterious way to the firewall service. Issuing the command

    net stop SharedAccess

    stops the firewall and opens the access to raw sockets. You can test this
    easily by trying half open syn scans:

    nmap -sS [somehost]

    or spoofing IP adresses of UDP packets like in

    nmap -sU -S 1.2.3.4 -e eth0 [somehost]

    Neither command works with Windows XP SP2 and firewall enabled, but after
    you turn it off, they do.

    Microsoft has been informed about the problem and promised:

    "Even though we do not consider this a security vulnerability, Microsoft
    is committed to fixing this bug as quickly as is possible."

    The issue was brought to my attention by Holger Lembke who found it during
    his work on "3d traceroute" (http://www.d3tr.com).

    bye, ju

    --
    Juergen Schmidt                 heise Security          www.heisec.de
    Heise Zeitschriften Verlag,    Helstorferstr. 7,       D-30625 Hannover
    GPG-Key: 0x38EA4970,  5D7B 476D 84D5 94FF E7C5  67BE F895 0A18 38EA 4970
    

  • Next message: Trustix Security Advisor: "TSLSA-2004-0058 - multi"

    Relevant Pages

    • Flaws in SP2 security features, part II
      ... Flaws in SP2 security features, ... One of the new security features is the restricted access to raw sockets ... By restricting the ability to send handcrafted packets, Microsoft ...
      (NT-Bugtraq)
    • Flaws in SP2 security features, part II
      ... Flaws in SP2 security features, ... One of the new security features is the restricted access to raw sockets ... By restricting the ability to send handcrafted packets, Microsoft ...
      (Full-Disclosure)
    • [Full-Disclosure] Flaws in SP2 security features, part II
      ... Flaws in SP2 security features, ... One of the new security features is the restricted access to raw sockets ... By restricting the ability to send handcrafted packets, Microsoft ...
      (Full-Disclosure)
    • Re: Have PopUps gotten smarter?
      ... The one built into SP2 works fairly well. ... Tip for antivirus. ... Microsoft has these suggestions for Protecting your computer from the ... I'll mainly work around Windows XP, as that is what the bulk of this ...
      (microsoft.public.windowsxp.security_admin)
    • Re: CD & DVD go BOOM after SP2 !!!!!!!!!!!
      ... I have found a "fix" to this problem brought on by the SP2 upgrade. ... Understand I got many e-mails from Microsoft Support, ...
      (microsoft.public.windowsupdate)