Re: Yahoo Messenger Stale Sessions

From: BANIER Jeremie (jeremie.banier@swift.com)
Date: 11/14/02 

Date: Thu, 14 Nov 2002 14:49:51 +0100
From: BANIER Jeremie <jeremie.banier@swift.com>

Hello,
I believe switching on keep-alive would perhaps sove that one ...

<knip>
Windows 2000 TCP keep-alive behavior can be modified by changing the values of the KeepAliveTime and KeepAliveInterval registry
entries (HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters). TCP keep-alives can be sent once for every interval specified by
the value of KeepAliveTime (defaults to 7,200,000 milliseconds, or two hours) if no other data or higher level keep-alives have
been
carried over the TCP connection. If there is no response to a keep-alive, it is repeated once every interval specified by the value
of KeepAliveInterval in seconds. By default, the KeepAliveInterval entry is set to a value of one second.
</knip>

Hope it helps, if not rebooot ;-)
Jeremie

Tat Wee Kan wrote:

> ----- Original Message -----
> From: <Leonard.Ong@nokia.com>
> To: <security-basics@securityfocus.com>; <incidents@securityfocus.com>;
> <bugtraq@securityfocus.com>
> Sent: Monday, November 11, 2002 11:04 AM
> Subject: Yahoo Messenger Stale Sessions
>
> > During my observation in daily use of Yahoo Messenger, my computer has
> "stale/zombie" sessions. For example, If i have received/message a friend,
> yahoo will normally make a direct connection from my PC to my friend. From
> Netstat result, you can see a high port on my computer is having an
> Established session with my peer's:5101 port.
> >
> > The issue is, after a contact has gone offline (dial-up), the state
> established in the netstat will remain until the next day. I wouls see this
> as a vulnerabilities, since an arbitrary user can assume the IP Address was
> used (dial-up->dynamic ip assignment), and use this established session to
> assume it.
> >
> > Any idea ?
>
> Hmm, I'm not an expert in this, but I do realize if the 4-way handshake for
> terminating a connection is not done properly, e.g. the user switched off
> his dial-up modem abruptly, it would cause the "stale/zombie" sessions
> described as above. The dial-up machine will not have the opportunity to
> send the FIN to your machine.
>
> You probably need to know the sequence number, source port, destination port
> as well as source IP and destination IP (which you should know). 

--
"Ok, so the servers are down, the lights are out, and all I have to work
with is a roll of duct tape, a ball point pen, a lighter, and a twenty year
old copy of emacs.  Where's the problem? "

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com