TCP/IP protocol suite
The attacker just reads the memory and can then try to find cached
credentials or cryptographic keys (as described in the paper by Ed Felten
et al).
But let's take it further: Windows uses TCP/IP over IEEE 1394 in
standard setup, so after getting the cached credentials of an
Administrator from memory an attacker can successfully (I assume a
standard setup where the Windows firewall allows access from its own
subnet) mount \\target\C$ or \\target\ADMIN$ and thus read the files
on the disk. If only drive encryption is used, the files are decrypted
DC 2008 Briefings & Training
February 18-21, Westin Washington DC City Center
Focusing on Wireless and Offensive security techniques with a larger
training lineup.
New trainings include Defend the Flag by Microsoft, Side Channel Analysis
and Countermeasures by Riscure, and TCP/IP Weapons School: Black Hat Edition
by TaoSecurity.
Europe 2008 Briefings & Training
Now with three tracks per day of presentations and larger training lineup.
March 25-28, Moevenpick Hotel Amsterdam City Centre, the Netherlands
*Technical Description / Proof of Concept Code*
The CitectSCADA and CitectFacilities applications include ODBC server
capabilities to provide remote SQL access to a relational database. The
ODBC Server component listens on port 20222/tcp by default to service
requests from clients on TCP/IP networks. The application layer protocol
used over TCP reads an initial packet of 4 bytes that specifies the
length of data that follows in the next packet. A second packet of that
length with a 5-byte fixed header is then read from the same TCP socket.
Once this second packet is read from the network into a buffer, the data
is then copied to an internal buffer of fixed size allocated in the
WonderWare offers software solutions in the areas of Production and
Performance Management, and Geographical SCADA and Supervisory HMI
(Human-Machine Interface). Several of these solutions running on
Microsoft Windows Operating Systems use a common software component, the
SuiteLink Service, to implement communications between components using
a proprietary protocol over TCP/IP networks.
A vulnerability was found in Wonderware SuiteLink Service ('slssvc.exe')
that could allow an unauthenticated remote attacker with the ability to
connect to the SuiteLink service TCP port to shut down the service
abnormally by sending a malformed packet. Exploitation of the
>>>
>>> Reference:
>>>
>>>
>>>
>>> http://www.computerworld.com/s/article/9138007/Microsoft_No_TCP_IP_patches_for_you_XP
>>>
>>> MS claims the patch would require too much overhaul of XP to make it
>>> worth it, and they may be right. Who knows how many applications
Vendor Response:
There is a security vulnerability that could allow for Denial of
Service (DoS) by sending a specifically crafted TCP/IP packet to the
mobile device. However, most attempts to exploit this vulnerability
would result in a Denial of Service Condition on the networking
capabilities of the device.
The following devices may be vulnerable to this issue:
Other information:
* Default username and password is cmc
* Default administrator username/password is admin
* Device supports following protocols TCP/IP, SNMPv1, SNMPv3, FTP,
SFTP, SMTP, HTTPS, NTP, SSH, PPP, DHCP. Further research is
highly encouraged.
"Six pints of bitter. And quickly please, the world's about to end."
-------------------------------------------------
MS Patch - MS08-003 Vulnerability in Active Directory Could Allow Denial of Service (946538)
Analysis - SMA does not have this component. Patch will not run successfully.
Action - Customers should not be concerned with this issue
-------------------------------------------------
MS Patch - MS08-004 Vulnerability in Windows TCP/IP Could Allow Denial of Service (946456)
Analysis - SMA does not have this component. Patch will not run successfully.
Action - Customers should not be concerned with this issue
-------------------------------------------------
MS Patch - MS08-005 Vulnerability in Internet Information Services Could Allow Elevation of Privilege (942831)
Analysis - Possible security issue exists. Patch will run successfully.
HP strongly recommends the immediate installation of all security patches that apply to third party software which is integrated with SMA software products supplied by HP, and that patches are applied in accordance with an appropriate patch management policy.
NOTE: Patch installation instructions are shown at the end of this table.
-------------------------------------------------
MS Patch - MS08-001 Vulnerabilities in Windows TCP/IP Could Allow Remote Code Execution (941644)
Analysis - Possible security issue exists. Patch will run successfully.
Action - For SMA v2.1, customers should download patch from Microsoft and install.
-------------------------------------------------
MS Patch - MS08-002 Vulnerability in LSASS Could Allow Local Elevation of Privilege (943485)
Analysis - Possible security issue exists. Patch will run successfully.
http://www.dataconline.com/software/realwin.php
"RealWin is a SCADA server product which includes a FlexView HMI and
runs on current Microsoft Windows platforms (2000 and XP). It can
operate on a single PC or multiple PCs connected through a TCP/IP
network. It reads and maintains data returned from field devices using
drivers, stores data for historical access, runs Command Sequence
Language (CSL) scripts and generates alarms as defined in the system."
---------------------------------
After putting the port my WAP is plugged into in a bridge group--cisco 2600--and rejecting traffic at layer two from an XP machine, I noticed some odd and insecure behavior. At this point I can only assume what is causing it.
After adding the MAC of a machine with active tcp/ip sockets to public ip addresses, an odd thing happened. Instead of sending out DNS requests to resolve the hosts, the XP machine started sending ARP requests, but ARP requests for public ip addresses! For example it sent out ARP requests like "Who has 74.125.159.103". But not just once!
The XP machine was using a self-assigned 169.254.
Because the bridge group discard rule was discarding their traffic at layer 2. But somehow, I guess because it had open sockets to public IP addresses, it tried to ARP for those addresses to discover what network it was on and where to send the packets.
This is extremely dangerous for obvious reasons.
entomology@recurity-labs.com
Date: 09.09.2009
________________________________________________________________________
Vendor: Microsoft Corporation
Product: Microsoft Windows XP/Vista TCP/IP-Stack
Vulnerability: TCP/IP Orphaned Connections Vulnerability
Affected Releases: Windows Vista Business SP1/ Windows XP SP3
Severity: Moderate
CVE: CVE-2009-1926
________________________________________________________________________
Reference:
http://www.computerworld.com/s/article/9138007/Microsoft_No_TCP_IP_patches_for_you_XP
MS claims the patch would require too much overhaul of XP to make it
worth it, and they may be right. Who knows how many applications might
break that were designed for XP if they have to radically change the
TCP/IP stack. Now, I don't know if the MS speak is true, but it
certainly sounds like it is not going to be patched.
From vendor's website:
"MG-SOFT Net Inspector is a powerful fault management application with
alarming subsystem that complies with the international alarm reporting
recommendations (ITU X.733). The software lets you effectively monitor
the status of network devices and manage alarms associated with devices
in the supervised TCP/IP network."
> Cc: full-disclosure@lists.grok.org.uk
> Subject: Re: [Full-disclosure] 3rd party patch for XP for MS09-048?
>
> Reference:
>
> http://www.computerworld.com/s/article/9138007/Microsoft_No_TCP_IP_patches_for_you_XP
>
> MS claims the patch would require too much overhaul of XP to make it
> worth it, and they may be right. Who knows how many applications might
> break that were designed for XP if they have to radically change the
> After putting the port my WAP is plugged into in a bridge group--cisco
> 2600--and rejecting traffic at layer two from an XP machine, I noticed some
> odd and insecure behavior. At this point I can only assume what is causing
> it.
>
> After adding the MAC of a machine with active tcp/ip sockets to public ip
> addresses an odd thing happened. Instead of sending out DNS requests to
> resolve the hosts, the XP machine started sending ARP requests but ARP
> requests for ip public addresses! For example it sent out ARP requests like
> "Who has 74.125.159.103". But not just once!
>
Microsoft Security Bulletin MS09-048 - Critical: Vulnerabilities in
Windows TCP/IP Could Allow Remote Code Execution (967723):
http://www.microsoft.com/technet/security/Bulletin/MS09-048.mspx
If Windows XP is listed as an affected product, why is Microsoft
not issuing an update for it?
By default, Windows XP Service Pack
2, Windows XP Service Pack 3, and Windows XP Professional x64 Edition
Service Pack 2 do not have a listening service configured in the client
firewall and are therefore not affected by this vulnerability. Windows
XP Service Pack 2 and later operating systems include a stateful host
to 'stall it'... thoughts/feedback?
APK
P.S.=> Also, "hardcoding" the TcpWindowSize & GlobalTcpWindowSize
settings in the registry in TCP/IP Parameters (see registry path above)
SHOULD also help here also, for servers that can accept MANY connections
from MANY clients, worldwide, as your specific constraints specify...
Thus, effectively stalling the ability to use TcpWindowScaling is
stopped by SynAttackProtect too, so an attacking system/app sending a
data such as the 'COMPUTERNAME' or the ciphered challenge/response.
Our proof of concept contemplates 2 possibilities:
1. The victim's machine is able to establish a connection to the port
445 (NetBIOS over TCP/IP) on the malicious server in which case the
correct 'USERNAME' can be obtained to build the right UNC path to the
'index.dat' file:
Not Vulnerable:
Discussion:
The FTP server included with the Addonics NAS Adapter is vulnerable to 3 remote BoF conditions which result in a DoS and require a device reboot, as the entire tcp/ip stack is crashed.
Exploit:
http://milw0rm.com/exploits/8584
The RMDIR, Delete, and Rename functions are all vulnerable.
exposure to the exploitation of these vulnerabilities from the
Internet or customer networks.
* Apply Transit Access Control Lists:
Apply access control lists (ACLs) on routers / switches /
firewalls installed in front of the vulnerable network devices
such that TCP/IP traffic destined for the CTX, CTX2500, XTC, TCC2
/TCC2+/TCC2P, or TSC control cards on the ONS is allowed only
from the network management workstations.
For examples on how to apply ACLs on Cisco routers, refer to the
white paper "Transit Access Control Lists: Filtering at Your
Edge", which is available at the following link:
phion Security Advisory 21/10/2008
Microsoft VISTA TCP/IP stack buffer overflow
Summary
-----------------------------
Microsoft Device IO Control wrapped by the iphlpapi.dll API shipping with Windows Vista 32 bit and 64 bit contains a possibly exploitable buffer overflow corrupting kernel memory.
Affected Systems
-----------------------------
+#define NOFILE (sizeof(int) * 8)
+#endif
+#endif
+
/*
* Ops vector for TCP/IP based rpc service handle
*/
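Review bot: the fallback `#define NOFILE (sizeof(int) * 8)` in the first added lines pins the descriptor limit to the bit width of an int (32 on common platforms), which is much lower than the open-file limit most systems allow; if NOFILE bounds a per-descriptor table or a loop over connections, any descriptor numbered 32 or higher would be handled incorrectly. Prefer a runtime value such as sysconf(_SC_OPEN_MAX), or FD_SETSIZE if the table is tied to an fd_set, and add a comment above the two closing `#endif` lines naming which header is expected to supply NOFILE so the nested guards are easy to follow.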
@@ -215,6 +223,19 @@
register SVCXPRT *xprt;
register struct tcp_conn *cd;