Next Page >>
TCP/IP
Infiltrated Networks Vulnerability Disclosure
TCP/IP is broken
Overview TCP/IP
Transmission Control Protocol/Internet Protocol is the basic
communication language or protocol of the Internet. It can also be used
as a communications protocol in a private network (either an intranet or
an extranet). When you are set up with direct access to the Internet,
your computer is provided with a copy of the TCP/IP program just as
SUPPORT COMMUNICATION - SECURITY BULLETIN
Document ID: c01414022
Version: 1
HPSBOV02278 SSRT071479 rev.1 - HP OpenVMS SSH Using TCP/IP Services for OpenVMS, Remote Unauthorized Access
NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.
Release Date: 2008-03-27
Last Updated: 2008-03-27
SUPPORT COMMUNICATION - SECURITY BULLETIN
Document ID: c01523520
Version: 1
HPSBOV02357 SSRT080058 rev.1 - HP OpenVMS TCP/IP Services running BIND, Remote DNS Cache Poisoning
NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.
Release Date: 2008-08-13
Last Updated: 2008-08-13
References: CVE-2007-2926
SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
The following supported software versions are affected when running BIND v 9.2.1 or BIND v 9.3.1:
HP TCP/IP Services for OpenVMS Alpha v 5.4
HP TCP/IP Services for OpenVMS Alpha v 5.5
HP TCP/IP Services for OpenVMS Alpha v 5.6
HP TCP/IP Services for OpenVMS I64 v 5.5
HP TCP/IP Services for OpenVMS I64 v 5.6
SUPPORT COMMUNICATION - SECURITY BULLETIN
Document ID: c01835459
Version: 1
HPSBOV02452 SSRT090161 rev.1 - HP TCP/IP Services for OpenVMS BIND Server Remote Denial of Service (DoS)
NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.
Release Date: 2009-08-06
Last Updated: 2009-08-06
SUPPORT COMMUNICATION - SECURITY BULLETIN
Document ID: c00571568
Version: 11
HPSBUX01137 SSRT5954 rev.11 - HP-UX Running TCP/IP (IPv4), Remote Denial of Service (DoS)
NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.
Release Date: 2005-04-24
Last Updated: 2007-10-03
SUPPORT COMMUNICATION - SECURITY BULLETIN
Document ID: c01961959
Version: 3
HPSBOV02497 SSRT090245 rev.3 - HP TCP/IP Services for OpenVMS Running NTP, Remote Execution of Arbitrary Code, Denial of Service (DoS)
NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.
Release Date: 2010-05-17
Last Updated: 2010-05-17
SUPPORT COMMUNICATION - SECURITY BULLETIN
Document ID: c01961959
Version: 2
HPSBOV02497 SSRT090245 rev.2 - HP TCP/IP Services for OpenVMS Running NTP, Remote Execution of Arbitrary Code, Denial of Service (DoS)
NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.
Release Date: 2010-03-23
Last Updated: 2010-03-26
The motivation to produce this document is explained in the Preface of the
document as follows:
- ---- cut here ----
The TCP/IP protocols were conceived during a time that was quite different
from the hostile environment they operate in now. Yet a direct result of
their
effectiveness and widespread early adoption is that much of today's
global economy remains dependent upon them.
http://www.whitewolfsecurity.com
August 21, 2008
Risk Level:
Medium - Full TCP/IP access via RNDIS protocol over USB from
Windows Mobile device.
Summary:
With the introduction of ActiveSync 4.x, Microsoft significantly
The motivation to produce this document is explained in the Preface of
the document as follows:
- ---- cut here ----
The TCP/IP protocol suite was conceived in an environment that was quite
different from the hostile environment they currently operate in.
However, the effectiveness of the protocols led to their early adoption
in production environments, to the point that to some extent, the
current world?s economy depends on them.
SF> http://www.whitewolfsecurity.com
SF> August 21, 2008
SF> Risk Level:
SF> Medium - Full TCP/IP access via RNDIS protocol over USB from
SF> Windows Mobile device.
SF> Summary:
SF> With the introduction of ActiveSync 4.x, Microsoft significantly
New: BIO_printf(sbio,"STARTTLS\r\nRSET\r\n");
With this change, the s_client command sends the plaintext STARTTLS
command ("let's turn on TLS") immediately followed by an RSET command
(a relatively harmless protocol "reset"). Both commands are sent
as plaintext in the same TCP/IP packet, and arrive together at the
server. The "\r\n" are the carriage-return and newline characters;
these are necessary to terminate an SMTP command.
When an SMTP server has the plaintext injection flaw, it reads the
STARTTLS command first, switches to SMTP-over-TLS mode, and only
>Hasn't xp always sent out arp on non-assignment (and 2k) and 1918 is a straight grab when unassigned. I don't see a security issue here, you might want to expand on the Issue.
>
>------Original Message------
>From: wborskey@gmail.com
>To: bugtraq@securityfocus.com
>Subject: Widnows XP TCP/IP Stack Security Issue (ARP for non RFC 1918addresses)
>Sent: Apr 24, 2010 9:15 PM
>
>After putting the port my WAP is plugged into in a bridge group--cisco 2600--and rejecting traffic at layer two from an XP machine, I noticed some odd and insecure behavior. At this point I can only assume what is causing it.
>
>After adding the MAC of a machine with active tcp/ip sockets to public ip addresses an odd thing happened. Instead of sending out DNS requests to resolve the hosts, the XP machine started sending ARP requests but ARP requests for ip public addresses! For example it sent out ARP requests like "Who has 74.125.159.103". But not just once!
Details
=======
The Domain Name System is an integral part of networks that are based
on TCP/IP such as the Internet. Simply stated, the Domain Name System
is a hierarchical database that contains mappings of hostnames and IP
addresses. The DNS protocol is part of the TCP/IP protocol suite and
allows DNS clients to query the DNS database to resolve hostnames to IP
addresses.
> to promises...
>
> So... with all this commentary, in the end, I still didn't read from the
> "big'uns" on whether or not a 3rd party open-source patch would be
> released... I sure miss the days that people back in the day who cared would
> :) In the end I realize, it sounds like a total over-haul of the TCP/IP
> stack is required; but does it really have to? Really?
>
> How effective is what Tom Grace suggests? Unless I'm misunderstanding, he's
> suggesting switching to an iptables based protection along with a registry
> tweak... ahh the good ol' batch firewall :) Would this actually work as a
On Wed, Sep 14, 2011 at 5:13 AM, <fergal.cassidy@measuresoft.com> wrote:
Please take this constructively...
> The so called vulnerability in ScadaPro does not apply when the Windows firewall is enabled and under normal circumstances the TCP-IP port is not used to communicate with the ScadaPro service.
Measuresoft should not stake its security on the hopes that a firewall
is running. There will be plenty of folks who will do dumb things with
it.
> In the next release of ScadaPro the TCP/IP port will not be available and instead a secure web service will be available.
Hasn't xp always sent out arp on non-assignment (and 2k) and 1918 is a straight grab when unassigned. I don't see a security issue here, you might want to expand on the Issue.
------Original Message------
From: wborskey@gmail.com
To: bugtraq@securityfocus.com
Subject: Widnows XP TCP/IP Stack Security Issue (ARP for non RFC 1918addresses)
Sent: Apr 24, 2010 9:15 PM
After putting the port my WAP is plugged into in a bridge group--cisco 2600--and rejecting traffic at layer two from an XP machine, I noticed some odd and insecure behavior. At this point I can only assume what is causing it.
After adding the MAC of a machine with active tcp/ip sockets to public ip addresses an odd thing happened. Instead of sending out DNS requests to resolve the hosts, the XP machine started sending ARP requests but ARP requests for ip public addresses! For example it sent out ARP requests like "Who has 74.125.159.103". But not just once!
This can be used for "blind TCP data injection" The latter term is a
technique described by Michal Zalewski, and the paper references 2
BugTraq submissions by Zalewski that nicely explain this concept. These
are (from the paper):
[27] “A new TCP/IP blind data injection technique?” (BugTraq mailing
list post),
Michal Zalewski, December 10th, 2003
http://www.securityfocus.com/archive/1/347130
[28] “Breaking the checksum (a new TCP/IP blind data injection technique)”
The so called vulnerability in ScadaPro does not apply when the Windows firewall is enabled and under normal circumstances the TCP-IP port is not used to communicate with the ScadaPro service.
In the next release of ScadaPro the TCP/IP port will not be available and instead a secure web service will be available.
Also please note these tests were performed independently of Measuresoft on a demo version and without seeking or obtaining any advice from Measuresoft on how to securely deploy ScadaPro.
>>> So... with all this commentary, in the end, I still didn't read from
>>> the
>>> "big'uns" on whether or not a 3rd party open-source patch would be
>>> released... I sure miss the days that people back in the day who
>>> cared would
>>> :) In the end I realize, it sounds like a total over-haul of the TCP/IP
>>> stack is required; but does it really have to? Really?
>>>
>>> How effective is what Tom Grace suggests? Unless I'm
>>> misunderstanding, he's
>>> suggesting switching to an iptables based protection along with a
>
> Discussion:
>
> Addonics NAS Adapter Post-Auth DoS
>
> Addonics NAS Adapter is prone to several post authentication buffer overflows. Each of these buffer overflows will crash the entire TCP/IP stack and the device will have to be power cycled to restore any functionality. Addonics currently has implemented GUI level (client side) controls for preventing long inputs, but by simply doing a direct HTTP GET request (the device doesn't use POST) this can be bypassed.
>
> Addonics was notified of the buffer overflows via ticket 497283 on March 25, 2009. Vendor acknowledgment on March 26, 2009.
>
> Exploiting these issues will crash the network stack and create a Denial of Service condition.
>
Robert E. Lee of Outpost24 has posted a new entry describing the recent state of TCP/IP issue,
i.e. discussion around the TCP/IP protocol stack Denial Of Service vulnerability.
There is a FAQ type section included too.
Link:
http://blog.robertlee.name/2008/10/more-detailed-response-to-gordons-post.html
Juha-Matti
*Vulnerability Description*
OpenBSD’s DHCP server, dhcpd, implements the Dynamic Host Configuration
Protocol (DHCP) [1] and the Internet Bootstrap Protocol (BOOTP) [2]. DHCP
allows hosts on a TCP/IP network to request and be assigned IP addresses,
and also to discover information about the network to which they are
attached. BOOTP provides similar functionality, with certain restrictions.
The DHCP protocol allows a host which is unknown to the network
administrator to be automatically assigned a new IP address out of a pool
to promises...
So... with all this commentary, in the end, I still didn't read from the
"big'uns" on whether or not a 3rd party open-source patch would be
released... I sure miss the days that people back in the day who cared would
:) In the end I realize, it sounds like a total over-haul of the TCP/IP
stack is required; but does it really have to? Really?
How effective is what Tom Grace suggests? Unless I'm misunderstanding, he's
suggesting switching to an iptables based protection along with a registry
tweak... ahh the good ol' batch firewall :) Would this actually work as a
> to promises...
>
> So... with all this commentary, in the end, I still didn't read from the
> "big'uns" on whether or not a 3rd party open-source patch would be
> released... I sure miss the days that people back in the day who cared would
> :) In the end I realize, it sounds like a total over-haul of the TCP/IP
> stack is required; but does it really have to? Really?
>
> How effective is what Tom Grace suggests? Unless I'm misunderstanding, he's
> suggesting switching to an iptables based protection along with a registry
> tweak... ahh the good ol' batch firewall :) Would this actually work as a
-----Original Message-----
From: full-disclosure-bounces@lists.grok.org.uk [mailto:full-disclosure-bounces@lists.grok.org.uk] On Behalf Of J. Oquendo
Sent: Friday, April 01, 2011 10:52 AM
To: bugtraq@securityfocus.com
Cc: full-disclosure@lists.grok.org.uk
Subject: [Full-disclosure] Microsoft VISTA TCP/IP heap buffer underflow
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Not Vulnerable:
Discussion:
Addonics NAS Adapter Post-Auth DoS
Addonics NAS Adapter is prone to several post authentication buffer overflows. Each of these buffer overflows will crash the entire TCP/IP stack and the device will have to be power cycled to restore any functionality. Addonics currently has implemented GUI level (client side) controls for preventing long inputs, but by simply doing a direct HTTP GET request (the device doesn't use POST) this can be bypassed.
Addonics was notified of the buffer overflows via ticket 497283 submitted Monday, February 09, 2009 at 6:03:35 PM. I called Addonics 3/4/09 at 12:44, told that they have confirmed the BoF condition, and engineers are working on a fix. They released an update that did not address the fix (NASU2FW41 Loader 1.17) which made the buffer 2 characters longer in order to crash except for the SMB password.
Exploiting these issues will crash the network stack and create a Denial of Service condition.
CORE FORCE is the first community oriented security solution for personal
computers that provides a comprehensive endpoint security solution for
Windows 2000 and Windows XP systems.
CORE FORCE provides inbound and outbound stateful packet filtering for
TCP/IP protocols using a Windows port of OpenBSD's PF firewall, granular
file system and registry access control and programs' integrity
validation. These capabilities can be configured and enforced system-wide
or on a per-application basis for specific programs such as email
readers, Web browsers, media players, messaging software, etc. The
security framework provided by CORE FORCE is leveraged by a community of
Discussion:
Addonics NAS Adapter Post-Auth DoS
Addonics NAS Adapter is prone to several post authentication buffer overflows. Each of these buffer overflows will crash the entire TCP/IP stack and the device will have to be power cycled to restore any functionality. Addonics currently has implemented GUI level (client side) controls for preventing long inputs, but by simply doing a direct HTTP GET request (the device doesn't use POST) this can be bypassed.
Addonics was notified of the buffer overflows via ticket 497283 on March 25, 2009. Vendor acknowledgment on March 26, 2009.
Exploiting these issues will crash the network stack and create a Denial of Service condition.
Next Page>>
|
