TCP/IP protocol suite
Infiltrated Networks Vulnerability Disclosure
TCP/IP is broken
Overview TCP/IP
Transmission Control Protocol/Internet Protocol is the basic
communication language or protocol of the Internet. It can also be used
as a communications protocol in a private network (either an intranet or
an extranet). When you are set up with direct access to the Internet,
your computer is provided with a copy of the TCP/IP program just as
SUPPORT COMMUNICATION - SECURITY BULLETIN
Document ID: c01414022
Version: 1
HPSBOV02278 SSRT071479 rev.1 - HP OpenVMS SSH Using TCP/IP Services for OpenVMS, Remote Unauthorized Access
NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.
Release Date: 2008-03-27
Last Updated: 2008-03-27
SUPPORT COMMUNICATION - SECURITY BULLETIN
Document ID: c01523520
Version: 1
HPSBOV02357 SSRT080058 rev.1 - HP OpenVMS TCP/IP Services running BIND, Remote DNS Cache Poisoning
NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.
Release Date: 2008-08-13
Last Updated: 2008-08-13
References: CVE-2007-2926
SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
The following supported software versions are affected when running BIND v 9.2.1 or BIND v 9.3.1:
HP TCP/IP Services for OpenVMS Alpha v 5.4
HP TCP/IP Services for OpenVMS Alpha v 5.5
HP TCP/IP Services for OpenVMS Alpha v 5.6
HP TCP/IP Services for OpenVMS I64 v 5.5
HP TCP/IP Services for OpenVMS I64 v 5.6
SUPPORT COMMUNICATION - SECURITY BULLETIN
Document ID: c01835459
Version: 1
HPSBOV02452 SSRT090161 rev.1 - HP TCP/IP Services for OpenVMS BIND Server Remote Denial of Service (DoS)
NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.
Release Date: 2009-08-06
Last Updated: 2009-08-06
The motivation to produce this document is explained in the Preface of
the document as follows:
- ---- cut here ----
The TCP/IP protocol suite was conceived in an environment that was quite
different from the hostile environment they currently operate in.
However, the effectiveness of the protocols led to their early adoption
in production environments, to the point that to some extent, the
current world's economy depends on them.
The motivation to produce this document is explained in the Preface of the
document as follows:
- ---- cut here ----
The TCP/IP protocols were conceived during a time that was quite different
from the hostile environment they operate in now. Yet a direct result of
their effectiveness and widespread early adoption is that much of today's
global economy remains dependent upon them.
SUPPORT COMMUNICATION - SECURITY BULLETIN
Document ID: c00571568
Version: 11
HPSBUX01137 SSRT5954 rev.11 - HP-UX Running TCP/IP (IPv4), Remote Denial of Service (DoS)
NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.
Release Date: 2005-04-24
Last Updated: 2007-10-03
SUPPORT COMMUNICATION - SECURITY BULLETIN
Document ID: c01961959
Version: 2
HPSBOV02497 SSRT090245 rev.2 - HP TCP/IP Services for OpenVMS Running NTP, Remote Execution of Arbitrary Code, Denial of Service (DoS)
NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.
Release Date: 2010-03-23
Last Updated: 2010-03-26
SUPPORT COMMUNICATION - SECURITY BULLETIN
Document ID: c01961959
Version: 3
HPSBOV02497 SSRT090245 rev.3 - HP TCP/IP Services for OpenVMS Running NTP, Remote Execution of Arbitrary Code, Denial of Service (DoS)
NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.
Release Date: 2010-05-17
Last Updated: 2010-05-17
http://www.whitewolfsecurity.com
August 21, 2008
Risk Level:
Medium - Full TCP/IP access via RNDIS protocol over USB from
Windows Mobile device.
Summary:
With the introduction of ActiveSync 4.x, Microsoft significantly
Details
=======
The Domain Name System is an integral part of networks that are based
on TCP/IP such as the Internet. Simply stated, the Domain Name System
is a hierarchical database that contains mappings of hostnames and IP
addresses. The DNS protocol is part of the TCP/IP protocol suite and
allows DNS clients to query the DNS database to resolve hostnames to IP
addresses.
*Vulnerability Description*
OpenBSD’s DHCP server, dhcpd, implements the Dynamic Host Configuration
Protocol (DHCP) [1] and the Internet Bootstrap Protocol (BOOTP) [2]. DHCP
allows hosts on a TCP/IP network to request and be assigned IP addresses,
and also to discover information about the network to which they are
attached. BOOTP provides similar functionality, with certain restrictions.
The DHCP protocol allows a host which is unknown to the network
administrator to be automatically assigned a new IP address out of a pool
This can be used for "blind TCP data injection". The latter term is a
technique described by Michal Zalewski, and the paper references two
BugTraq submissions by Zalewski that nicely explain this concept. These
are (from the paper):
[27] “A new TCP/IP blind data injection technique?” (BugTraq mailing
list post),
Michal Zalewski, December 10th, 2003
http://www.securityfocus.com/archive/1/347130
[28] “Breaking the checksum (a new TCP/IP blind data injection technique)”
CORE FORCE is the first community oriented security solution for personal
computers that provides a comprehensive endpoint security solution for
Windows 2000 and Windows XP systems.
CORE FORCE provides inbound and outbound stateful packet filtering for
TCP/IP protocols using a Windows port of OpenBSD's PF firewall, granular
file system and registry access control and programs' integrity
validation. These capabilities can be configured and enforced system-wide
or on a per-application basis for specific programs such as email
readers, Web browsers, media players, messaging software, etc. The
security framework provided by CORE FORCE is leveraged by a community of
Robert E. Lee of Outpost24 has posted a new entry describing the recent state of the TCP/IP issue,
i.e. the discussion around the TCP/IP protocol stack Denial of Service vulnerability.
There is a FAQ-type section included too.
Link:
http://blog.robertlee.name/2008/10/more-detailed-response-to-gordons-post.html
Juha-Matti
>
> Discussion:
>
> Addonics NAS Adapter Post-Auth DoS
>
> Addonics NAS Adapter is prone to several post authentication buffer overflows. Each of these buffer overflows will crash the entire TCP/IP stack and the device will have to be power cycled to restore any functionality. Addonics currently has implemented GUI level (client side) controls for preventing long inputs, but by simply doing a direct HTTP GET request (the device doesn't use POST) this can be bypassed.
>
> Addonics was notified of the buffer overflows via ticket 497283 on March 25, 2009. Vendor acknowledgment on March 26, 2009.
>
> Exploiting these issues will crash the network stack and create a Denial of Service condition.
>
> to promises...
>
> So... with all this commentary, in the end, I still didn't read from the
> "big'uns" on whether or not a 3rd party open-source patch would be
> released... I sure miss the days that people back in the day who cared would
> :) In the end I realize, it sounds like a total over-haul of the TCP/IP
> stack is required; but does it really have to? Really?
>
> How effective is what Tom Grace suggests? Unless I'm misunderstanding, he's
> suggesting switching to an iptables based protection along with a registry
> tweak... ahh the good ol' batch firewall :) Would this actually work as a
- --------------------------------------------------------------------------
Package description:
fetchmail
Fetchmail is a remote mail retrieval and forwarding utility intended
for use over on-demand TCP/IP links, like SLIP or PPP connections.
Fetchmail supports every remote-mail protocol currently in use on the
Internet (POP2, POP3, RPOP, APOP, KPOP, all IMAPs, ESMTP ETRN, IPv6,
and IPSEC) for retrieval. Then Fetchmail forwards the mail through
SMTP so you can read it through your favorite mail client.
>Hasn't xp always sent out arp on non-assignment (and 2k) and 1918 is a straight grab when unassigned. I don't see a security issue here, you might want to expand on the Issue.
>
>------Original Message------
>From: wborskey@gmail.com
>To: bugtraq@securityfocus.com
>Subject: Windows XP TCP/IP Stack Security Issue (ARP for non RFC 1918 addresses)
>Sent: Apr 24, 2010 9:15 PM
>
>After putting the port my WAP is plugged into in a bridge group--cisco 2600--and rejecting traffic at layer two from an XP machine, I noticed some odd and insecure behavior. At this point I can only assume what is causing it.
>
>After adding the MAC of a machine with active TCP/IP sockets to public IP addresses, an odd thing happened. Instead of sending out DNS requests to resolve the hosts, the XP machine started sending ARP requests, but ARP requests for public IP addresses! For example it sent out ARP requests like "Who has 74.125.159.103". But not just once!
Hey Larry- hope everything's going well...
When you've got a systemic vulnerability, in this case the TCP/IP stack itself, exploitation information must be explicit and definitive. I'm fine with risk classification, and I appreciate efforts to categorize risk into manageable exposure metrics, but we shouldn't have to infer potential vulnerability information from vague disclosure data. I know many response teams base patch paths on the published severity, but one also has to be able to make decisions on their own. For me, no big deal. But it's not that simple for others.
But there's not enough information for me to make that call. Is it for ANY "listening service?" TCP or UDP? Does the "stateful" firewall introduced in subsequent versions stop it?
The answers are "yes," "yes," and "no." They should just say that. Is it "low" because the firewall doesn't have any exceptions by default? If so, that's silly. Everyone using XP for anything has incoming connections for something, and well known if on a domain. I feel sorry for Diebold and NEC with all the ATMs out there running XP, but fortunately, I'm not responsible for clients using their systems anymore :)
Anyway, the DoS suxx0rz, but I'm more irritated with the lack of real, straight-forward, no-nonsense information and technical sleight of hand. The information should be painfully obvious, not obviously painful.
Not Vulnerable:
Discussion:
Addonics NAS Adapter Post-Auth DoS
Addonics NAS Adapter is prone to several post authentication buffer overflows. Each of these buffer overflows will crash the entire TCP/IP stack and the device will have to be power cycled to restore any functionality. Addonics currently has implemented GUI level (client side) controls for preventing long inputs, but by simply doing a direct HTTP GET request (the device doesn't use POST) this can be bypassed.
Addonics was notified of the buffer overflows via ticket 497283 submitted Monday, February 09, 2009 at 6:03:35 PM. I called Addonics 3/4/09 at 12:44, told that they have confirmed the BoF condition, and engineers are working on a fix. They released an update that did not address the fix (NASU2FW41 Loader 1.17) which made the buffer 2 characters longer in order to crash except for the SMB password.
Exploiting these issues will crash the network stack and create a Denial of Service condition.
Discovered By: Mike Arnold
Information:
NT_Naming_Service.exe (part of the License Manager for SAP Business One 2005) is vulnerable to a stack-based remote buffer overflow allowing for full system compromise by an unauthenticated user that has TCP/IP access to SAP's license service on TCP port 30000.
Sending a large GIOP request will cause a buffer overflow allowing for remote code execution.
NT_Naming_Service.exe runs with SYSTEM level privileges.
DC 2008 Briefings & Training
February 18-21, Westin Washington DC City Center Focusing on Wireless and
Offensive security techniques with a larger training lineup.
New trainings include Defend the Flag by Microsoft, Side Channel Analysis
and Countermeasures by Riscure, and TCP/IP Weapons School: Black Hat Edition
by TaoSecurity.
Europe 2008 Briefings & Training
Now with three tracks per day of presentations and larger training lineup.
March 25-28, Moevenpick Hotel Amsterdam City Centre, the Netherlands New