Bugtraq mailing list archives
New M$ TCP/IP bug found.... got the NT Blue's yet?
From: kgibbs () BEST COM (Kelly E. Gibbs)
Date: Thu, 22 May 1997 16:40:43 -0700
I was testing a network where the packets were getting corrupted, between a Windows NT 3.51 client and a Windows 4.0 SP2 server (Looks like upgrading to SP3 makes no difference :-) ). As to the source of corruption, I haven't determined that yet, but that's another problem. The chances of this happening again are very slim, but for now I appreciate the source of corruption, wherever it is!

The problem is that you can inject a packet with an invalid sequence number, invalid Window size announcement (let's say 62K), with the Urgent, FIN, RST, and a few other elements of the packet set just right, and guess what happens.......... the server will cease to accept data. Only the FIN, and ACK FIN make it; only if the next packet doesn't contain the right window size. If the next packet contains an invalid window size that is greater than the previous, then you can recreate the problem.

So, for those who have routers and think that closing access to port 139 is safe, think again. This works very well over port 80, or any port for that matter. I also tried this on several firewalls (without mentioning names), and it worked. Several UNIX firewalls, however, denied that packet, but the NT firewalls that I tried all accepted it.

Several other M$ TCP/IP implementation problems have surfaced, but I am looking into those now to validate them. As soon as I formalize my findings, guess you will be seeing another HotFix from M$.

Kelly Gibbs, kgibbs () best com
Internet Security Instructor
Protocol Interface, Inc.
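The post notes that several UNIX firewalls dropped the malformed segment while the NT ones passed it on. The following is an added example, not code from the post or from any firewall product, showing the kind of header sanity check a stateful filter or IDS can apply before a segment reaches the host TCP stack: a contradictory flag combination (RST together with FIN/URG), an urgent pointer that points past the payload, an advertised window above a configured ceiling, and a sequence number outside the receiver's current window. The function names, the 32K window ceiling, the expected-sequence/receive-window values and the two sample segments are all constructed assumptions for illustration.

```python
import struct

# TCP flag bits as laid out in the 13th byte of the header (RFC 793)
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

# Illustrative ceiling: a filter that has tracked a connection's previous
# window announcements would use the largest value it has seen so far.
MAX_WINDOW = 32768


def build_tcp_segment(sport, dport, seq, ack, flags, window, urg_ptr=0, payload=b""):
    """Construct a minimal TCP segment (20-byte header, no options,
    checksum left at zero). Used here only to create sample input for
    the checker below; it never touches a socket."""
    off_res = 5 << 4  # data offset of 5 words = 20-byte header
    header = struct.pack("!HHIIBBHHH", sport, dport, seq, ack,
                         off_res, flags, window, 0, urg_ptr)
    return header + payload


def parse_tcp_header(segment: bytes) -> dict:
    """Parse the fixed TCP header fields a filter inspects.
    Options are skipped; the payload starts at data_offset * 4."""
    if len(segment) < 20:
        raise ValueError("segment shorter than the minimum TCP header")
    (sport, dport, seq, ack, off_res, flags, window,
     _checksum, urg_ptr) = struct.unpack("!HHIIBBHHH", segment[:20])
    data_offset = (off_res >> 4) * 4
    if data_offset < 20 or data_offset > len(segment):
        raise ValueError("data offset outside the segment")
    return {
        "sport": sport, "dport": dport, "seq": seq, "ack": ack,
        "flags": flags, "window": window, "urg_ptr": urg_ptr,
        "payload_len": len(segment) - data_offset,
    }


def segment_anomalies(hdr: dict, expected_seq: int, recv_window: int,
                      max_window: int = MAX_WINDOW) -> list:
    """Return the reasons (possibly none) a segment should be dropped or
    logged. expected_seq and recv_window are the receiver-side state a
    stateful filter keeps for the connection."""
    reasons = []
    f = hdr["flags"]
    if f & RST and f & (FIN | URG):
        reasons.append("RST combined with FIN/URG")
    if f & URG and hdr["urg_ptr"] > hdr["payload_len"]:
        reasons.append("urgent pointer beyond payload")
    if hdr["window"] > max_window:
        reasons.append("advertised window %d exceeds %d" % (hdr["window"], max_window))
    # Acceptability test on the sequence number, modulo 2**32.
    # (A full RFC 793 check also accounts for the segment length.)
    offset = (hdr["seq"] - expected_seq) & 0xFFFFFFFF
    if offset >= recv_window:
        reasons.append("sequence number outside receive window")
    return reasons


# Constructed samples: receiver expects seq 1000 with an 8 KB window.
EXPECTED_SEQ, RECV_WINDOW = 1000, 8192

# A segment shaped like the one the post describes: sequence number far
# outside the window, 62 KB window announcement, URG+FIN+RST set at once.
SAMPLE_BAD = build_tcp_segment(40000, 80, seq=5_000_000, ack=1,
                               flags=URG | FIN | RST | ACK,
                               window=62 * 1024, urg_ptr=5)

# An ordinary in-window data segment on the same connection.
SAMPLE_GOOD = build_tcp_segment(40000, 80, seq=1000, ack=1,
                                flags=PSH | ACK, window=8192,
                                payload=b"GET / HTTP/1.0\r\n\r\n")


def check_samples() -> dict:
    """Run both samples through the checker; returns reasons per sample."""
    return {
        "bad": segment_anomalies(parse_tcp_header(SAMPLE_BAD), EXPECTED_SEQ, RECV_WINDOW),
        "good": segment_anomalies(parse_tcp_header(SAMPLE_GOOD), EXPECTED_SEQ, RECV_WINDOW),
    }


if __name__ == "__main__":
    for name, reasons in check_samples().items():
        print(name, "->", reasons or "accepted")
```

A filter that keeps per-connection state (the expected sequence number and the peer's last window) can reject the first sample on any one of its four defects, which is the behaviour the post attributes to the UNIX firewalls; a stateless port filter on 139 never sees the flags or the window and so passes it through on port 80 or any other open port.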