Bugtraq mailing list archives
Re: Winsock 2.0 DoS
From: H.Karrenbeld () A1 NL (Henri Karrenbeld)
Date: Thu, 12 Mar 1998 14:05:44 +0100
At 21:24 11-03-98 -0500, you wrote:

> If a user has the newest winsock patch for winsock 2.0, which can be located at: http://www.microsoft.com/windows95/info/ws2.htm and attempts to do an address lookup on an address which doesn't exist and is 13 characters long, winsock will fault. This has been reproduced on several computers and it takes a couple of seconds of looking up to occur. This happens with every winsock program I've tested, including Netscape 3, IE 3.0, and MS ping.
>
> Example sites that work are:
>
> www.socois.cool
> www.pcorner.org
> blahd.yahoo.com
>
> This apparently only works on names that are exactly 13 characters long (not including periods). This is dangerous because web pages can simply redirect browsers to these pages or put img sources equal to nonexistent address entries, which will crash winsock.
I can confirm this happens in the following configuration: Windows95 + SP1 + msdun12.exe + ws2setup.exe + vtcpup20.exe + vipup20.exe (patched in this order). Since ws2setup.exe essentially upgrades Win95 to OSR2, this should imply OSR2 is also vulnerable to this.

The symptoms that I could see were the following: The application doing the DNS lookup (I used the lookup function of WSPING32 of WSFTP Pro) makes the entire system freeze. ALT-CTRL-DEL shows this application as 'not responding'. Killing the program off frees the system again. However, most programs using winsock at the time, including network stuff started after that, lost the network. However, doing a 'ping' from the command line with a numerical IP address still worked, so the stack doesn't appear to be entirely dead. However, it looks like this is using a different part of the stack, because doing a manual 'ping' with the same address that knocked WSPING32 off its feet (blahd.yahoo.com) merely resulted in an 'unknown host' message.

The problem does not occur when the network is not active at the moment the '13-char killer' is dropped. I _have_ to be dialed in to make it crash.

So if you want to test your system, be sure:

1) To test it with a Windows95 application: the command line utils don't crash the stack, and neither does a crash influence them.
2) You can unfreeze your system by killing off the offending application; for the network to come back you need to reboot, though. Maybe simply getting rid of the TCP/IP stack, like by disabling the network card, would also help (can't test that here, no Ethernet at home ;-)).

Could other people confirm the following:

* Does this only happen with the newest WS2, or also with the one that comes with the Winsock SDK that was released previously?
* Does this also happen when vipupd20.exe and vtcpupd20.exe have not been used?

If this is the case I am seriously considering downgrading back to winsock 1.1.

$) Henri