Full Disclosure mailing list archives
Re: Windows URG mystery solved!
From: Willy Tarreau <willy () w ods org>
Date: Wed, 17 Sep 2003 19:13:41 +0200
On Wed, Sep 17, 2003 at 11:17:16AM +0200, Michal Zalewski wrote:
I finally have more details about the Windows URG pointer memory leak, first reported here: http://www.securityfocus.com/archive/82/335845/2003-08-31/2003-09-06/0 It is a vulnerability. After a long and daunting hunt, I have determined that pretty much all up-to-date Windows 2000 and XP systems are vulnerable to the problem, and that it is not caused by any network devices en route or such, but the issue is present only in certain conditions.
Hello Michal,

I too discovered this strangeness on Monday, when a guy at work was using a Windows-based tool to scan for unpatched machines against the Blaster worm. My netfilter first logged 3 SYNs, and I asked him why his tool was using URG data, but then noticed that the URG flag wasn't set. He didn't know and tried again to scan my Linux box. I don't know what his tool was, but he launched it from a Blaster-patched WinXP box. This time, the URG pointer was always 0. Then he scanned the whole network, and I saw non-null URG pointers coming again to my box. Tcpdump clearly showed that the pointer was in the packets, and was not invented by netfilter. So I concluded that his box was leaking memory or doing something strange. I can ask him the exact Windows version, and even some more tests if anyone is interested.

Regards,
Willy

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
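The condition described in the message above (a non-zero urgent pointer in a segment whose URG flag is clear) can be checked mechanically on captured TCP headers. The following is an added example, not part of the original thread; the function names and the sample headers are constructed for illustration.

```python
import struct

URG, SYN = 0x20, 0x02          # TCP flag bits (RFC 793)
TCP_FMT = "!HHIIHHHH"          # fixed 20-byte TCP header, network byte order


def build_tcp(sport, dport, flags, urg_ptr, seq=0, ack=0, window=8192):
    """Build a constructed 20-byte TCP header (no options, checksum left at 0)."""
    off_flags = (5 << 12) | flags          # data offset = 5 words
    return struct.pack(TCP_FMT, sport, dport, seq, ack,
                       off_flags, window, 0, urg_ptr)


def parse_tcp(segment):
    """Return the fields of interest from a raw TCP segment."""
    if len(segment) < 20:
        raise ValueError("truncated TCP header")
    sport, dport, _seq, _ack, off_flags, _win, _csum, urg_ptr = \
        struct.unpack(TCP_FMT, segment[:20])
    data_off = (off_flags >> 12) * 4
    if data_off < 20 or data_off > len(segment):
        raise ValueError("bad data offset")
    return {"sport": sport, "dport": dport,
            "flags": off_flags & 0x3F, "urg_ptr": urg_ptr}


def stray_urgent_pointer(segment):
    """True when the urgent pointer is non-zero although URG is clear.

    The field is only meaningful when URG is set, so a non-zero value
    here is leftover data the sender did not clear.
    """
    h = parse_tcp(segment)
    return not (h["flags"] & URG) and h["urg_ptr"] != 0


def scan(segments):
    """Indices of segments carrying a stray urgent pointer."""
    return [i for i, s in enumerate(segments) if stray_urgent_pointer(s)]


# Constructed sample: a clean SYN, a SYN with a stray pointer, a real URG segment.
SAMPLE = [build_tcp(1025, 135, SYN, 0),
          build_tcp(1026, 135, SYN, 0x1A2B),
          build_tcp(1027, 135, SYN | URG, 4)]

if __name__ == "__main__":
    for i in scan(SAMPLE):
        print(i, parse_tcp(SAMPLE[i]))
```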