Full Disclosure mailing list archives

Re: Windows URG mystery solved!


From: Willy Tarreau <willy () w ods org>
Date: Wed, 17 Sep 2003 19:13:41 +0200

On Wed, Sep 17, 2003 at 11:17:16AM +0200, Michal Zalewski wrote:

> I finally have more details about the Windows URG pointer memory leak,
> first reported here:
>
>   http://www.securityfocus.com/archive/82/335845/2003-08-31/2003-09-06/0
>
> It is a vulnerability.
>
> After a long and daunting hunt, I have determined that pretty much all
> up-to-date Windows 2000 and XP systems are vulnerable to the problem, and
> that it is not caused by any network devices en route or such, but the
> issue is present only in certain conditions.

Hello Michal,

I too discovered this strangeness on Monday, when a guy at work was using a
Windows-based tool to scan for unpatched machines against the Blaster worm.
My netfilter first logged 3 SYNs, and I asked him why his tool was using URG
data, but then I noticed that the URG flag wasn't set. He didn't know and
tried again to scan my Linux box. I don't know what his tool was, but he
launched it from a Blaster-patched WinXP box. This time, the URG pointer was
always 0. Then he scanned the whole network, and I saw non-null URG pointers
coming again to my box. Tcpdump clearly showed that the pointer was in the
packets, and was not invented by netfilter. So I concluded that his box was
leaking memory or doing something strange.

I can ask him the exact windows version, and even some more tests if anyone is
interested.

Regards,
Willy

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
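The anomaly Willy's netfilter logged, a non-zero urgent pointer on a segment whose URG flag is clear, can be checked for directly in a packet capture. The following is an added Python example, not code from the thread; the TCP header samples are constructed and the function names are my own.

```python
import struct

# Bit for the URG flag in the 16-bit data-offset/flags field of a TCP header.
TCP_URG = 0x20

def parse_tcp_header(segment: bytes) -> dict:
    """Decode the fixed 20-byte TCP header (RFC 793 layout)."""
    if len(segment) < 20:
        raise ValueError("segment shorter than a TCP header")
    sport, dport, seq, ack, off_flags, window, checksum, urgptr = \
        struct.unpack("!HHIIHHHH", segment[:20])
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "data_offset": (off_flags >> 12) * 4,
            "flags": off_flags & 0x1FF,  # NS CWR ECE URG ACK PSH RST SYN FIN
            "window": window, "urgptr": urgptr}

def stray_urg_pointer(hdr: dict) -> bool:
    """True when the urgent pointer carries a value although URG is not set.
    RFC 793 only gives the field meaning when URG is set, so a non-zero value
    without the flag is the symptom the thread attributes to leaked memory."""
    return hdr["urgptr"] != 0 and not (hdr["flags"] & TCP_URG)

def build_syn(sport: int, dport: int, seq: int, urgptr: int,
              flags: int = 0x02) -> bytes:
    """Construct a 20-byte SYN header for testing (checksum left at 0)."""
    off_flags = (5 << 12) | flags
    return struct.pack("!HHIIHHHH", sport, dport, seq, 0, off_flags,
                       65535, 0, urgptr)

# Constructed samples: a clean SYN and one carrying a stray urgent pointer.
CLEAN_SYN = build_syn(1025, 135, 1, 0)
LEAKY_SYN = build_syn(1026, 135, 2, 0x4A3C)

def audit(segments):
    """Return (sport, dport, urgptr) for every segment showing the anomaly."""
    hits = []
    for seg in segments:
        hdr = parse_tcp_header(seg)
        if stray_urg_pointer(hdr):
            hits.append((hdr["sport"], hdr["dport"], hdr["urgptr"]))
    return hits

if __name__ == "__main__":
    for h in audit([CLEAN_SYN, LEAKY_SYN]):
        print("stray URG pointer: %d -> %d urgptr=0x%04x" % h)
```

To run it over real traffic, feed it the TCP header bytes of each captured segment; a legitimate URG segment (flag set, pointer non-zero) is not reported.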
