Bugtraq mailing list archives

more testing of Winsock 2.0 DoS


From: mathboy () MOLOKA VELOCET CA (Velocet)
Date: Thu, 12 Mar 1998 14:29:22 -0500


From: John Robinson <johnr () CSH RIT EDU>

If a user has the newest winsock patch for winsock 2.0:
http://www.microsoft.com/windows95/info/ws2.htm

and attempts to do an address lookup on an address which doesn't exist
and is 13 characters long, winsock will fault.

I thought this was a troll, it seemed so ridiculous. Could MS be THAT
bad at coding *AND* testing?! To even attempt to fathom what kind of
coding resulted in this magic number popping up makes me shudder. I
investigated for myself (for once ;):

Disclaimer: This will probably end up coming out as gleeful M$-bashing
""""""""""" here, but last night I spent 5hrs working on a proposal
bid, trying to think of why the client's insistence on "NT+IIS+MS SQL+
Coldfusion" was a worse idea than FreeBSD or BSDI, Apache 1.2.5,
PHP 3.0 and Postgres or Oracle, but I shuddered every time I wrote the
first 4 letters of "FreeBSD" and imagined the questions we'll get if we
even make it to the prelim meetings. If you have any suggestions, feel
free to email me! :)

[ please see note re Unix+NT interop. mailing list proposal at bottom ]

------------------------------------------------------------------------------

Summary: My installation of Winsock 2.0 faults on 15 characters, not 13.
""""""""
         Going back to 1.1 with the scripts provided with the upgrade
         makes things ok again (though you may be open to attacks (newTear?)
         that WS 2.0 'fixes').


== DETAILS, EXPLOITS, and NEW MAILING LIST PROPOSAL FOLLOW ====================

Exploits, Limitations and Further Investigation:
""""""""""""""""""""""""""""""""""""""""""""""""
  - Any exploit would need to cause the target machine to do a
    sort of lookup on a bogus domain name of the magic length
    (successful exploits would include all lengths of name from
     9 to many (32?) characters to be sure).

  - This could include sending email with a URL or embedded image
    tag to someone, or seeding your webpage with bogus hostnames
    of 9-32 characters length.

  - For now, I can't see any way of causing the exploit to
    occur on an UNATTENDED machine. The user must be led to
    click on a URL either in email, or by visiting a webpage.

    (Perhaps r00tshell or others can suggest a way a call to a
    remote Win95 box via SMB messages can cause a forward lookup
    on a bogus domain.)

  - I am not sure when Win95/SMB does 'reverse' lookups, but
    remember 'reverse' checks "*.in-addr.arpa", say for
    logging the hostname attached to an incoming IP to a Win95
    server app (War-FTPD, SMTPD, Personal Web Server, etc.)
      (eg: 24.in-addr.arpa may hose my box at 15 chars.)

    (Sorry, just thought of this now and ain't rebooting linux to check.)


Fixes: - DON'T 'upgrade' to Winsock 2.0. If you have, downgrade.
"""""" - Do not be on a dedicated internet connection without a firewall
         and a sharp network admin responsible for it.


Commentary: This patch looks like it's been out for a while now, and
""""""""""" there are fairly good notes on how to install it, etc, on
MS's site. It doesn't say exactly what it fixes, if it protects against
Nuke, Tear or NewTear or any other recent attacks.

But, HOW THE HELL do they get away with this? The US is worried about
'cyberterrorism'? Well they should investigate MS for practices which
are putting the North American economy at undue risk of attack. If MS
is gonna push their marketing THAT hard, with a small country's worth
of money, such that they strongly affect the way an entire continent
does business, then they should be able to back it up with a quality
product that protects consumers and economic infrastructure. Instead,
businesses are left open to TRIVIALLY implemented and widespread
security attacks.

The government should begin investigating and applying penalties,
perhaps equally to all software development firms, at least starting
with internetworked operating systems.  (Or perhaps professional
engineering accreditations are starting to show their need in this
field. We don't like bridges collapsing, but do we like our intensive
care equipment software failing under a broken OS?)

If MS is going to enjoy what some proponents are terming "a natural
monopoly" (see recent Scientific American commentary re such), then
they should come under scrutiny for quality of service. Oh ya, they're
not a monopoly, and the market will realise who has the best product.
Not.  Will BYTE or PC Mag even mention this massive WS 2.0 gaffe? Will
the public care?

[rant off]

------------------------------------------------------------------------------

Methods:
""""""""
 - I wrote down a list of 14 hostnames, 2 different ones for each
   'length' of name including the '.'s, all assuredly bogus (j21kaa.foo
   for eg).

 - under the old winsock 1.1, I pung, telnetted and made IE 3.0 go visit
   each of the 14 names. No problems (host not found each time).

 - I ran ws2setup and the install ran fine. Then I hit the sites with
   ping, telnet and IE 3.0 again and laughed with a mix of
   self-righteousness and fear.

Observations:
"""""""""""""
  - At 15 characters ONLY on my system did the winsock stack get hosed
    under all of ping, telnet and IE 3.0.

  - Twice out of the 12 attempts and subsequent reboots did my entire
    Win95 just wedge right up to the mouse. Hard reset only option.

 ONCE Winsock 2.0 is HOSED:
  - In all cases, "shutting down my computer" left me with the shutdown
    screen, but did not reboot. I had to go thru scandisk each time.

  - In all cases, other networking apps were either hosed or partially
    functional. In many cases I can see data being lost with any app that
    calls Winsock after some other app hoses the stack (i.e. Word emailing
    out a document by itself, for eg, may hose itself and your changes
    after someone sends your Eudora some email with a bogus hostname link
    in it that you innocently clicked).

  - Launching new networking apps brought up the blue screen each time,
    or did as soon as any networking related function was attempted.

    Many apps I never suspected of having any networking code in them
    seemed to be affected as well (I am not sure if this applies to all
    file open/save dialogues, which have Network.. access options in them.)


==============================================================================
WARNING: Non-direct bugtraq info here. Unix+NT interoperability mailing list
         proposal (or verification of prior existence) content follows.

Is there a support list out there to help make Unix-based solutions
match or best MS/NT based ones? There can sometimes be a large lack of
info out there on what is comparable between Unix and NT, and/or how
Unix can interface with NT or vice versa with various apps and servers.
(How does PHP mix with MS SQL for eg? Can Access talk to Postgres? etc.)

If this exists already, let me know please. If someone wants to start
this, or if I should, please email me. I wanna know what kind of
interest there is in this. I felt quite helpless trying to directly
challenge the proposal guidelines which said MS+NT all the way, no
substitutes accepted. I am sure this happens a lot. Educating ourselves
is the first step to educating our clients.

I'd like to engender that quality in the list's charter as well, to avoid
MS bashing and instead focusing on facts and interoperability. MS bashing
would obviously lead us nowhere.

Email me: math @ velocet . ca

/kc
--
Ken Chase                                          Velocet Communications Inc.
math @ velocet.ca                          www.velocet.ca       Toronto CANADA
--
"Sometimes two [harmless] words, when put together, strike fear in the
  hearts of men -- Microsoft Wallet."                           - Dave Gilbert
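The length sweep from the Methods section above, written out as an added example (this is not code from the post): it builds two assuredly bogus hostnames for every total length, dots included, under the RFC 2606 reserved .invalid TLD, hands each to the local resolver, and records per length whether the lookup correctly fails. The .invalid tail, the seeding scheme and the injectable resolver argument are my own choices, not the author's.

```python
import random
import socket
import string

# RFC 2606 reserves the "invalid" TLD, so any name under it is assuredly
# bogus and can never accidentally hit a real host.
RESERVED_TLD = "invalid"


def bogus_hostname(total_len, variant=0):
    """Build a hostname of exactly total_len characters, dots included,
    as a single label under .invalid. variant picks the first letter so
    the two names tried per length are guaranteed to differ."""
    tail = "." + RESERVED_TLD
    label_len = total_len - len(tail)
    if not 1 <= label_len <= 63:  # one DNS label is at most 63 octets
        raise ValueError(f"cannot build a {total_len}-char single-label name")
    rng = random.Random(total_len * 100 + variant)  # deterministic per slot
    alphabet = string.ascii_lowercase + string.digits
    body = string.ascii_lowercase[variant % 26] + "".join(
        rng.choice(alphabet) for _ in range(label_len - 1))
    return body + tail


def sweep(lengths, variants=2, resolver=socket.gethostbyname):
    """Resolve `variants` bogus names per length and classify each result:
    'not found' is the correct answer; 'resolved! <addr>' means the
    resolver answered for a name that cannot exist; 'error: ...' means the
    lookup call itself raised. A stack that faults like the one in the
    post takes the whole process down, so the last length printed before
    the crash is the magic number."""
    results = {}
    for n in lengths:
        outcomes = []
        for v in range(variants):
            name = bogus_hostname(n, v)
            try:
                outcomes.append(f"resolved! {resolver(name)}")
            except socket.gaierror:
                outcomes.append("not found")
            except Exception as exc:
                outcomes.append(f"error: {exc!r}")
        results[n] = outcomes
    return results


if __name__ == "__main__":
    for n in range(9, 33):  # the 9-32 character band the post suggests
        print(f"{n:2d} chars: {sweep([n])[n]}", flush=True)
```

Run it on the machine whose stack you are checking; every line should read "not found", and a length that never prints is the one that took the resolver down.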