Bugtraq mailing list archives

Re: Windows XP TCP/IP Stack Security Issue (ARP for non RFC 1918 addresses)


From: Dominik George <nik () naturalnet de>
Date: Tue, 27 Apr 2010 07:06:39 +0200

Huh?

This traffic will be discarded at the next hop. The machine has no default route, thus trying to deliver things 
directly. What is strange is that it does in fact try to deliver packets to hosts it obviously doesn't have a route to.

Yet how this is a security issue is a mystery to me.

-nik

-- 
Sent from my Android phone with K-9 Mail. Please excuse my brevity.


r.st () comcast net wrote:

Hasn't XP always sent out ARP on non-assignment (and 2k), and 1918 is a straight grab when unassigned? I don't see a 
security issue here, you might want to expand on the issue.

------Original Message------
From: wborskey () gmail com
To: bugtraq () securityfocus com
Subject: Windows XP TCP/IP Stack Security Issue (ARP for non RFC 1918 addresses)
Sent: Apr 24, 2010 9:15 PM

After putting the port my WAP is plugged into in a bridge group--Cisco 2600--and rejecting traffic at layer two from 
an XP machine, I noticed some odd and insecure behavior. At this point I can only assume what is causing it. 

After adding the MAC of a machine with active TCP/IP sockets to public IP addresses, an odd thing happened. Instead of 
sending out DNS requests to resolve the hosts, the XP machine started sending ARP requests, but ARP requests for 
public IP addresses! For example, it sent out ARP requests like "Who has 74.125.159.103". But not just once!

The XP machine was using a self-assigned 169.254. 
Because the bridge group discard rule was discarding their traffic at layer 2. But somehow, I guess because it had 
open sockets to public IP addresses, it tried to ARP for those addresses to discover what network it was on and where 
to send the packets.

This is extremely dangerous for obvious reasons.



Sent via BlackBerry from T-Mobile
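
An added example, not part of the original posts: a passive check over raw ARP payloads that flags the pattern described in this thread, a sender holding a self-assigned 169.254.0.0/16 address that ARPs for a target outside that range. The function names, the sender MAC and the 169.254.x.x / 192.168.x.x addresses are constructed for illustration; 74.125.159.103 is the target quoted in the thread.

```python
import ipaddress
import struct

LINK_LOCAL = ipaddress.ip_network("169.254.0.0/16")  # self-assigned range

def parse_arp(payload: bytes):
    """Parse an IPv4-over-Ethernet ARP payload (the 28 bytes after the Ethernet header)."""
    if len(payload) < 28:
        return None
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", payload[:8])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None  # not Ethernet/IPv4 ARP
    sha, spa, _tha, tpa = struct.unpack("!6s4s6s4s", payload[8:28])
    return {"oper": oper, "sender_mac": sha.hex(":"),
            "sender_ip": ipaddress.ip_address(spa),
            "target_ip": ipaddress.ip_address(tpa)}

def off_link_arp(payload: bytes):
    """Return (mac, sender_ip, target_ip) when a link-local sender requests a non-link-local target."""
    arp = parse_arp(payload)
    if arp is None or arp["oper"] != 1:  # 1 = request; replies are ignored
        return None
    if arp["sender_ip"] in LINK_LOCAL and arp["target_ip"] not in LINK_LOCAL:
        return (arp["sender_mac"], str(arp["sender_ip"]), str(arp["target_ip"]))
    return None

def build_request(mac: str, spa: str, tpa: str) -> bytes:
    """Build a constructed ARP request so the example runs without a capture file."""
    return struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, 1,
                       bytes.fromhex(mac.replace(":", "")),
                       ipaddress.ip_address(spa).packed, bytes(6),
                       ipaddress.ip_address(tpa).packed)

# Constructed samples: only the first matches the behaviour reported in the thread.
SAMPLES = [
    build_request("00:11:22:33:44:55", "169.254.10.20", "74.125.159.103"),
    build_request("00:11:22:33:44:55", "169.254.10.20", "169.254.77.1"),
    build_request("00:11:22:33:44:66", "192.168.1.5", "192.168.1.1"),
]

if __name__ == "__main__":
    for pkt in SAMPLES:
        hit = off_link_arp(pkt)
        if hit:
            print("link-local host %s (%s) ARPing for off-link %s" % hit)
```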
