Nmap Announce mailing list archives
Microsoft Tightens the Noose on Raw Sockets
From: Fyodor <fyodor () insecure org>
Date: Sat, 23 Apr 2005 01:25:54 -0700
Many of us were annoyed last year when Microsoft intentionally broke raw sockets on Windows XP, while leaving the feature enabled in Windows 2003. MS is well known for maintaining the upgrade treadmill by dubious means such as gratuitous file format incompatibilities, but this is a new low. People pay $299.99 for WinXP Pro with working raw sockets, then MS cripples their systems and demands $1019 (WS2003 retail price) to return the functionality. Of course Microsoft claims this change is necessary for security. That is funny, since all of the other major platforms Nmap supports (e.g. Mac OS X, Linux, *BSD) offer raw sockets and yet they haven't become the wasp nest of spambots, worms, and spyware that infest so many Windows boxes.

This takes us back to 1996, when MS released Windows NT 4.0 Workstation with a limit of 10 incoming connections per 10 minutes[1]. They (falsely) claimed this limit was due to substantial technical differences between Workstation and Server, and wasn't just a way to force an $800 upgrade. But at least that was a new product -- MS didn't proactively break existing, working web servers. Soon hackers discovered that the "substantial technical differences" were just a registry key setting. MS backed down and removed the limitation.

Well, they haven't backed down this time! I know that some of you have been avoiding SP2 to keep your system fully functional. MS made a blocking tool available to Enterprises, but they overrode it on April 12 and forced the upgrade through Automatic Update anyway[2]. And now they have quietly snuck the raw sockets restriction in with their latest critical security patch (MS05-019). The loophole that allowed users to defeat the limitation by stopping the ICS service has also been closed by MS05-019. I have appended an informative NTBugtraq post by Robin Keir on this topic. Pick your poison: Install MS05-019 and cripple your OS, or ignore the hotfix and remain vulnerable to remote code execution and DoS.
Nmap has not supported dialup nor any other non-ethernet connections on Windows since this silly limitation was added. The new TCP connection limit also substantially degrades connect() scan. Nmap users should avoid thinking that all platforms are supported equally. If you have any choice, run Nmap on Linux, Mac OS X, Open/FreeBSD, or Solaris rather than Windows. Nmap will run faster and more reliably. Or you can try convincing MS to fix their TCP stack. Good luck with that.

Rant mode off,
-Fyodor

[1] http://tim.oreilly.com/articles/10-conn.html
[2] http://it.slashdot.org/article.pl?sid=05/04/06/1657216&tid=201&tid=172&tid=218

From: Robin Keir <robin () KEIR NET>
To: NTBUGTRAQ () LISTSERV NTBUGTRAQ COM
Subject: MS05-019 breaks TCP raw socket sends
Date: Tue, 12 Apr 2005 20:37:02 -0700

Today's bugfix MS05-019 ("Vulnerabilities in TCP/IP Could Allow Remote Code Execution and Denial of Service" - KB893066) appears to break TCP raw socket sends on XP (tested with SP1 and SP2). Windows Server 2003 appears unaffected.

It is a documented fact that TCP raw socket sends were disabled with XP SP2. This was easily circumvented by disabling the Windows Firewall service ("net stop sharedaccess"). It now appears that with the MS05-019 hotfix a similar situation has arisen whereby TCP raw socket sends are prevented, not only in SP2 but also SP1 (and probably SP0). This does *not* seem to be able to be overcome by stopping the firewall service(s). I don't know if this was intentional but I don't see any reference to this behavior.

Incidentally, with Windows Server 2003 MS had "accidentally" also disabled TCP raw socket sends as with XP SP2 until they were notified of this unintentional regression and "fixed" it in RC2 and the final release. One wonders whether they "accidentally" used a component from XP SP2 in this hotfix causing this undesirable behavior.

--
Robin

_______________________________________________
Sent through the nmap-hackers mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-hackers