Nmap Announce mailing list archives

Microsoft Tightens the Noose on Raw Sockets
From: Fyodor <fyodor () insecure org>
Date: Sat, 23 Apr 2005 01:25:54 -0700

Many of us were annoyed last year when Microsoft intentionally broke
raw sockets on Windows XP, while leaving the feature enabled in
Windows 2003.  MS is well known for maintaining the upgrade treadmill
by dubious means such as gratuitous file format incompatibilities, but
this is a new low.  People pay $299.99 for WinXP Pro with working raw
sockets, then MS cripples their systems and demands $1019 (WS2003
retail price) to return the functionality.  Of course Microsoft claims
this change is necessary for security.  That is funny, since all of
the other major platforms Nmap supports (e.g. Mac OS X, Linux, *BSD)
offer raw sockets and yet they haven't become the wasp nest of
spambots, worms, and spyware that infest so many Windows boxes.

This takes us back to 1996, when MS released Windows NT 4.0
Workstation with a limit of 10 incoming connections per 10 minutes[1].
They (falsely) claimed this limit was due to substantial technical
differences between Workstation and Server, and wasn't just a way to
force an $800 upgrade.  But at least that was a new product -- MS
didn't proactively break existing, working web servers.  Soon hackers
discovered that the "substantial technical differences" were just a
registry key setting.  MS backed down and removed the limitation.

Well, they haven't backed down this time!  I know that some of you
have been avoiding SP2 to keep your system fully functional.  MS made
a blocking tool available to Enterprises, but they overrode it on
April 12 and forced the upgrade through Automatic Update anyway[2].
And now they have quietly snuck the raw sockets restriction in with
their latest critical security patch (MS05-019).  The loophole that
allowed users to defeat the limitation by stopping the ICS service has
also been closed by MS05-019.  I have appended an informative
NTBugtraq post by Robin Keir on this topic.  Pick your poison: Install
MS05-019 and cripple your OS, or ignore the hotfix and remain
vulnerable to remote code execution and DoS.

Nmap has not supported dialup or any other non-ethernet connections
on Windows since this silly limitation was added.  The new TCP
connection limit also substantially degrades connect() scan.  Nmap
users should avoid thinking that all platforms are supported equally.
If you have any choice, run Nmap on Linux, Mac OS X, Open/FreeBSD, or
Solaris rather than Windows.  Nmap will run faster and more reliably.
Or you can try convincing MS to fix their TCP stack.  Good luck with
that.

Rant mode off,
-Fyodor

[1] http://tim.oreilly.com/articles/10-conn.html
[2] http://it.slashdot.org/article.pl?sid=05/04/06/1657216&tid=201&tid=172&tid=218

From: Robin Keir <robin () KEIR NET>
To: NTBUGTRAQ () LISTSERV NTBUGTRAQ COM
Subject: MS05-019 breaks TCP raw socket sends
Date: Tue, 12 Apr 2005 20:37:02 -0700

Today's bugfix MS05-019 ("Vulnerabilities in TCP/IP Could Allow Remote
Code Execution and Denial of Service" - KB893066) appears to break TCP
raw socket sends on XP (tested with SP1 and SP2). Windows Server 2003
appears unaffected.

It is a documented fact that TCP raw socket sends were disabled with
XP SP2. This was easily circumvented by disabling the Windows Firewall
service ("net stop sharedaccess"). It now appears that with the
MS05-019 hotfix a similar situation has arisen whereby TCP raw socket
sends are prevented, not only in SP2 but also SP1 (and probably
SP0). This does *not* seem to be able to be overcome by stopping the
firewall service(s).

I don't know if this was intentional but I don't see any reference to
this behavior.

Incidentally, with Windows Server 2003 MS had "accidentally" also
disabled TCP raw socket sends as with XP SP2 until they were notified
of this unintentional regression and "fixed" it in RC2 and the final
release. One wonders whether they "accidentally" used a component from
XP SP2 in this hotfix causing this undesirable behavior.

--
Robin


_______________________________________________
Sent through the nmap-hackers mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-hackers