Windows ME Default Multicast behavior - a potential for vulnerability?

[Sam Stern <samstern () MAILANDNEWS COM>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

All,

While testing a software firewall, I noticed an interesting series of
transmissions from my Windows ME host:

2000/09/06 9:38:32 AM GMT -0400: Linksys LNE100TX ..[0003][Ref#
200451] Blocking outgoing UDP: src=<myip>, dst=239.255.255.250,
sport=1028, dport=1900.
<repeated 2x>

I've got the host on a switch right now, so I don't have a packet
dump for you all.

A Quick check of the IANA Multi Cast Docs at
http://www.isi.edu/in-notes/iana/assignments/multicast-addresses
Shows that this call is under RFC 2365.
239.255.000.000-239.255.255.255 Site-Local Scope
[Meyer,RFC2365]

an examination of http://www.ietf.org/rfc/rfc2365.txt

Yield the interesting paragraph
"
...
10. Security Considerations

   It is recommended that organizations using the administratively
   scoped IP Multicast addresses not rely on them to prevent
sensitive
   data from being transmitted outside the organization.  Should a
   multicast router on an administrative boundary be mis-configured,
   have a bug in the administrative scoping code, or have other
problems
   that would cause that router to forward an administratively scoped
IP
   multicast packet outside of the proper scope, the organizations
data
   would leave its intended transmission region.
...
"

I'm curious: Can this default behavior yield a realistic potential
for system compromise especially in a local loop scenario such as a
cable modem system?



Yours,


Sam Stern, Bethesda, MD, USA PGP ID:0x949342F9
mailto:samstern () mailandnews com

-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.3
Comment: A Digitally ensures unaltered message content

iQA/AwUBObalCLBCInuUk0L5EQIuIwCg/ouC93ezTROw6oB94ZyLPQqf7cIAnjPy
UqN93SWgYkrIDyvXjIKlCtp1
=wSbW
-----END PGP SIGNATURE-----