Vulnerability Development mailing list archives

certain versions of Windows XP leaking memory in TCP packets?


From: Michal Zalewski <lcamtuf () coredump cx>
Date: Tue, 2 Sep 2003 14:09:08 +0200 (CEST)


Hello list,

While writing the new version of my passive OS fingerprinting tool, p0f
(no, this time, it's not a shameless plug), I was trying to come up with a
number of new metrics that can be used for this purpose. One of the ideas
was to look for glitches such as non-zero values in sections of the packet
that are irrelevant and should be zeroed, in particular the ACK value in
SYN packets with no ACK flag set, and URG pointer in SYN packets with no
URG flag set.

This and several other "quirk checks" turned out to be quite useful. I
kept running p0f on one of the servers, and found out there is a sizable
(but minority) population of what looks like Windows XP systems that
appear to be setting URG pointer in SYN packets with no URG flag to values
that seemed to be random (whereas other devices that had this "feature",
were using a fixed value, such as 0xcccc), but sometimes repeated in two
subsequent connections from the same source.

Quite unfortunately, none of those machines ever visited my signature
submission page at http://lcamtuf.coredump.cx/p0f-help/, so I do not have
any detailed configuration information and couldn't perform more detailed
checks, so I'm just posting it here for your consideration and eventual
testing. Here's a sample (observe URG value):

<Tue Sep  2 13:02:48 2003> A:3827 - Windows XP (2) (PLEASE REPORT!) [GENERIC]
  Signature: [16384:119:1:48:M1460,N,N,S:U:Windows:?]
  -> server:80 (distance 9, link: ethernet/modem)
  -- EXTRA TCP VALUES: ACK=0x0, UNUSED=0, URG=0x819e

<Tue Sep  2 13:02:48 2003> A:3829 - Windows XP (2) (PLEASE REPORT!) [GENERIC]
  Signature: [16384:119:1:48:M1460,N,N,S:U:Windows:?]
  -> server:80 (distance 9, link: ethernet/modem)
  -- EXTRA TCP VALUES: ACK=0x0, UNUSED=0, URG=0xdc19

<Tue Sep  2 13:02:49 2003> A:3830 - Windows XP (2) (PLEASE REPORT!) [GENERIC]
  Signature: [16384:119:1:48:M1460,N,N,S:U:Windows:?]
  -> server:80 (distance 9, link: ethernet/modem)
  -- EXTRA TCP VALUES: ACK=0x0, UNUSED=0, URG=0x8158

<Tue Sep  2 13:02:49 2003> A:3833 - Windows XP (2) (PLEASE REPORT!) [GENERIC]
  Signature: [16384:119:1:48:M1460,N,N,S:U:Windows:?]
  -> server:80 (distance 9, link: ethernet/modem)
  -- EXTRA TCP VALUES: ACK=0x0, UNUSED=0, URG=0x8158

Now, my immediate guess would be that this Windows box is leaking the
contents of some previously sent packets by not zeroing the buffer used to
construct a new packet completely. It's less likely, but not impossible,
that this URG value is set by some network device or is not related to the
previous packet.

Any ideas? Or perhaps you have any XP boxes to point to
http://lcamtuf.coredump.cx/p0f-help or
https://coredump.cx:443/~lcamtuf/p0f-help/ to submit configuration
details and help me find out which systems are affected and why?

Thanks,
-- 
------------------------- bash$ :(){ :|:&};: --
 Michal Zalewski * [http://lcamtuf.coredump.cx]
    Did you know that clones never use mirrors?
--------------------------- 2003-09-02 13:26 --
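The two "should be zero" quirk checks described in the message, plus the repeated-URG observation across connections from one source, as an added example (not p0f's code and not part of the original post). The packet builder and the source labels "A" and "B" are constructed here; the URG values mirror the four SYNs quoted above.

```python
import struct
from collections import Counter, defaultdict

# TCP flag bits (RFC 793); the data offset shares the same 16-bit word (top 4 bits)
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
HDR = "!HHIIHHHH"  # sport, dport, seq, ack, offset+flags, window, checksum, urgptr

def tcp_quirks(header: bytes) -> list:
    """Flag fields that must be zero but are not, for one raw 20+ byte TCP header."""
    _sp, _dp, _seq, ack, off_flags, _win, _csum, urgp = struct.unpack(HDR, header[:20])
    flags = off_flags & 0x1FF
    quirks = []
    if flags & SYN and not flags & ACK and ack:
        quirks.append("ack=0x%x" % ack)    # ACK number set while the ACK flag is clear
    if not flags & URG and urgp:
        quirks.append("urg=0x%x" % urgp)   # URG pointer set while the URG flag is clear
    return quirks

def repeated_urg_by_source(packets):
    """packets: iterable of (src, raw_tcp_header). Returns {src: {unflagged URG quirks
    seen more than once}}, i.e. the 'repeated in two subsequent connections' pattern."""
    seen = defaultdict(Counter)
    for src, hdr in packets:
        for q in tcp_quirks(hdr):
            if q.startswith("urg="):
                seen[src][q] += 1
    return {src: {q for q, n in c.items() if n > 1}
            for src, c in seen.items() if any(n > 1 for n in c.values())}

def make_syn(sport: int, urgp: int = 0, ack: int = 0, dport: int = 80) -> bytes:
    """Constructed 20-byte SYN with no options (data offset 5), window 16384."""
    return struct.pack(HDR, sport, dport, 0x1234, ack, (5 << 12) | SYN, 16384, 0, urgp)

# Constructed sample: the four SYNs from the post (source "A") and one clean SYN ("B")
SAMPLE = [("A", make_syn(3827, 0x819e)), ("A", make_syn(3829, 0xdc19)),
          ("A", make_syn(3830, 0x8158)), ("A", make_syn(3833, 0x8158)),
          ("B", make_syn(40000))]

if __name__ == "__main__":
    for src, hdr in SAMPLE:
        print(src, tcp_quirks(hdr))
    print(repeated_urg_by_source(SAMPLE))
```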