Windows URG mystery solved!

[Michal Zalewski <lcamtuf () dione ids pl>]

I finally have more details about the Windows URG pointer memory leak,
first reported here:

  http://www.securityfocus.com/archive/82/335845/2003-08-31/2003-09-06/0

It is a vulnerability.

After a long and daunting hunt, I have determined that pretty much all
up-to-date Windows 2000 and XP systems are vulnerable to the problem, and
that it is not caused by any network devices en route or such, but the
issue is present only in certain conditions.

I have initially reported I see a minority population of systems
exhibiting this pattern. It turns out the majority of population is
vulnerable, simply not exhibiting this behavior all the time.

It is exhibited whenever a data transfer is occuring at the time the
initial SYN is sent. The URG value would often contain a random piece of
a packet (frequently data) belonging to the other connection.

This happens during regular browsing, and will also be triggered by
background downloads, etc.

I do not want to exaggerate the impact of this vulnerability, the amount
of data disclosed is fairly low, but it's still quite cool.

Cheers,
-- 
------------------------- bash$ :(){ :|:&};: --
 Michal Zalewski * [http://lcamtuf.coredump.cx]
    Did you know that clones never use mirrors?
--------------------------- 2003-09-17 10:44 --