Latest MS Patch Disables Raw Sockets

[iago]

Posted by Fyodor (author of NMap):

Many of us were annoyed last year when Microsoft intentionally broke
raw sockets on Windows XP, while leaving the feature enabled in
Windows 2003.  MS is well known for maintaining the upgrade treadmill
by dubious means such gratuitous file format incompatibilities, but
this is a new low.  People pay $299.99 for WinXP Pro with working raw
sockets, then MS cripples their systems and demands $1019 (WS2003
retail price) to return the functionality.  Of course Microsoft claims
this change is necessary for security.  That is funny, since all of
the other major platforms Nmap supports (e.g. Mac OS X, Linux, *BSD)
offer raw sockets and yet they haven't become the wasp nest of
spambots, worms, and spyware that infest so many Windows boxes.

This takes us back to 1996, when MS released Windows NT 4.0
Workstation with a limit of 10 incoming connections per 10 minutes[1].
They (falsely) claimed this limit was due to substantial technical
differences between Workstation and Server, and wasn't just a way to
force an $800 upgrade.  But at least that was a new product -- MS
didn't proactively break existing, working web servers.  Soon hackers
discovered that the "substantial technical differences" were just a
registry key setting.  MS backed down and removed the limitation.

Well, they haven't backed down this time!  I know that some of you
have been avoiding SP2 to keep your system fully functional.  MS made
a blocking tool available to Enterprises, but they overrode it on
April 12 and forced the upgrade through Automatic Update anyway[2].
And now they have quietly snuck the raw sockets restriction in with
their latest critical security patch (MS05-019).  The loophole that
allowed users to defeat the limitation by stopping the ICS service has
also been closed by MS05-019.  I have appended an informative
NTBugtraq post by Robin Keir on this topic.  Pick your poison: Install
MS05-019 and cripple your OS, or ignore the hotfix and remain
vulnerable to remote code execution and DoS.

Nmap has not supported dialup nor any other non-ethernet connections
on Windows since this silly limitation was added.  The new TCP
connection limit also substantially degrades connect() scan.  Nmap
users should avoid thinking that all platforms are supported equally.
If you have any choice, run Nmap on Linux, Mac OS X, Open/FreeBSD, or
Solaris rather than Windows.  Nmap will run faster and more reliably.
Or you can try convincing MS to fix their TCP stack.  Good luck with
that.

Rand mode off,
-Fyodor

[1] http://tim.oreilly.com/articles/10-conn.html
[2] http://it.slashdot.org/article.pl?sid=05/04/06/1657216&tid=201&tid=172&tid=218

From: Robin Keir <robin@KEIR.NET>
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
Subject: MS05-019 breaks TCP raw socket sends
Date:  Tue, 12 Apr 2005 20:37:02 -0700

Today's bugfix MS05-019 ("Vulnerabilities in TCP/IP Could Allow Remote
Code Execution and Denial of Service" - KB893066) appears to break TCP
raw socket sends on XP (tested with SP1 and SP2). Windows Server 2003
appears unaffected.

It is a documented fact that TCP raw socket sends were disabled with
XP SP2. This was easily circumvented by disabling the Windows Firewall
service ("net stop sharedaccess"). It now appears that with the
MS05-019 hotfix a similar situation has arisen whereby TCP raw socket
sends are prevented, not only in SP2 but also SP1 (and probably
SP0). This does *not* seem to be able to be overcome by stopping the
firewall service(s).

I don't know if this was intentional but I don't see any reference to
this behavior.

Incidentally, with Windows Server 2003 MS had "accidentally" also
disabled TCP raw socket sends as with XP SP2 until they were notified
of this unintentional regression and "fixed" it in RC2 and the final
release. One wonders whether they "accidentally" used a component from
XP SP2 in this hotfix causing this undesirable behavior.

--
Robin


_______________________________________________
Sent through the nmap-hackers mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-hackers

[Newby]

Good. Raw sockets was a stupid idea in the first place.

read: here

[iago]

Yeah, God forbid people are allowed to look after their own computers and be able to experiment with packets.

As Fyodor said, if raw sockets are so bad, why doesn't every other OS have problems with DoS bots and all that?  Disabling raw sockets is just another bullshit workaround that Microsoft is famous for.

[Newby]

The average user doesn't experiment with packets.

Microsoft releases patches in the best interest of the average home user who doesn't have the slightest clue what a raw socket is.

[iago]

The average user doesn't experiment with packets.

Microsoft releases patches in the best interest of the average home user who doesn't have the slightest clue what a raw socket is.

And now NO users can, is that batter?  They don't even make it POSSIBLE for you to experiment with raw packets.

[Quik]

Pssh, no. That's what a Linux user would do!

[Newby]

If you want raw sockets cheap, switch to Linux or something. Microsoft doesn't care.

[Warrior]

I agree with Newby, they distribute to a large audience of home users and want them to feel secure and make it so they can't kill their own computer.

[iago]

So they make it impossible to do certain things that some people might require? Or that some products might require to work?  And they let you "fix" the problem if you spent over $1000 on another version of the os? 

It seems to me that an OS should ship with something that might be "dangerous" (which I wouldn't even call raw sockets, but that's another point) turned off, but with the option to enable it.

[iago]

More from Fyodor:

In my Saturday raw sockets rant, I included a message from Robin Keir
describing how MS05-019 breaks raw sockets even for pre-SP2 WinXP
machines.  He has now done more research and sent me the following
mail summarizing how windows platforms (Win2K, WinXP, Win2003)
interact with service patches, hotfixes, and the sharedaccess service
to restrict (or not) raw sockets.  For the executive summary, read
just the final line of his email.

From: Robin Keir <robin@keir.net>
Date: Mon, 25 Apr 2005 14:33:01 -0700
Subject: Raw sockets, MS05-019 and Windows Firewall -- Summary

With the advent of XP SP2 and the recent MS05-019 patch, using raw
sockets for scanning from a Windows platform has proven to be very
problematic. I thought I would summarize the situation.

Based upon the presence of MS05-019 and the state of the Windows
Firewall service(s) we have to decide whether we need to stop or start
the firewall service(s). Even then there may still be issues. The logic
is as follows:

Windows 2000 is unaffected. It fully supports all raw socket actions and
 since it doesn't have the Windows Firewall/ICF we don't have any of
those associated issues.

XP SP0 should have the firewall stopped ("net stop sharedaccess"). Even
though TCP raw sockets are unaffected by the firewall the ALG service,
which is intimately tied to the firewall service on XP, prevents
discovery of several ports such as 21, 389, 1002 and 1720 when using TCP
raw sockets. Stopping the sharedaccess service thus automatically stops
the ALG service and we're good to go.

XP SP1 *without* MS05-019 functions the same as XP SP0.

XP SP1 *with* MS05-019 needs to have the sharedaccess firewall service
*running* (see http://support.microsoft.com/kb/897656) otherwise TCP raw
sockets are blocked. Because the sharedaccess service needs to be
running to enable sending of TCP packets using raw sockets we have the
problem with the ALG service blocking sending to certain ports, but it's
better than nothing.

XP SP2 *without* MS05-019 functions the same as XP SP1 without the patch
apart from a driver-level restriction on the number of
in-the-process-of-connecting TCP connections. This can affect regular
socket style scanning. The only known workaround to the driver issue is
a TCPIP.SYS hack.

XP SP2 *with* MS05-019 is unusable for raw-socket TCP scanning. It
totally blocks TCP raw sockets with or without the firewall enabled.

Windows Server 2003 acts like XP SP0. The ALG service, which is now no
longer tied to the sharedaccess (Windows Firewall) service, should be
stopped ("net stop alg").

What a mess  :-)

So you CAN still send raw packets, it seems, but only if you're using Windows' firewall.  Huh?

[iago]

As long as I'm posting about this story, here's some info on how the patch mucks up Win2k:

FYI Re: MS05-019 and Windows Raw Sockets:

More on MS05-019

It breaks a lot more than just raw sockets on current Win32 platforms.
It wreaks havoc on pre XP systems as well in other areas.

Win2k machines are not affected by MS05-019 raw sockets issue but this
early patch release breaks so much more on Win2k that it causes its own
denial of service!

Our enterprise loaded with Win2k SP4 (fully patched) servers experienced
a multitude of issues over the last few days that almost had me pulling
my hair out until I eventually narrowed down the problem and helped
Microsoft resolve the issues leading to the release of the "updated
patch" today (4/25/05).

MS05-019 modifies the IP stack and replaces tcpip.sys with a modified
version that changes the values of the MaxICMP route and MTU settings.
It virtually crippled all of our servers on WAN sites that were going
across routers and firewalls due to packet MTU size issues and discards.

All of our WAN servers would run fine for a day after reboot and shortly
thereafter would begin to fail with AD replication, RPC communication,
Terminal services, IIS/WebDav, etc. Basically all of the upper layer
services. ICMP (ping echo-replies) would always work but all of the
upper services would not respond. We first noticed it with our heavy
Citrix/Printing as spool jobs would fail.

This primarily affects servers in routed environments or any environment
where packet size MTU and DF bit settings may be set. Small environments
where all servers are in one physical/logical site will not experience
this issue.

MS05-019 modifies:

C:\WINNT\system32\dllcache\msafd.dll
C:\WINNT\system32\dllcache\tdi.sys
C:\WINNT\system32\dllcache\wshtcpip.dll
C:\WINNT\system32\drivers\tcpip.sys <- main replaced/affected file with
a Feb 2005 version from former June 2003 version.

Just thought I'd share as maybe this information can be useful to many
of your readers who may be suffering or will soon be suffering from
weird Windows issues.

It took me 3 days to prove it to Microsoft even after I could replicate
the issue and finally they admitted to me that their developers started
working on a fix for this issue as a post MS05-019/KB893066 update which
was released today. The MS05-019 patch was released as a "rush" patch to
address other issues that were going on in the field.

I have not tried the updated fix yet so I can not speak to the raw
sockets issue on XP machines. This would be a good test to see if it
addresses that as well.

More interesting reading info released late on Monday April 25th:

The official Microsoft Bulletin released today:

http://support.microsoft.com/kb/898060/

And another good related link:

http://myitforum.techtarget.com/blog/cmosby/archive/2005/04/23/5403.aspx

Marcial Feliciano
CCNA,CCDA,CCSA,CCSE,MCSE,CISSP
Sr. Systems/Security Engineer
Wilmington Finance (AIG subsidiary)

[Newby]

Haha, gay.

[Newby]

Apparently, Microsoft agrees with me on the topic of raw sockets and DDoSing!

[iago]

Apparently, Microsoft agrees with me on the topic of raw sockets and DDoSing!

Well, continue using Windows and letting Microsoft think for you.  I'll stick with Linux and think for myself.

[Newby]

Half -- no -- 80% of the people using Windows don't think for themselves when it comes to security.

80% that bought the product legally (computer ignorant) outweigh the 20% who may have purchased it legally and/or pirated it. Greatly outweigh.

Microsoft is doing this in the best interest of the average home user, who only uses Internet Explorer and possibly AOL Instant Messenger/MSN Messenger when they're in front of a computer.