Wieners, Brats, Franks, we've got 'em all.
Many of us were annoyed last year when Microsoft intentionally broke raw sockets on Windows XP, while leaving the feature enabled in Windows 2003. MS is well known for maintaining the upgrade treadmill by dubious means such as gratuitous file format incompatibilities, but this is a new low. People pay $299.99 for WinXP Pro with working raw sockets, then MS cripples their systems and demands $1019 (WS2003 retail price) to return the functionality. Of course Microsoft claims this change is necessary for security. That is funny, since all of the other major platforms Nmap supports (e.g. Mac OS X, Linux, *BSD) offer raw sockets and yet they haven't become the wasp nest of spambots, worms, and spyware that infest so many Windows boxes.

This takes us back to 1996, when MS released Windows NT 4.0 Workstation with a limit of 10 incoming connections per 10 minutes[1]. They (falsely) claimed this limit was due to substantial technical differences between Workstation and Server, and wasn't just a way to force an $800 upgrade. But at least that was a new product -- MS didn't proactively break existing, working web servers. Soon hackers discovered that the "substantial technical differences" were just a registry key setting. MS backed down and removed the limitation.

Well, they haven't backed down this time! I know that some of you have been avoiding SP2 to keep your system fully functional. MS made a blocking tool available to Enterprises, but they overrode it on April 12 and forced the upgrade through Automatic Update anyway[2]. And now they have quietly snuck the raw sockets restriction in with their latest critical security patch (MS05-019). The loophole that allowed users to defeat the limitation by stopping the ICS service has also been closed by MS05-019. I have appended an informative NTBugtraq post by Robin Keir on this topic. Pick your poison: Install MS05-019 and cripple your OS, or ignore the hotfix and remain vulnerable to remote code execution and DoS.

Nmap has not supported dialup nor any other non-ethernet connections on Windows since this silly limitation was added. The new TCP connection limit also substantially degrades connect() scan. Nmap users should avoid thinking that all platforms are supported equally. If you have any choice, run Nmap on Linux, Mac OS X, Open/FreeBSD, or Solaris rather than Windows. Nmap will run faster and more reliably. Or you can try convincing MS to fix their TCP stack. Good luck with that.

Rant mode off,
-Fyodor

[1] http://tim.oreilly.com/articles/10-conn.html
[2] http://it.slashdot.org/article.pl?sid=05/04/06/1657216&tid=201&tid=172&tid=218

From: Robin Keir <robin@KEIR.NET>
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
Subject: MS05-019 breaks TCP raw socket sends
Date: Tue, 12 Apr 2005 20:37:02 -0700

Today's bugfix MS05-019 ("Vulnerabilities in TCP/IP Could Allow Remote Code Execution and Denial of Service" - KB893066) appears to break TCP raw socket sends on XP (tested with SP1 and SP2). Windows Server 2003 appears unaffected.

It is a documented fact that TCP raw socket sends were disabled with XP SP2. This was easily circumvented by disabling the Windows Firewall service ("net stop sharedaccess"). It now appears that with the MS05-019 hotfix a similar situation has arisen whereby TCP raw socket sends are prevented, not only in SP2 but also SP1 (and probably SP0). This does *not* seem to be able to be overcome by stopping the firewall service(s).

I don't know if this was intentional but I don't see any reference to this behavior.

Incidentally, with Windows Server 2003 MS had "accidentally" also disabled TCP raw socket sends as with XP SP2 until they were notified of this unintentional regression and "fixed" it in RC2 and the final release. One wonders whether they "accidentally" used a component from XP SP2 in this hotfix causing this undesirable behavior.

--
Robin

_______________________________________________
Sent through the nmap-hackers mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-hackers
[17:32:45] * xar sets mode: -oooooooooo algorithm ban chris cipher newby stdio TehUser tnarongi|away vursed warz
[17:32:54] * xar sets mode: +o newby
[17:32:58] <xar> new rule
[17:33:02] <xar> me and newby rule all
Quote from: CrAz3D on June 30, 2008, 10:38:22 am
I'd bet that you're currently bloated like a water balloon on a hot summer's day.

That analogy doesn't even make sense. Why would a water balloon be especially bloated on a hot summer's day? For your sake, I hope there wasn't too much logic testing on your LSAT.
I'd bet that you're currently bloated like a water balloon on a hot summer's day.
The average user doesn't experiment with packets. Microsoft releases patches in the best interest of the average home user who doesn't have the slightest clue what a raw socket is.
[20:21:13] xar: i was just thinking about the time iago came over here and we made this huge bomb and light up the sky for 6 min
[20:21:15] xar: that was funny
In my Saturday raw sockets rant, I included a message from Robin Keir describing how MS05-019 breaks raw sockets even for pre-SP2 WinXP machines. He has now done more research and sent me the following mail summarizing how Windows platforms (Win2K, WinXP, Win2003) interact with service patches, hotfixes, and the sharedaccess service to restrict (or not) raw sockets. For the executive summary, read just the final line of his email.

From: Robin Keir <robin@keir.net>
Date: Mon, 25 Apr 2005 14:33:01 -0700
Subject: Raw sockets, MS05-019 and Windows Firewall -- Summary

With the advent of XP SP2 and the recent MS05-019 patch, using raw sockets for scanning from a Windows platform has proven to be very problematic. I thought I would summarize the situation.

Based upon the presence of MS05-019 and the state of the Windows Firewall service(s) we have to decide whether we need to stop or start the firewall service(s). Even then there may still be issues. The logic is as follows:

Windows 2000 is unaffected. It fully supports all raw socket actions and since it doesn't have the Windows Firewall/ICF we don't have any of those associated issues.

XP SP0 should have the firewall stopped ("net stop sharedaccess"). Even though TCP raw sockets are unaffected by the firewall, the ALG service, which is intimately tied to the firewall service on XP, prevents discovery of several ports such as 21, 389, 1002 and 1720 when using TCP raw sockets. Stopping the sharedaccess service thus automatically stops the ALG service and we're good to go.

XP SP1 *without* MS05-019 functions the same as XP SP0.

XP SP1 *with* MS05-019 needs to have the sharedaccess firewall service *running* (see http://support.microsoft.com/kb/897656) otherwise TCP raw sockets are blocked. Because the sharedaccess service needs to be running to enable sending of TCP packets using raw sockets we have the problem with the ALG service blocking sending to certain ports, but it's better than nothing.

XP SP2 *without* MS05-019 functions the same as XP SP1 without the patch apart from a driver-level restriction on the number of in-the-process-of-connecting TCP connections. This can affect regular socket style scanning. The only known workaround to the driver issue is a TCPIP.SYS hack.

XP SP2 *with* MS05-019 is unusable for raw-socket TCP scanning. It totally blocks TCP raw sockets with or without the firewall enabled.

Windows Server 2003 acts like XP SP0. The ALG service, which is now no longer tied to the sharedaccess (Windows Firewall) service, should be stopped ("net stop alg").

What a mess :-)
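Robin's table says which case a box falls into, but the quickest way to know is to try the exact operation that gets blocked: a hand-built TCP SYN pushed through an IP_HDRINCL raw socket. The Python below is an added example for this thread, not Nmap's code and not from any of the quoted posts. It builds a minimal IPv4+TCP SYN with both checksums filled in, then reports whether the stack accepted the send. It needs administrator/root; the 192.0.2.x addresses are TEST-NET placeholders, and the expectation that a stack-level block shows up as an access-denied error (WSAEACCES 10013 on Winsock, EACCES elsewhere) is an assumption of mine, not something stated on this page.

```python
"""Probe whether this host lets a process send a hand-built TCP SYN through a
raw socket. Added example for the MS05-019 discussion; not Nmap's code."""
import errno
import socket
import struct
import sys


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words, complemented."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_syn(src_ip: str, dst_ip: str, sport: int, dport: int, seq: int = 0) -> bytes:
    """Return a 40-byte IPv4 header + TCP header with only SYN set."""
    src, dst = socket.inet_aton(src_ip), socket.inet_aton(dst_ip)
    # TCP: sport, dport, seq, ack, data-offset(5 words)|SYN, window, checksum(0), urgent
    offset_flags = (5 << 12) | 0x02
    tcp = struct.pack("!HHIIHHHH", sport, dport, seq, 0, offset_flags, 65535, 0, 0)
    pseudo = struct.pack("!4s4sBBH", src, dst, 0, socket.IPPROTO_TCP, len(tcp))
    tcp = tcp[:16] + struct.pack("!H", checksum(pseudo + tcp)) + tcp[18:]
    # IPv4: ver/ihl, tos, total length, id, flags/frag (DF), ttl, proto, checksum(0), src, dst
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234, 0x4000,
                     64, socket.IPPROTO_TCP, 0, src, dst)
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    return ip + tcp


def checksums_valid(pkt: bytes) -> bool:
    """Re-running the checksum over a correctly checksummed header yields 0."""
    ip, tcp = pkt[:20], pkt[20:]
    pseudo = struct.pack("!4s4sBBH", ip[12:16], ip[16:20], 0, socket.IPPROTO_TCP, len(tcp))
    return checksum(ip) == 0 and checksum(pseudo + tcp) == 0


def raw_syn_send_allowed(src_ip: str, dst_ip: str, dport: int = 80):
    """Try one raw TCP SYN send. Returns (allowed, reason)."""
    try:
        s = socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_TCP)
    except OSError as e:
        return False, "cannot open raw socket (need admin/root?): %s" % e
    try:
        s.setsockopt(socket.IPPROTO_IP, socket.IP_HDRINCL, 1)
        s.sendto(build_syn(src_ip, dst_ip, 40000, dport), (dst_ip, 0))
        return True, "stack accepted the raw TCP send"
    except OSError as e:
        # Assumption: a stack that forbids raw TCP sends (XP SP2 / MS05-019 cases
        # above) rejects the send with an access error rather than dropping it.
        if e.errno in (errno.EACCES, 10013):
            return False, "raw TCP send refused by the stack: %s" % e
        return False, "send failed for another reason: %s" % e
    finally:
        s.close()


if __name__ == "__main__":
    # Placeholder TEST-NET addresses; pass real ones as argv[1] argv[2].
    src, dst = (sys.argv[1], sys.argv[2]) if len(sys.argv) >= 3 else ("192.0.2.1", "192.0.2.2")
    ok, why = raw_syn_send_allowed(src, dst)
    print("raw TCP SYN send:", "OK" if ok else "BLOCKED", "-", why)
```

Run it once with sharedaccess running and once after "net stop sharedaccess" to see which of Robin's rows applies; on the XP SP2 + MS05-019 row the socket opens fine and only the sendto fails, which is why stopping the firewall service no longer helps there.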
FYI Re: MS05-019 and Windows Raw Sockets:

More on MS05-019

It breaks a lot more than just raw sockets on current Win32 platforms. It wreaks havoc on pre-XP systems as well in other areas.

Win2k machines are not affected by the MS05-019 raw sockets issue but this early patch release breaks so much more on Win2k that it causes its own denial of service!

Our enterprise loaded with Win2k SP4 (fully patched) servers experienced a multitude of issues over the last few days that almost had me pulling my hair out until I eventually narrowed down the problem and helped Microsoft resolve the issues leading to the release of the "updated patch" today (4/25/05).

MS05-019 modifies the IP stack and replaces tcpip.sys with a modified version that changes the values of the MaxICMP route and MTU settings. It virtually crippled all of our servers on WAN sites that were going across routers and firewalls due to packet MTU size issues and discards. All of our WAN servers would run fine for a day after reboot and shortly thereafter would begin to fail with AD replication, RPC communication, Terminal services, IIS/WebDav, etc. Basically all of the upper layer services. ICMP (ping echo-replies) would always work but all of the upper services would not respond. We first noticed it with our heavy Citrix/Printing as spool jobs would fail.

This primarily affects servers in routed environments or any environment where packet size MTU and DF bit settings may be set. Small environments where all servers are in one physical/logical site will not experience this issue.

MS05-019 modifies:
C:\WINNT\system32\dllcache\msafd.dll
C:\WINNT\system32\dllcache\tdi.sys
C:\WINNT\system32\dllcache\wshtcpip.dll
C:\WINNT\system32\drivers\tcpip.sys <- main replaced/affected file with a Feb 2005 version from former June 2003 version.

Just thought I'd share as maybe this information can be useful to many of your readers who may be suffering or will soon be suffering from weird Windows issues.

It took me 3 days to prove it to Microsoft even after I could replicate the issue and finally they admitted to me that their developers started working on a fix for this issue as a post MS05-019/KB893066 update which was released today. The MS05-019 patch was released as a "rush" patch to address other issues that were going on in the field.

I have not tried the updated fix yet so I cannot speak to the raw sockets issue on XP machines. This would be a good test to see if it addresses that as well.

More interesting reading info released late on Monday April 25th:

The official Microsoft Bulletin released today:
http://support.microsoft.com/kb/898060/

And another good related link:
http://myitforum.techtarget.com/blog/cmosby/archive/2005/04/23/5403.aspx

Marcial Feliciano
CCNA,CCDA,CCSA,CCSE,MCSE,CISSP
Sr. Systems/Security Engineer
Wilmington Finance (AIG subsidiary)
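The symptom Marcial describes (small pings answer, everything that fills a full-size packet across a router hangs) is the classic signature of DF-flagged packets being discarded on the path. The check a practitioner would want is the largest datagram that still gets through with Don't-Fragment set. The Python below is an added example for this thread, not from Marcial's post or Microsoft's bulletin: it drives the platform's own ping with the DF flag (Windows "ping -f -l", Linux iputils "ping -M do -s") and binary-searches the path MTU; the probe is injectable so the search logic can be exercised offline. The 192.0.2.1 target is a TEST-NET placeholder, and the 1500-byte upper bound assumes an Ethernet-sized link.

```python
"""Find the largest DF-flagged IPv4 datagram that crosses a path (the path MTU
as this host's stack sees it). Added example for the MS05-019 MTU discussion;
constructed here, not from any post on this page."""
import platform
import subprocess
import sys
from typing import Callable

IP_ICMP_OVERHEAD = 28  # 20-byte IPv4 header + 8-byte ICMP echo header


def ping_df(host: str, payload: int, timeout_s: int = 2) -> bool:
    """One echo request of `payload` bytes with Don't-Fragment set.
    Returns True only if a reply came back (non-zero exit covers both a
    silent drop and an ICMP 'fragmentation needed' error)."""
    if platform.system() == "Windows":
        cmd = ["ping", "-n", "1", "-w", str(timeout_s * 1000), "-f", "-l", str(payload), host]
    else:  # iputils ping: -M do sets DF and refuses local fragmentation
        cmd = ["ping", "-c", "1", "-W", str(timeout_s), "-M", "do", "-s", str(payload), host]
    return subprocess.run(cmd, stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL).returncode == 0


def find_path_mtu(probe: Callable[[int], bool], lo: int = 68, hi: int = 1500) -> int:
    """Binary-search the largest total datagram size in [lo, hi] that `probe`
    delivers. `probe(payload_bytes)` returns True when a DF packet is answered.
    Returns 0 when even the minimum size fails (host down or ICMP filtered)."""
    if not probe(lo - IP_ICMP_OVERHEAD):
        return 0
    best = lo
    lo += 1
    while lo <= hi:
        mid = (lo + hi) // 2
        if probe(mid - IP_ICMP_OVERHEAD):
            best, lo = mid, mid + 1  # fits: look for something larger
        else:
            hi = mid - 1  # discarded somewhere on the path: look smaller
    return best


def full_size_packets_discarded(path_mtu: int, link_mtu: int = 1500) -> bool:
    """True when the path carries less than the local link MTU, i.e. full-size
    DF packets from upper-layer protocols are being dropped on the way while
    small echo requests still succeed."""
    return 0 < path_mtu < link_mtu


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "192.0.2.1"  # placeholder
    mtu = find_path_mtu(lambda n: ping_df(target, n))
    print("path MTU toward %s: %d" % (target, mtu))
    if full_size_packets_discarded(mtu):
        print("full-size DF packets are being discarded on this path")
```

Run it from an affected WAN server toward a peer that fails AD replication or RPC; a result well under the link MTU while ordinary small pings succeed matches the failure mode in the post above.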
Apparently, Microsoft agrees with me on the topic of raw sockets and DDoSing!
I'd personally do as Joe suggests
You might be right about that, Joe.
One attendee criticized the move away from raw sockets as sacrificing legitimate security firms' needs in order to secure less knowledgeable users.

"We are a security company, a lot of people here sell security software -- if it's going to work under Microsoft a lot of that stuff needs raw sockets," said the attendee. "What happened with us is that it broke our customers' applications."

Microsoft currently tells companies that need raw sockets support to move their applications to Windows 2003, but will not promise that raw sockets will be available in that version of the operating system much longer. "People are either going to use Windows 2000 or, as we are considering doing, move over to Linux," he said.

Microsoft's Snyder said the company was in the midst of an internal debate over whether and how to continue support for raw sockets.

"There is a lot--a lot--a debate going on regarding raw sockets," she said. "I can't say what the resolution is going to be in the future, however."