Forwarded from: security curmudgeon <jericho@private>

: http://www.nwfusion.com/news/2004/0813huntforx.html
:
: By Joris Evers
: IDG News Service
: 08/13/04
:
: While users are testing Service Pack 2 for Windows XP to prevent
: compatibility problems, hackers are picking apart the security-focused
: software update looking for vulnerabilities, security experts said.
:
: "We will see new vulnerabilities discovered in SP2 over the next few
: weeks. Give it a month or two and we will also see worms that affect
: SP2," said Thor Larholm, senior security researcher at PivX Solutions
: LLC, a security services company in Newport Beach, Calif.

As usual with Windows Service Packs, the first week or two is spent figuring out what features have changed or broken significantly. While most of the griping is about functionality breaking that was made public well in advance, a few other changes crept in that are of interest to the security world. (read below)

: "A lot of the current attack vectors are blocked by SP2," Larholm said.
: "Folks are now trying to find new ways to plant code on a system. A lot
: of these new ways will use e-mail, instant messaging and Web traffic -
: any kind of traffic that a PC requests from the outside world - because
: that will go through the firewall without restrictions."

Fortunately, all the MSIE exploits will still do nicely =)

--

-----Original Message-----
From: Fyodor [mailto:fyodor@private]
Sent: Wednesday, August 11, 2004 3:31 PM
To: nmap-hackers@private
Subject: Windows XP SP2 incompatible with Nmap

This is just a heads-up that most Nmap functionality will not work on the just-released Microsoft Windows SP2. Why? Microsoft apparently broke it on purpose! When an Nmap user asked MS why security tools such as Nmap broke, MS responded[1]:

"We have removed support for TCP sends over RAW sockets in SP2. We surveyed applications and found the only apps using this on XP were people writing attack tools."

I don't know why they consider Nmap an "attack tool", particularly when they recommend it on some of their own pages[2]. Shrug. Removing SP2 re-enables the functionality and causes Nmap to work again. Many problems unrelated to Nmap have been found with SP2 as well[3], though it does some welcome security improvements for people stuck on that platform.

I will work on this if I get time, but am currently busy rewriting the core port scanning engine for the next version of Nmap. It is much faster, offers much better multiple-host parallelization, and provides other long-desired features such as completion time estimates. If someone finds a solution to this SP2 problem, please send a patch. It may not be too hard, as Nmap supports operating systems such as Win95 that didn't have raw socket support in the first place.

Cheers,
Fyodor

[1] http://seclists.org/lists/nmap-dev/2004/Apr-Jun/0077.html
[2] http://www.microsoft.com/serviceproviders/security/tools.asp
[3] http://www.crn.com/sections/breakingnews/breakingnews.jhtml?articleId=23905071

--

The TCPIP.SYS modifications in XP SP2 have also limited the number of concurrent half-open TCP connections to -10-. Yeah. That means you can't try to connect to more than ten things at once unless one of them answers. This breaks most vulnerability scanning, p2p networking, and many game networks, but I think they were aiming to keep worms from spreading. There appears to be no registry key to change this setting. There is a 3rd party patch available for this: http://www.lvllord.de/ (site not resolving now)

_________________________________________
Open Source Vulnerability Database (OSVDB)
Everything is Vulnerable - http://www.osvdb.org/
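As an added illustration (not code from the post or from anyone quoted in it), the following Python model of the half-open limit described above shows why a cap of ten outstanding connects throttles a worm probing addresses that never answer far more than it slows an ordinary client whose peers reply quickly. The FIFO queueing rule, the 21 s give-up timeout and the scenario sizes are assumptions, not values from the post.

```python
import heapq

SP2_LIMIT = 10  # concurrent half-open outbound connections, as the post reports

def connect_times(issue_times, answers, reply_delay, timeout, limit=SP2_LIMIT):
    """Time at which each connect() attempt actually goes on the wire.

    issue_times: when the application calls connect(), non-decreasing.
    answers:     per attempt, whether the peer replies (SYN-ACK or RST) at all.
    reply_delay: seconds until a replying peer frees its half-open slot.
    timeout:     seconds until an unanswered attempt gives up and frees its slot.
    Modelled rule (assumed): at most `limit` attempts are outstanding at once;
    the rest wait in FIFO order until a slot frees.
    """
    in_flight = []            # min-heap of times at which held slots free up
    sent = []
    for t, answered in zip(issue_times, answers):
        while in_flight and in_flight[0] <= t:   # drop slots already released
            heapq.heappop(in_flight)
        if len(in_flight) < limit:
            start = t                            # free slot: send immediately
        else:
            start = heapq.heappop(in_flight)     # wait for the earliest release
        heapq.heappush(in_flight, start + (reply_delay if answered else timeout))
        sent.append(start)
    return sent

def time_to_send_all(n, peer_answers, reply_delay, timeout, limit=SP2_LIMIT):
    """Seconds until the last of n simultaneous connect() calls reaches the wire."""
    return max(connect_times([0.0] * n, [peer_answers] * n,
                             reply_delay, timeout, limit))

if __name__ == "__main__":
    # Constructed scenarios; 21 s approximates a SYN retry cycle (assumed).
    worm = time_to_send_all(1000, peer_answers=False, reply_delay=0.05, timeout=21.0)
    client = time_to_send_all(1000, peer_answers=True, reply_delay=0.05, timeout=21.0)
    nolimit = time_to_send_all(1000, peer_answers=False, reply_delay=0.05,
                               timeout=21.0, limit=1000)
    print(f"random-scanning worm, 1000 probes, no replies: {worm:.0f} s")    # 2079 s
    print(f"normal client, 1000 connects that answer:      {client:.2f} s")  # 4.95 s
    print(f"same worm without the SP2 limit:               {nolimit:.0f} s") # 0 s
```

The same model explains the collateral damage the post lists: any legitimate program that opens many connections to peers that do not answer (p2p bootstrap lists, game lobbies, scanners) serialises behind the same ten slots.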
This archive was generated by hypermail 2.1.3 : Mon Aug 16 2004 - 05:00:21 PDT