> From: John Robinson <johnrat_private>
>
> If a user has the newest winsock patch for winsock 2.0:
> http://www.microsoft.com/windows95/info/ws2.htm
>
> and attempts to do an address lookup on an address which doesn't exist
> and is 13 characters long winsock will fault.

I thought this was a troll, it seemed so ridiculous. Could MS be THAT bad at
coding *AND* testing?! To even attempt to fathom what kind of coding resulted
in this magic number popping up makes me shudder. I investigated for myself
(for once ;):

Disclaimer: This will probably end up coming out as gleeful M$-bashing
""""""""""" here, but last night I spent 5hrs working on a proposal bid, trying
to think of why the client's insistence on "NT+IIS+MS SQL+Coldfusion" was a
worse idea than FreeBSD or BSDI, Apache 1.2.5, PHP 3.0 and Postgres or Oracle,
but I shuddered every time I wrote the first 4 letters of "FreeBSD" and
imagined the questions we'll get if we even make it to the prelim meetings.
If you have any suggestions, feel free to email me! :)

[ please see note re Unix+NT interop. mailing list proposal at bottom ]

------------------------------------------------------------------------------

Summary: My installation of Winsock 2.0 faults on 15 characters, not 13.
"""""""" Going back to 1.1 with the scripts provided with the upgrade makes
things ok again (tho you may be open to attacks (newTear?) that WS 2.0
'fixes').

== DETAILS, EXPLOITS, and NEW MAILING LIST PROPOSAL FOLLOW ====================

Exploits, Limitations and Further Investigation:
""""""""""""""""""""""""""""""""""""""""""""""""

- Any exploit would need to cause the target machine to do a sort of lookup
  on a bogus domain name of the magic length (successful exploits would
  include all lengths of name from 9 to many (32?) characters to be sure).

- This could include sending email with a URL or embedded image tag to
  someone, or seeding your webpage with bogus hostnames of 9-32 characters
  length.

- For now, I can't see any way of causing the exploit to occur on an
  UNATTENDED machine. The user must be led to click on a URL either in email,
  or by visiting a webpage. (Perhaps r00tshell or others can suggest a way a
  call to a remote Win95 box via SMB messages can cause a forward lookup on a
  bogus domain.)

- I am not sure when Win95/SMB does 'reverse' lookups, but remember 'reverse'
  checks "*.in-addr.arpa", say for logging the hostname attached to an
  incoming IP to a Win95 server app (War-FTPD, SMTPD, Personal Web Server,
  etc.) (eg: 24.in-addr.arpa may hose my box at 15 chars.) (Sorry, just
  thought of this now and ain't rebooting linux to check.)

Fixes: - DON'T 'upgrade' to Winsock 2.0. If you have, downgrade.
"""""" - Do not be on a dedicated internet connection without a firewall and
         a sharp network admin responsible for it.

Commentary: This patch looks like it's been out for a while now, and
""""""""""" there are fairly good notes on how to install it, etc, on MS's
site. It doesn't say exactly what it fixes, if it protects against Nuke, Tear
or NewTear or any other recent attacks.

But, HOW THE HELL do they get away with this? The US is worried about
'cyberterrorism'? Well they should investigate MS for practices which are
putting the North American economy at undue risk of attack. If MS is gonna
push their marketing THAT hard, with a small country's worth of money, such
that they strongly affect the way an entire continent does business, then they
should be able to back it up with a quality product that protects consumers
and economic infrastructure. Instead, businesses are left open to TRIVIALLY
implemented and widespread security attacks. The government should begin
investigating and applying penalties, perhaps equally to all software
development firms, at least starting with internetworked operating systems.
(Or perhaps professional engineering accreditations are starting to show their
need in this field. We don't like bridges collapsing, but do we like our
intensive care equipment software failing under a broken OS?)

If MS is going to enjoy what some proponents are terming "a natural monopoly"
(see recent Scientific American commentary re such), then they should come
under scrutiny for quality of service. Oh ya, they're not a monopoly, and the
market will realise who has the best product. Not.

Will BYTE or PC Mag even mention this massive WS 2.0 gaffe? Will the public
care?

[rant off]

------------------------------------------------------------------------------

Methods:
""""""""

- I wrote down a list of 14 hostnames, 2 different ones for each 'length' of
  name including the '.'s, all assuredly bogus (j21kaa.foo for eg).

- Under the old winsock 1.1, I pung, telnetted and made IE 3.0 go visit each
  of the 14 names. No problems (host not found each time).

- I ran ws2setup and the install ran fine. Then I hit the sites with ping,
  telnet and IE 3.0 again and laughed with a mix of self-righteousness and
  fear.

Observations:
"""""""""""""

- At 15 characters ONLY on my system did the winsock stack get hosed under
  all of ping, telnet and IE 3.0.

- Twice out of the 12 attempts and subsequent reboots did my entire Win95
  just wedge right up to the mouse. Hard reset only option.

ONCE Winsock 2.0 is HOSED:

- In all cases, "shutting down my computer" left me with the shutdown screen,
  but did not reboot. I had to go thru scandisk each time.

- In all cases, other networking apps were either hosed or partially
  functional. In many cases I can see data being lost with any app that calls
  Winsock after some other app hoses the stack (ie Word emailing out a
  document by itself, for eg, may hose itself and your changes after someone
  sends your Eudora some email with a bogus hostname link in it that you
  innocently clicked).

- Launching new networking apps brought up the blue screen each time, or did
  as soon as any networking related function was attempted. Many apps I never
  suspected of having any networking code in them seemed to be affected as
  well (I am not sure if this applies to all file open/save dialogues, which
  have Network.. access options in them.)

==============================================================================

WARNING: Non-direct bugtraq info here. Unix+NT interoperability mailing list
proposal (or verification of prior existence) content follows.

Is there a support list out there to help make Unix-based solutions match or
best MS/NT based ones? There can sometimes be a large lack of info out there
on what is comparable between Unix and NT, and/or how Unix can interface with
NT or vice versa with various apps and servers. (How does PHP mix with MS SQL
for eg? Can Access talk to Postgres? etc.)

If this exists already, let me know please. If someone wants to start this, or
if I should, please email me. I wanna know what kind of interest there is in
this. I felt quite helpless trying to directly challenge the proposal
guidelines which said MS+NT all the way, no substitutes accepted. I am sure
this happens a lot. Educating ourselves is the first step to educating our
clients.

I'd like to engender that quality in the list's charter as well, to avoid MS
bashing and instead focusing on facts and interoperability. MS bashing would
obviously lead us nowhere.

Email me: math @ velocet . ca

/kc
--
Ken Chase   Velocet Communications Inc.   math @ velocet.ca   www.velocet.ca
Toronto CANADA
-- "Sometimes two [harmless] words, when put together, strike fear in the
hearts of men -- Microsoft Wallet." - Dave Gilbert
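The "Methods" section above tests the resolver by hand with two bogus names per length. The script below is an added example, not part of the original post or anything from Microsoft, that does the same check systematically for every length from 9 to 32 characters (dots included), so an admin can confirm on their own machine whether each lookup fails cleanly with "host not found" or with something else. It assumes names built under the reserved `.invalid` top-level domain (RFC 2606), which guarantees they can never resolve; `MIN_LEN`, `MAX_LEN`, `NAMES_PER_LENGTH` and the function names are the example's own choices.

```python
"""Resolver robustness probe (added example, not from the original post).

Generates guaranteed-bogus hostnames of every length from MIN_LEN to MAX_LEN
characters, dots included, resolves each one, and reports any length whose
lookup did not end in a clean "host not found" error.

Assumptions: names end in the reserved '.invalid' TLD (RFC 2606), so the only
legitimate outcome is a name-resolution failure; the constants below are
arbitrary choices mirroring the 9-32 character range discussed in the post.
"""
import random
import socket
import string
from typing import Dict, List

MIN_LEN, MAX_LEN = 9, 32          # total name length, dots included
NAMES_PER_LENGTH = 2              # two different names per length, as in the post
TLD = ".invalid"                  # RFC 2606 reserved: can never resolve


def make_bogus_name(total_len: int, rng: random.Random) -> str:
    """Return a syntactically valid hostname of exactly total_len characters
    (dots included) that ends in '.invalid' and therefore cannot resolve."""
    label_len = total_len - len(TLD)
    if label_len < 1:
        raise ValueError("length too short for a label plus '.invalid'")
    # Start the label with a letter and keep it alphanumeric so the only
    # reason a lookup can fail is that the name is bogus, not that it is
    # malformed.
    body = rng.choice(string.ascii_lowercase) + "".join(
        rng.choice(string.ascii_lowercase + string.digits)
        for _ in range(label_len - 1)
    )
    return body + TLD


def build_test_set(rng_seed: int = 1) -> Dict[int, List[str]]:
    """Map each length in [MIN_LEN, MAX_LEN] to NAMES_PER_LENGTH bogus names.
    A fixed seed makes the set reproducible between runs and machines."""
    rng = random.Random(rng_seed)
    return {
        n: [make_bogus_name(n, rng) for _ in range(NAMES_PER_LENGTH)]
        for n in range(MIN_LEN, MAX_LEN + 1)
    }


def classify_lookup(name: str) -> str:
    """Resolve one name and classify the outcome.

    'nxdomain' is the healthy result. 'resolved' means something answered for
    a .invalid name (a wildcard or captive-portal resolver), and any other
    value is a socket-layer error that was not a plain name-lookup failure."""
    try:
        socket.getaddrinfo(name, None)
        return "resolved"
    except socket.gaierror:
        return "nxdomain"
    except OSError as exc:
        return "error:" + exc.__class__.__name__


def probe(test_set: Dict[int, List[str]]) -> Dict[int, List[str]]:
    """Run every lookup and return only the lengths whose outcomes were not
    all clean NXDOMAIN failures (an empty dict means the resolver behaved)."""
    suspicious: Dict[int, List[str]] = {}
    for length, names in sorted(test_set.items()):
        outcomes = [classify_lookup(n) for n in names]
        if any(o != "nxdomain" for o in outcomes):
            suspicious[length] = outcomes
    return suspicious


if __name__ == "__main__":
    bad = probe(build_test_set())
    if bad:
        for length, outcomes in bad.items():
            print("length %d: %s" % (length, outcomes))
    else:
        print("all lookups from %d to %d chars failed cleanly (NXDOMAIN)"
              % (MIN_LEN, MAX_LEN))
```

Run it once before and once after a stack upgrade and diff the output; a length that disappears from the "clean" set, or a lookup that never returns at all, is the symptom the post describes. The script itself never sends anything but ordinary DNS queries for names that are reserved to be unresolvable.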
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:45:20 PDT