[VulnWatch] Windows URG mystery solved!

From: Michal Zalewski (lcamtufat_private)
Date: Wed Sep 17 2003 - 02:17:16 PDT

    I finally have more details about the Windows URG pointer memory leak,
    first reported here:
    
      http://www.securityfocus.com/archive/82/335845/2003-08-31/2003-09-06/0
    
    It is a vulnerability.
    
    After a long and daunting hunt, I have determined that pretty much all
    up-to-date Windows 2000 and XP systems are vulnerable to the problem, and
    that it is not caused by any network devices en route or such, but the
    issue is present only in certain conditions.
    
    I have initially reported I see a minority population of systems
    exhibiting this pattern. It turns out the majority of population is
    vulnerable, simply not exhibiting this behavior all the time.
    
    It is exhibited whenever a data transfer is occurring at the time the
    initial SYN is sent. The URG value would often contain a random piece of
    a packet (frequently data) belonging to the other connection.
    
    This happens during regular browsing, and will also be triggered by
    background downloads, etc.
    
    I do not want to exaggerate the impact of this vulnerability, the amount
    of data disclosed is fairly low, but it's still quite cool.
    
    Cheers,
    -- 
    ------------------------- bash$ :(){ :|:&};: --
     Michal Zalewski * [http://lcamtuf.coredump.cx]
        Did you know that clones never use mirrors?
    --------------------------- 2003-09-17 10:44 --
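
A defender-side check for the pattern described in the message above, as an added example that is not part of the original post: it parses raw IPv4/TCP headers and reports initial SYN segments that carry a non-zero urgent pointer. It assumes the stray value appears while the URG flag is clear (the field is only meaningful when URG is set); the function names and sample packets are constructed for illustration.

```python
import struct

FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

def stray_urg_in_syn(packet: bytes):
    """Return the urgent-pointer value if `packet` (raw IPv4) is an initial
    SYN whose urgent pointer is non-zero while the URG flag is clear
    (assumed signature of the leak), otherwise None."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None                      # not IPv4, or truncated
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or packet[9] != 6:       # protocol 6 = TCP
        return None
    frag = struct.unpack_from("!H", packet, 6)[0]
    if frag & 0x1FFF:                    # later fragment: no TCP header here
        return None
    tcp = packet[ihl:]
    if len(tcp) < 20:
        return None
    flags = tcp[13]
    urg_ptr = struct.unpack_from("!H", tcp, 18)[0]
    initial_syn = flags & SYN and not flags & (ACK | RST | FIN)
    if initial_syn and not flags & URG and urg_ptr != 0:
        return urg_ptr
    return None

def build_packet(flags: int, urg_ptr: int) -> bytes:
    """Constructed test input: minimal IPv4 + TCP headers, checksums zeroed."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 1, 0, 64, 6, 0,
                     bytes([192, 0, 2, 10]), bytes([198, 51, 100, 20]))
    tcp = struct.pack("!HHIIBBHHH", 49152, 80, 1000, 0, 5 << 4, flags,
                      16384, 0, urg_ptr)
    return ip + tcp

# Constructed samples; 0x4854 is an arbitrary stand-in for leaked bytes.
SAMPLES = {
    "clean SYN": build_packet(SYN, 0),
    "SYN with stray urgent pointer": build_packet(SYN, 0x4854),
    "SYN+ACK with stray urgent pointer": build_packet(SYN | ACK, 0x4854),
    "SYN with URG flag set": build_packet(SYN | URG, 0x4854),
}

def scan(samples):
    """Map sample name -> urgent-pointer value for every flagged packet."""
    hits = {name: stray_urg_in_syn(p) for name, p in samples.items()}
    return {name: v for name, v in hits.items() if v is not None}

if __name__ == "__main__":
    for name, value in scan(SAMPLES).items():
        print(f"{name}: urgent pointer 0x{value:04x} with URG clear")
```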
    


