Is Windows TCP/IP source routing PoC code available?

 

 



seclists at syneticon

Jun 25, 2006, 11:03 AM

Post #1 of 4 (4052 views)
Is Windows TCP/IP source routing PoC code available?

Greetings to the list,

As known, Microsoft did announce a security vulnerability concerning an
overflow within the TCP/IP stack implementation when source routing
fields are used:
http://www.microsoft.com/technet/security/bulletin/MS06-032.mspx

Is anyone aware of an exploit or POC code for this vulnerability? The
security bulletin states that Windows XP SP2 and Windows Server 2003 SP1
are "secure by default" due to disabled source routing. However, it does
not provide sufficient information regarding other operating systems
affected, so I would like to check out by myself.

Regards,

Denis Jedig
syneticon networks GbR

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
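
Added example, not part of the original posts or of any code referenced in this thread: the question above turns on whether a host accepts IPv4 source routing, so a sensor can flag packets that carry the RFC 791 source-route options (LSRR, type 131; SSRR, type 137) before they reach hosts of unknown configuration. The function names and the sample packets (documentation addresses) are constructed for illustration.

```python
import struct

# IPv4 option types that request source routing (RFC 791).
SOURCE_ROUTE = {131: "LSRR", 137: "SSRR"}


def source_route_findings(packet: bytes) -> list:
    """Walk the IPv4 options of one raw packet and report source-route options."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return ["not-ipv4"]
    ihl = (packet[0] & 0x0F) * 4          # header length in bytes
    if ihl < 20 or ihl > len(packet):
        return ["bad-ihl"]
    opts, i, found = packet[20:ihl], 0, []
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                     # End of Option List
            break
        if kind == 1:                     # No-Operation is a single byte
            i += 1
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 2 or i + opts[i + 1] > len(opts):
            found.append("bad-option-length")
            break
        length = opts[i + 1]
        if kind in SOURCE_ROUTE:
            # Generic RFC 791 layout check: type, length, pointer (>= 4),
            # then zero or more 4-byte addresses.
            ok = length >= 3 and (length - 3) % 4 == 0 and opts[i + 2] >= 4
            found.append(SOURCE_ROUTE[kind] + ("" if ok else "-malformed"))
        i += length
    return found


def build_packet(options: bytes = b"") -> bytes:
    """Constructed sample: a bare IPv4 header (protocol 1, ICMP) plus options."""
    options += b"\x00" * (-len(options) % 4)      # pad to a 32-bit boundary
    ihl = 5 + len(options) // 4
    header = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, 20 + len(options),
                         0, 0, 64, 1, 0,
                         bytes([192, 0, 2, 1]), bytes([198, 51, 100, 7]))
    return header + options


if __name__ == "__main__":
    lsrr = bytes([131, 7, 4, 203, 0, 113, 9])     # one hop, documentation address
    for name, pkt in [("plain", build_packet()), ("lsrr", build_packet(lsrr))]:
        print(name, source_route_findings(pkt))
```
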


3APA3A at SECURITY

Jun 27, 2006, 2:28 AM

Post #2 of 4 (3894 views)
Re: Is Windows TCP/IP source routing PoC code available?

Dear Denis Jedig,

A simple PoC and the original message from Andrey Minaev (dated February 2006,
in Russian with a short translation to English) are available from

http://www.security.nnov.ru/Fnews753.html

This is his original post regarding this issue as it was in his first
report to MS, and it may not contain complete information because I am
not aware of the results of further research with Microsoft.

I don't know why Andrey has not published the complete information yet. I
had no contact with him after MS opened a case on this issue and he asked
to hold the information.

--Sunday, June 25, 2006, 10:03:24 PM, you wrote to vuln-dev[at]securityfocus.com:

DJ> Greetings to the list,

DJ> As known, Microsoft did announce a security vulnerability concerning an
DJ> overflow within the TCP/IP stack implementation when source routing
DJ> fields are used:
DJ> http://www.microsoft.com/technet/security/bulletin/MS06-032.mspx

DJ> Is anyone aware of an exploit or POC code for this vulnerability? The
DJ> security bulletin states that Windows XP SP2 and Windows Server 2003 SP1
DJ> are "secure by default" due to disabled source routing. However, it does
DJ> not provide sufficient information regarding other operating systems
DJ> affected, so I would like to check out by myself.

DJ> Regards,

DJ> Denis Jedig
DJ> syneticon networks GbR


--
~/ZARAZA
...he never took up programming without a cudgel. (Lem)



angel3000 at hotbox

Jun 28, 2006, 12:01 PM

Post #3 of 4 (3906 views)
Re[2]: Is Windows TCP/IP source routing PoC code available?

Hi All,
At the request of Microsoft, I have not published the additional
information. I did not think that ZARAZA would publish the simple PoC
without my consent, but what is to be cannot be avoided. Denis, you can
check your system with the simple PoC code from ZARAZA's site, but only if
the system configuration is Windows 2000 + a NAT server. In all
other cases with RRAS services (Routing, VPN, Dialup Access) it will
not work.


Tuesday, June 27, 2006, 1:28:03 PM, you wrote:

> Dear Denis Jedig,

> A simple PoC and the original message from Andrey Minaev (dated February 2006,
> in Russian with a short translation to English) are available from

> http://www.security.nnov.ru/Fnews753.html

> This is his original post regarding this issue as it was in his first
> report to MS, and it may not contain complete information because I am
> not aware of the results of further research with Microsoft.

> I don't know why Andrey has not published the complete information yet. I
> had no contact with him after MS opened a case on this issue and he asked
> to hold the information.

> --Sunday, June 25, 2006, 10:03:24 PM, you wrote to vuln-dev[at]securityfocus.com:

DJ>> Greetings to the list,

DJ>> As known, Microsoft did announce a security vulnerability concerning an
DJ>> overflow within the TCP/IP stack implementation when source routing
DJ>> fields are used:
DJ>> http://www.microsoft.com/technet/security/bulletin/MS06-032.mspx

DJ>> Is anyone aware of an exploit or POC code for this vulnerability? The
DJ>> security bulletin states that Windows XP SP2 and Windows Server 2003 SP1
DJ>> are "secure by default" due to disabled source routing. However, it does
DJ>> not provide sufficient information regarding other operating systems
DJ>> affected, so I would like to check out by myself.

DJ>> Regards,

DJ>> Denis Jedig
DJ>> syneticon networks GbR





--
Best regards,
Andrey Minaev mailto:angel3000[at]hotbox.ru



3APA3A at SECURITY

Jun 29, 2006, 6:08 AM

Post #4 of 4 (3907 views)
Re: Re[2]: Is Windows TCP/IP source routing PoC code available?

Dear Andrey,

Can you comment on why a vulnerability that looks so dangerous
according to its description (remote kernel-level buffer overflow in ICMP
processing, according to MS) is rated "high", not "critical"? Are there
any mitigating factors for Windows 2003 with RRAS enabled, or is any RRAS
installation vulnerable?

P.S. The last instruction I got was to publish the information only after
the vendor's fix. I did :)

--Wednesday, June 28, 2006, 11:01:51 PM, you wrote to 3APA3A[at]SECURITY.NNOV.RU:

М> Hi All,
М> At the request of Microsoft, I have not published the additional
М> information. I did not think that ZARAZA would publish the simple PoC
М> without my consent, but what is to be cannot be avoided. Denis, you can
М> check your system with the simple PoC code from ZARAZA's site, but only if
М> the system configuration is Windows 2000 + a NAT server. In all
М> other cases with RRAS services (Routing, VPN, Dialup Access) it will
М> not work.


М> Tuesday, June 27, 2006, 1:28:03 PM, you wrote:

>> Dear Denis Jedig,

>> A simple PoC and the original message from Andrey Minaev (dated February 2006,
>> in Russian with a short translation to English) are available from

>> http://www.security.nnov.ru/Fnews753.html


DJ>>> As known, Microsoft did announce a security vulnerability concerning an
DJ>>> overflow within the TCP/IP stack implementation when source routing
DJ>>> fields are used:
DJ>>> http://www.microsoft.com/technet/security/bulletin/MS06-032.mspx



--
~/ZARAZA
http://www.security.nnov.ru/
