From nisr@nextgenss.com Mon Jun 9 15:26:06 2003 From: NGSSoftware Insight Security Research To: bugtraq@securityfocus.com Date: Mon, 09 Jun 2003 13:40:50 +0100 Subject: Etherleak information leak in Windows Server 2003 drivers NGSSoftware Insight Security Research Advisory Name: Etherleak information leak in Windows Server 2003 drivers Systems Affected: Windows Server 2003 (all versions) Severity: Low/Medium Risk Vendor URL: http://www.microsoft.com/windowsserver2003/ Author: Chris Paget (chrisp@ngssoftware.com) Date: 9th June 2003 Advisory URL: http://www.nextgenss.com/advisories/etherleak-2003.txt Advisory number: #NISR09062003 Description *********** Several NIC device drivers that ship with Windows Server 2003 have been found to disclose information in a similar way to the 'Etherleak' frame padding issue announced by @Stake in January 2003. The original Etherleak paper and subsequent discussion was concerned with ICMP message padding; NGSSoftware Insight Security Research (NISR) have observed a similar issue within a TCP stream. Details ******* The original Etherleak paper from Ofir Arkin and Josh Anderson of @Stake (available at http://www.atstake.com/research/advisories/2003/atstake_etherleak_report.pdf) concerns itself primarily with frame padding of ICMP messages with non-zero bytes; the padding bytes could potentially come from any area of physical memory. NISR have observed the issue within a TCP stream, particularly during the FIN-ACK exchange when a connection is gracefully closed. To date, NISR have not seen any discussion of Etherleak-style vulnerabilities within a TCP stream, only ICMP. It is possible that vendors are only testing for ethernet frame padding issues within ICMP and are neglecting TCP. When the @Stake paper was released, Microsoft stated that tests would be added to the Microsoft driver certification program which specifically checked for this issue; NISR are releasing this advisory since there are multiple drivers shipped with Windows Server 2003 which are vulnerable and yet certified by Microsoft and included on the CD. Vulnerable drivers include: VIA Rhine II Compatible network card (integrated into some motherboards). AMD PCNet family network cards (Used by several versions of VMWare) Both drivers are digitally signed by the Microsoft Windows Publisher, and are included on the Windows Server 2003 CD. Both drivers exhibit the same behaviour, that of padding frames with arbitrary data. The FIN-ACK packets exchanged during the graceful close of a TCP connection are a particularly good source of information; several bytes of potentially sensitive data (including POP3 passwords) has been observed appended to the data portion of Ethernet frames sent by these cards. Fix Information *************** Microsoft's statement regarding this issue on the CERT website (available at http://www.kb.cert.org/vuls/id/JPLA-5BGP7V) states: "Microsoft does not ship any Microsoft written drivers that contain the vulnerability. However, we have found some 3rd party drivers and samples in our documentation that, when compiled without alteration, could yield a driver that could contain this issue. We have made corrections to the samples in our documentation and are working with 3rd parties, and have included tests for this issue in our driver certification program." Since some network drivers that are certified by Microsoft in their latest release of Windows are still exhibiting these issues, NISR recommends that Microsoft certification is not taken as a guarantee of comprehensive testing. Instead, a list is provided by CERT at http://www.kb.cert.org/vuls/id/412115 of all related hardware and software vendors; we would recommend that customers refer to this list for the specific hardware vendor to determine exposure to this issue. Alternatively, contact the vendor of your networking hardware for further information. About NGSSoftware ***************** NGSSoftware design, research and develop intelligent, advanced application security assessment scanners. Based in the United Kingdom, NGSSoftware have offices in the South of London and the East Coast of Scotland. NGSSoftware's sister company NGSConsulting, offers best of breed security consulting services, specialising in application, host and network security assessments. http://www.ngssoftware.com/ http://www.ngsconsulting.com/ Telephone +44 208 401 0070 Fax +44 208 401 0076 enquiries@ngssoftware.com