From H.Karrenbeld@A1.NL Sat Mar 14 02:22:27 1998
From: Henri Karrenbeld 
X-Sender: hkarren@mail.a1.nl (Unverified)
To: BUGTRAQ@NETSPACE.ORG
Date: Thu, 12 Mar 1998 14:05:44 +0100
Subject: Re: Winsock 2.0 DoS

At 21:24 11-03-98 -0500, you wrote:
>If a user has the newest winsock patch for winsock 2.0, which can be
>located at :
>
>http://www.microsoft.com/windows95/info/ws2.htm
>
>and attempts to do an address lookup on an address which doesn't exist
>and is 13 characters long winsock will fault. This has been reproduced
>on several computers and it takes a couple of seconds of looking up to
>occur. This happens with every winsock program I've tested including
>Netscape 3, Ie 3.0, and MS ping. Example sites that work are:
>
>www.socois.cool
>www.pcorner.org
>blahd.yahoo.com
>
>This apparently only works on names that are exactly 13 characters long
>(not including periods).
>
>This is dangerous because web pages can simply redirect browsers to
>these pages or put img sources equal to nonexistent address entries
>which will crash winsock.

I can confirm this happens in the following configuration:

Windows95 + SP1 + msdun12.exe + ws2setup.exe + vtcpup20.exe + vipup20.exe
(patched in this order). Since ws2setup.exe essentially upgrades Win95 to
OSR2 this should imply OSR2 is also vulnerable to this.

The symptoms that I could see were the following:

The application doing the DNS lookup (I used the lookup function of
WSPING32 of WSFTP Pro) makes the entire system freeze. ALT-CTRL-DEL shows
this application as 'not responding'. Killing the program off frees the
system again. However most programs using winsock at the time, including
network stuff started after that, lost the network. However, doing a 'ping'
from the commandline with a numerical IP address still worked, so the stack
doesn't appear to be entirely dead. However it looks like this is using a
different part of the stack, because doing a manual 'ping' with the same
address that knocked WSPING32 off its feet (blhad.yahoo.com) merely resulted
in an 'unknown host' message.

The problem does not occur when the network is not active at the moment the
'13-char killer' is dropped. I _have_ to be dialed in to make it crash.

So if you want to test your system be sure:

1) To test it with a Windows95 application: the command line utils don't
   crash the stack and neither does a crash influence them
2) You can unfreeze your system by killing off the offending application,
   for the network to come back you need to reboot though. Maybe simply
   getting rid of the TCP/IP stack, like by disabling the network card,
   would also help (can't test that here, no Ethernet at home ;-))

Could other people confirm the following:

* Does this only happen with the newest WS2 or also with the one that comes
  with the Winsock SDK that was released previously?
* Does this also happen when vipupd20.exe and vtcpupd20.exe have not been
  used?

If this is the case I am seriously considering downgrading back to winsock 1.1

$) Henri

=-=

From mathboy@MOLOKA.VELOCET.CA Sat Mar 14 02:22:43 1998
From: Velocet 
To: BUGTRAQ@NETSPACE.ORG
Date: Thu, 12 Mar 1998 14:29:22 -0500
Subject: more testing of Winsock 2.0 DoS

> From: John Robinson 
>
> If a user has the newest winsock patch for winsock 2.0:
> http://www.microsoft.com/windows95/info/ws2.htm
>
> and attempts to do an address lookup on a address which doesn't exist
> and is 13 characters long winsock will fault.

I thought this was a troll it seemed so ridiculous. Could MS be THAT
bad at coding *AND* testing?! To even attempt to fathom what kind of
coding resulted in this magic number popping up makes me shudder. I
investigated for myself (for once ;):

Disclaimer: This will probably end up coming out as gleeful M$-bashing
""""""""""" here, but last night I spent 5hrs working on a  proposal
bid, trying to think of why the client's insistence on "NT+IIS+MS SQL+
Coldfusion" was a worse idea than FreeBSD or BSDI, Apache 1.2.5,
PHP 3.0 and Postgres or Oracle, but I shuddered every time I wrote the
first 4 letters of "FreeBSD" and imagined the questions we'll get if we
even make it to the prelim meetings. If you have any suggestions, feel
free to email me! :)

[ please see note re Unix+NT interop. mailing list proposal at bottom ]

------------------------------------------------------------------------------

Summary: My installation of Winsock 2.0 faults on 15 characters, not 13.
""""""""
         Going back to 1.1 with the scripts provided with the upgrade
         makes things ok again (though you may be open to attacks (newTear?)
         that WS 2.0 'fixes').


== DETAILS, EXPLOITS, and NEW MAILING LIST PROPOSAL FOLLOW ====================

Exploits, Limitations and Further Investigation:
""""""""""""""""""""""""""""""""""""""""""""""""
  - Any exploit would need to cause the target machine to do a
    sort of lookup on a bogus domain name of the magic length
    (successful exploits would include all lengths of name from
     9 to many (32?) characters to be sure).

  - This could include sending email with a URL or embedded image
    tag to someone, or seeding your webpage with bogus hostnames
    of 9-32 characters length.

  - For now, I cant see any way of causing the exploit to
    occur on an UNATTENDED machine. The user must be led to
    click on a URL either in email, or by visiting a webpage.

    (Perhaps r00tshell or others can suggest a way a call to a
    remote Win95 box via SMB messages can cause a forward lookup
    on a bogus domain.)

  - I am not sure when Win95/SMB does 'reverse' lookups, but
    remember 'reverse' checks "*.in-addr.arpa", say for
    logging the hostname attached to an incoming IP to a Win95
    server app (War-FTPD, SMTPD, Personal Web Server, etc.)
      (eg: 24.in-addr.arpa may hose my box at 15 chars.)

    (Sorry, just thought of this now and ain't rebooting linux to check.)


Fixes: - DONT 'upgrade' to Winsock 2.0. If you have, downgrade.
"""""" - Do not be on a dedicated internet connection without a firewall
         and a sharp network admin responsible for it.


Commentary: This patch looks like its been out for a while now, and
""""""""""" there are faily good notes on how to install it, etc, on
MS's site. It doesnt say exactly what it fixes, if it protects against
Nuke, Tear or NewTear or any other recent attacks.

But, HOW THE HELL do they get away with this? The US is worried about
'cyberterrorism'? Well they should investigate MS for practices which
are putting the North American economy at undue risk of attack. If MS
is gonna push their marketing THAT hard, with a small country's worth
of money, such that they strongly affect the way an entire continent
does business, then they should be able to back it up with a quality
product that protects consumers and economic infrastructure. Instead,
businesses are left open to TRIVIALLY implemented and widespread
security attacks.

The government should begin investigating and applying penalties,
perhaps equally to all software development firms, at least starting
with internetworked operating systems.  (Or perhaps professional
engineering accreditations are starting to show their need in this
field. We don't like bridges collapsing, but do we like our intensive
care equipment software failing under a broken OS?)

If MS is going to enjoy what some proponents are terming "a natural
monopoly" (see recent Scientific American commentary re such), then
they should come under scrutiny for quality of service. Oh ya, they're
not a monopoly, and the market will realise who has the best product.
Not.  Will BYTE or PC Mag even mention this massive WS 2.0 gaffe? Will
the public care?

[rant off]

------------------------------------------------------------------------------

Methods:
""""""""
 - i wrote down a list of 14 hostnames, 2 different ones for each
   'length' of name including the '.'s, all assuredly bogus (j21kaa.foo
   for eg).

 - under the old winsock 1.1, I pung, telnetted and made IE 3.0 go visit
   each of the 14 names. No problems (host not found each time).

 - I ran ws2setup and the install ran fine. Then I hit the sites with
   ping, telnet and IE 3.0 again and laughed with a mix of
   self-righteousness and fear.

Observations:
"""""""""""""
  - At 15 characters ONLY on my system did the winsock stack get hosed
    under all of ping, telnet and IE 3.0.

  - Twice out of the 12 attempts and subsequent reboots did my entire
    Win95 just wedge right up to the mouse. Hard reset only option.

 ONCE Winsock 2.0 is HOSED:
  - In all cases, "shutting down my computer" left me with the shutdown
    screen, but did not reboot. I had to go through scandisk each time.

  - In all cases, other networking apps were either hosed or partially
    functional. In many cases I can see data being lost with any app that
    calls Winsock after some other app hoses the stack (ie Word emailing
    out a document by itself, for eg, may hose itself and your changes
    after someone sends your Eudora some email with a bogus hostname link
    in it that you innocently clicked).

  - Launching new networking apps brought up the blue screen each time,
    or did as soon as any networking related function was attempted.

    Many apps I never suspected of having any networking code in them
    seemed to be affected as well (I am not sure if this applies to all
    file open/save dialogues, which have Network.. access options in them.)


==============================================================================
WARNING: Non-direct bugtraq info here. Unix+NT interoperability mailing list
         proposal (or verification of prior existence) content follows.

Is there a support list out there to help make Unix-based solutions
match or best MS/NT based ones? There can sometimes be a large lack of
info out there on what is comparable between Unix and NT, and/or how
Unix can interface with NT or vice versa with various apps and servers.
(How does PHP mix with MS SQL for eg? Can Access talk to Postgres? etc.)

If this exists already, let me know please. If someone wants to start
this, or if I should, please email me. I want to know what kind of
interest there is in this. I felt quite helpless trying to directly
challenge the proposal guidelines which said MS+NT all the way, no
substitutes accepted. I am sure this happens a lot. Educating ourselves
is the first step to educating our clients.

I'd like to engender that quality in the list's charter as well, to avoid
MS bashing and instead focusing on facts and interoperability. MS bashing
would obviously lead us nowhere.

Email me: math @ velocet . ca

/kc
--
Ken Chase                                          Velocet Communications Inc.
math @ velocet.ca                          www.velocet.ca       Toronto CANADA
--
"Sometimes two [harmless] words, when put together, strike fear in the
  hearts of men -- Microsoft Wallet."                           - Dave Gilbert

=-=

From johnr@CSH.RIT.EDU Sat Mar 14 02:23:43 1998
From: John Robinson 
X-Sender: soco@mail.csh.rit.edu
To: BUGTRAQ@NETSPACE.ORG
Date: Wed, 11 Mar 1998 21:24:19 -0500
Subject: Winsock 2.0 DoS

If a user has the newest winsock patch for winsock 2.0, which can be
located at :

http://www.microsoft.com/windows95/info/ws2.htm

and attempts to do an address lookup on an address which doesn't exist
and is 13 characters long winsock will fault. This has been reproduced
on several computers and it takes a couple of seconds of looking up to
occur. This happens with every winsock program I've tested including
Netscape 3, Ie 3.0, and MS ping. Example sites that work are:

www.socois.cool
www.pcorner.org
blahd.yahoo.com

This apparently only works on names that are exactly 13 characters long
(not including periods).

This is dangerous because web pages can simply redirect browsers to
these pages or put img sources equal to nonexistent address entries
which will crash winsock.


johnr


------------------------------------------------------------------------
                            John Robinson
johnr@csh.rit.edu          jjr4693@rit.edu        robinson@foothills.net
"Twenty years from now you will be more disappointed by the things you
 didn't do than by the things you did do. So throw off the bowlines. Sail
 away from the safe harbor. Catch the trade winds in your sails. Explore.
 Dream. Discover." Mark Twain
------------------------------------------------------------------------

=-=

From Russ.Cooper@RC.ON.CA Sat Mar 14 14:06:46 1998
From: Russ 
To: BUGTRAQ@NETSPACE.ORG
Date: Sat, 14 Mar 1998 02:25:40 -0500
Subject: Win95 Winsock 2.0 DoS

This error is not present in Windows '98, which also uses Winsock 2.0.
Tested with Microsoft Client for Networks installed and active.

Cheers,
Russ - NTBugtraq moderator
http://www.ntbugtraq.com

=-=

From: "Brian S. McWilliams" 
X-Sender: redbud-bm@pop-dnh.mv.net
To: BUGTRAQ@NETSPACE.ORG
Date: Fri, 1 May 1998 22:57:29 -0400
Subject: Re: Winsock 2.0 DoS

Appears Microsoft has quietly addressed the Winsock 2.0 DoS bug.

http://support.microsoft.com/support/kb/articles/q184/2/42.asp

"The Vnbt.386 file installed into the Windows\System folder had an internal
problem: any attempt at NetBIOS name resolution on a name of 15 characters
containing at least two periods (.) resulted in internal memory problems.
The name resolution could be by any method (such as a NET USE command,
double-clicking a Network Neighborhood resource, or programmatically by a
program). Enabling or disabling DNS made no difference, the problem
occurred if any of the forms listed above was passed to Vnbt.386.

This problem could cause Windows to stop responding (hang) without warning.
Note that the Vnbt.386 file is TCP/IP-specific; NetBIOS name resolution on
NetBEUI and IPX/SPX were not affected. "

-Brian
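
As an added example that is not part of any message in this thread: a small Python script that reconstructs the length-sweep test Ken Chase describes in his "Methods" section (two assuredly bogus names for every total length from 9 to 32 characters, periods counted) and applies the condition quoted from the KB article in Brian McWilliams's message (a name of exactly 15 characters containing at least two periods) as a predictor of which names should hose the stack. It also checks the three names from John Robinson's post and the 24.in-addr.arpa name Ken Chase worried about for reverse lookups; all of them are 15 characters with two periods once the periods are counted, which reconciles the "13 not including periods" and "15 including the '.'s" descriptions. The choice of the reserved .test top-level domain for the generated names, the <a>.<b>.test shape, and the use of gethostbyname as the lookup path are this example's assumptions, not anything stated in the thread.

```python
"""Added example (not from the thread): reconstruct the length-sweep test
described in Ken Chase's post and predict which names meet the trigger
condition quoted from Microsoft KB Q184242 in Brian McWilliams's post.

Run without arguments to print the plan. Run with --probe ONLY on the
machine under test: per the thread, the offending lookup can hang the
whole Win95 box, and the last line printed identifies the killer name."""
import argparse
import socket
from dataclasses import dataclass
from typing import Callable, List, Optional

# Condition as quoted from the KB article: a name of exactly 15 characters,
# periods counted, containing at least two periods, passed to Vnbt.386.
TRIGGER_LENGTH = 15
MIN_PERIODS = 2

# Names quoted in the thread. John Robinson counted them as 13 characters
# "not including periods"; counted with the periods they are 15 characters.
THREAD_EXAMPLES = ["www.socois.cool", "www.pcorner.org", "blahd.yahoo.com"]
# Ken Chase's reverse-lookup worry, also 15 characters with two periods.
REVERSE_EXAMPLE = "24.in-addr.arpa"


def matches_kb_trigger(name: str) -> bool:
    """True when name matches the condition the KB text describes."""
    return len(name) == TRIGGER_LENGTH and name.count(".") >= MIN_PERIODS


def bogus_names(min_len: int = 9, max_len: int = 32, per_length: int = 2) -> List[str]:
    """Two distinct never-resolving names per total length, periods counted.

    Shape is <a>.<b>.test so every name carries two periods. The .test TLD
    (reserved by RFC 2606/6761) is this example's choice (assumption), so the
    names are guaranteed bogus without depending on a registrar; the thread
    used made-up names such as j21kaa.foo instead."""
    names: List[str] = []
    suffix = ".test"
    for total in range(min_len, max_len + 1):
        body = total - len(suffix) - 1   # letters available for the two labels
        if body < 2:
            continue
        for k in range(per_length):
            a = body // 2 + k            # move the split to get a distinct name
            b = body - a
            if a < 1 or b < 1:
                continue
            names.append("a" * a + "." + "b" * b + suffix)
    return names


@dataclass
class ProbeResult:
    name: str
    length: int
    periods: int
    predicted_trigger: bool
    outcome: str


def probe(names: List[str],
          resolver: Callable[[str], str] = socket.gethostbyname,
          log: Optional[Callable[[str], None]] = None) -> List[ProbeResult]:
    """Resolve each name in turn, logging BEFORE the lookup so that a hang
    leaves the offending name as the last line of output."""
    results: List[ProbeResult] = []
    for name in names:
        if log:
            log(f"lookup {len(name):2d} chars {name}")
        try:
            outcome = "resolved " + resolver(name)
        except OSError as exc:   # socket.gaierror / herror are OSError subclasses
            outcome = f"not found ({type(exc).__name__})"
        results.append(ProbeResult(name, len(name), name.count("."),
                                   matches_kb_trigger(name), outcome))
    return results


def main() -> None:
    parser = argparse.ArgumentParser(description=__doc__)
    parser.add_argument("--probe", action="store_true",
                        help="actually resolve each name (only on the machine under test)")
    args = parser.parse_args()
    names = THREAD_EXAMPLES + [REVERSE_EXAMPLE] + bogus_names()
    if not args.probe:
        for n in names:
            flag = "TRIGGER" if matches_kb_trigger(n) else "-"
            print(f"{len(n):2d} chars  {n.count('.')} periods  {flag:7s} {n}")
        return
    for r in probe(names, log=lambda m: print(m, flush=True)):
        print(f"  -> {r.outcome}", flush=True)


if __name__ == "__main__":
    main()
```

Without --probe the script only prints the sweep with the predicted trigger rows marked, so it is safe to run anywhere; with --probe it walks the list in the same order, printing each name with flush before the lookup, so if the machine wedges the way the thread describes, the last line on screen is the name that did it.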