Windows Vista New Network Stack


“Networking support has been extended throughout the lifetime of Windows 2000 and Windows XP, but it was getting harder and harder for Microsoft to keep improving the old code. So for Vista, they started over from ground zero and rewrote the networking stack from scratch. IPV6 was hacked onto Windows XP in a pretty basic way, but it is built directly into the Vista networking stack in a much more robust fashion. Of course, IPV4 is still going to be the most common IP interface for quite some time, so all the new networking improvements are visible there, too.”

The RFCs (documents that define the way the Internet “should” work) have been described by many as mere suggestions. It is up to the developer to correct interpret the description and translate that into source code, which eventually ends up playing on the Internet.
So when Microsoft decides to write an entirely new network protocol stack, guess what, we get a whole new round of “interpretations” to test and potential take advantage of using various tools:

  • Nmap – The basis of Nmap’s OS fingerprinting module is based on sending strange packets to a host and see what it sends back. The RFCs do not explicitly define how a host should respond to a TCP packet with the Syn/Fin/Rst flags set.
  • Hping – Earlier versions of Windows fell victim to a LAND attack, that is a packet which sets the source and destination IP addresses to the same value. Since the RFCs do not define what is supposed to happen, some versions of Windows blue screen (I think they could have come up with a better scenario, however they did fix this in later versions of Windows, then re-introduce it in a later version, then fix it again). Hping allows you to craft packets, setting various values in the packets headers, including the source and destination IP addresses.
  • Jolt/Tear Drop – Fragmentation attacks have been very popular in the past, again taking advantage of the way a host interprets packets, specifically ones that are fragmented (such as overlapping fragments, missing fragments, and never ending fragments).

Even fairly mature protocol stacks, such as the Linux TCP/IP stack, have recently uncovered vulnerabilities. What is interesting is that the original protocol stacks such as BSD are getting more resilient to attacks. I am very curious to see what kind of vulnerabilities are found in the new Windows Vista protocol stack.

Full Article


Paul Asadoorian

Paul Asadoorian is currently the Principal Security Evangelist for Eclypsium, focused on firmware and supply chain security awareness. Paul’s passion for firmware security extends back many years to the WRT54G hacking days and reverse engineering firmware on IoT devices for fun. Paul and his long-time podcast co-host Larry Pesce co-authored the book “WRTG54G Ultimate Hacking” in 2007, which fueled the firmware hacking fire even more. Paul has worked in technology and information security for over 20 years, holding various security and engineering roles in a lottery company, university, ISP, independent penetration tester, and security product companies such as Tenable. In 2005 Paul founded Security Weekly, a weekly podcast dedicated to hacking and information security. In 2020 Security Weekly was acquired by the Cyberrisk Alliance. Paul is still the host of one of the longest-running security podcasts, Paul’s Security Weekly, he enjoys coding in Python & telling everyone he uses Linux.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.