“Networking support has been extended throughout the lifetime of Windows 2000 and Windows XP, but it was getting harder and harder for Microsoft to keep improving the old code. So for Vista, they started over from ground zero and rewrote the networking stack from scratch. IPV6 was hacked onto Windows XP in a pretty basic way, but it is built directly into the Vista networking stack in a much more robust fashion. Of course, IPV4 is still going to be the most common IP interface for quite some time, so all the new networking improvements are visible there, too.”

The RFCs (documents that define the way the Internet “should” work) have been described by many as mere suggestions. It is up to the developer to correct interpret the description and translate that into source code, which eventually ends up playing on the Internet.
So when Microsoft decides to write an entirely new network protocol stack, guess what, we get a whole new round of “interpretations” to test and potential take advantage of using various tools:

  • Nmap – The basis of Nmap’s OS fingerprinting module is based on sending strange packets to a host and see what it sends back. The RFCs do not explicitly define how a host should respond to a TCP packet with the Syn/Fin/Rst flags set.
  • Hping – Earlier versions of Windows fell victim to a LAND attack, that is a packet which sets the source and destination IP addresses to the same value. Since the RFCs do not define what is supposed to happen, some versions of Windows blue screen (I think they could have come up with a better scenario, however they did fix this in later versions of Windows, then re-introduce it in a later version, then fix it again). Hping allows you to craft packets, setting various values in the packets headers, including the source and destination IP addresses.
  • Jolt/Tear Drop – Fragmentation attacks have been very popular in the past, again taking advantage of the way a host interprets packets, specifically ones that are fragmented (such as overlapping fragments, missing fragments, and never ending fragments).

Even fairly mature protocol stacks, such as the Linux TCP/IP stack, have recently uncovered vulnerabilities. What is interesting is that the original protocol stacks such as BSD are getting more resilient to attacks. I am very curious to see what kind of vulnerabilities are found in the new Windows Vista protocol stack.

Full Article

.com