Windows Vista New Network Stack

March 22, 2006

“Networking support has been extended throughout the lifetime of Windows 2000 and Windows XP, but it was getting harder and harder for Microsoft to keep improving the old code. So for Vista, they started over from ground zero and rewrote the networking stack from scratch. IPV6 was hacked onto Windows XP in a pretty basic way, but it is built directly into the Vista networking stack in a much more robust fashion. Of course, IPV4 is still going to be the most common IP interface for quite some time, so all the new networking improvements are visible there, too.”

The RFCs (documents that define the way the Internet “should” work) have been described by many as mere suggestions. It is up to the developer to correct interpret the description and translate that into source code, which eventually ends up playing on the Internet.
So when Microsoft decides to write an entirely new network protocol stack, guess what, we get a whole new round of “interpretations” to test and potential take advantage of using various tools:

Nmap – The basis of Nmap’s OS fingerprinting module is based on sending strange packets to a host and see what it sends back. The RFCs do not explicitly define how a host should respond to a TCP packet with the Syn/Fin/Rst flags set.
Hping – Earlier versions of Windows fell victim to a LAND attack, that is a packet which sets the source and destination IP addresses to the same value. Since the RFCs do not define what is supposed to happen, some versions of Windows blue screen (I think they could have come up with a better scenario, however they did fix this in later versions of Windows, then re-introduce it in a later version, then fix it again). Hping allows you to craft packets, setting various values in the packets headers, including the source and destination IP addresses.
Jolt/Tear Drop – Fragmentation attacks have been very popular in the past, again taking advantage of the way a host interprets packets, specifically ones that are fragmented (such as overlapping fragments, missing fragments, and never ending fragments).

Even fairly mature protocol stacks, such as the Linux TCP/IP stack, have recently uncovered vulnerabilities. What is interesting is that the original protocol stacks such as BSD are getting more resilient to attacks. I am very curious to see what kind of vulnerabilities are found in the new Windows Vista protocol stack.

Full Article

.com

Paul Asadoorian

Paul Asadoorian is the founder of Security Weekly, which was acquired by CyberRisk Alliance. Paul spent time “in the trenches” implementing security programs for a lottery company and then a large university. Paul is offensive, having spent several years as a penetration tester. As Product Evangelist for Tenable Network Security, Paul built a library of materials on the topic of vulnerability management. When not hacking together embedded systems (or just plain hacking them) or coding silly projects in Python, Paul can be found researching his next set of headphones.

Windows Vista New Network Stack

Related

Majority of YouTube accounts Google terminated in Q3 linked to China

DevSecOps Scanning Challenges & Tips

It Should Be ‘Cybersecurity Culture Month’

Get daily email updates