Security Weekly
Content

Windows Vista New Network Stack

“Networking support has been extended throughout the lifetime of Windows 2000 and Windows XP, but it was getting harder and harder for Microsoft to keep improving the old code. So for Vista, they started over from ground zero and rewrote the networking stack from scratch. IPV6 was hacked onto Windows XP in a pretty basic way, but it is built directly into the Vista networking stack in a much more robust fashion. Of course, IPV4 is still going to be the most common IP interface for quite some time, so all the new networking improvements are visible there, too.”

The RFCs (documents that define the way the Internet “should” work) have been described by many as mere suggestions. It is up to the developer to correct interpret the description and translate that into source code, which eventually ends up playing on the Internet.
So when Microsoft decides to write an entirely new network protocol stack, guess what, we get a whole new round of “interpretations” to test and potential take advantage of using various tools:

  • Nmap – The basis of Nmap’s OS fingerprinting module is based on sending strange packets to a host and see what it sends back. The RFCs do not explicitly define how a host should respond to a TCP packet with the Syn/Fin/Rst flags set.
  • Hping – Earlier versions of Windows fell victim to a LAND attack, that is a packet which sets the source and destination IP addresses to the same value. Since the RFCs do not define what is supposed to happen, some versions of Windows blue screen (I think they could have come up with a better scenario, however they did fix this in later versions of Windows, then re-introduce it in a later version, then fix it again). Hping allows you to craft packets, setting various values in the packets headers, including the source and destination IP addresses.
  • Jolt/Tear Drop – Fragmentation attacks have been very popular in the past, again taking advantage of the way a host interprets packets, specifically ones that are fragmented (such as overlapping fragments, missing fragments, and never ending fragments).

Even fairly mature protocol stacks, such as the Linux TCP/IP stack, have recently uncovered vulnerabilities. What is interesting is that the original protocol stacks such as BSD are getting more resilient to attacks. I am very curious to see what kind of vulnerabilities are found in the new Windows Vista protocol stack.

Full Article

.com

Paul Asadoorian

Paul Asadoorian spent time “in the trenches” implementing security programs for a lottery company and then a large university. Paul is offensive, having spent several years as a penetration tester. He is the founder of the Security Weekly podcast network, offering freely available shows on the topics of information security and hacking. As Product Evangelist for Tenable Network Security, Paul built a library of materials on the topic of vulnerability management. When not hacking together embedded systems (or just plain hacking them) or coding silly projects in Python, Paul can be found researching his next set of headphones.Paul Asadoorian spent time “in the trenches” implementing security programs for a lottery company and then a large university. Paul is offensive, having spent several years as a penetration tester. He is the founder of the Security Weekly podcast network, offering freely available shows on the topics of information security and hacking. As Product Evangelist for Tenable Network Security, Paul built a library of materials on the topic of vulnerability management. When not hacking together embedded systems (or just plain hacking them) or coding silly projects in Python, Paul can be found researching his next set of headphones.

Related

Content
DevSecOps Scanning Challenges & Tips

There are many ways to do DevSecOps, and each organization — each security team, even — uses a different approach. Questions such as how many environments you have and the frequency of deployment of those environments are important in understanding how to integrate a security scanner into your DevSecOps machinery. The ultimate goal is speed […]

Content
It Should Be ‘Cybersecurity Culture Month’

It’s Cybersecurity Awareness Month, but security awareness is about much more than just dedicating a month to a few activities. Security awareness is a journey, requiring motivation along the way. And culture. Especially culture.That’s the point Proofpoint Cybersecurity Evangelist Brian Reed drove home in a recent appearance on Business Security Weekly.“If your security awareness program […]

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.