New M$ TCP/IP bug found.... got the NT Blue's yet?

Kelly E. Gibbs (kgibbs@BEST.COM)
Thu, 22 May 1997 16:40:43 -0700

I was testing a network where the packets were getting corrupted, between a
Windows NT 3.51 client and a Windows 4.0 SP2 server (looks like upgrading
to SP3 makes no difference :-) ). As to the source of corruption, I haven't
determined that yet, but that's another problem. The chances of this
happening again are very slim, but for now I appreciate the source of
corruption, wherever it is!

The problem is that you can inject a packet with an invalid sequence
number, an invalid window size announcement (let's say 62K), with the
Urgent, FIN, RST, and a few other elements of the packet set just right,
and guess what happens.......... the server will cease to accept data.
Only the FIN and ACK FIN make it, and only if the next packet doesn't contain
the right window size. If the next packet contains an invalid window size
that is greater than the previous one, then you can recreate the problem.

So, for those with routers who think that closing access to port 139
is safe, think again. This works very well over port 80, or any port for
that matter. I also tried this on several firewalls (without mentioning
names), and it worked. Several UNIX firewalls, however, denied that packet,
but the NT firewalls that I tried all accepted it.

Several other M$ TCP/IP implementation problems have surfaced, but I am
looking into those now to validate them.

As soon as I formalize my findings, I guess you will be seeing another HotFix
from M$.

Kelly Gibbs, kgibbs@best.com
Internet Security Instructor
Protocol Interface, Inc.
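A defender-side sanity check of the kind the UNIX firewalls in the post apparently applied, written here as an added example and not part of the original message: it parses a TCP header and rejects segments whose sequence number falls outside the receiver's window or whose flag combination (RST together with FIN/URG) has no legitimate meaning. The connection state (rcv_nxt, rcv_wnd) and the sample segments are constructed for the example; the flag rule is a filtering heuristic, not an RFC requirement.

```python
import struct
from dataclasses import dataclass

# TCP control bits (RFC 793), low byte of the offset/flags field.
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


@dataclass
class Segment:
    seq: int
    ack: int
    flags: int
    window: int


def parse_tcp_header(raw: bytes) -> Segment:
    """Decode the fixed 20-byte TCP header (options and ports are ignored)."""
    if len(raw) < 20:
        raise ValueError("truncated TCP header")
    _sp, _dp, seq, ack, off_flags, window, _csum, _urgp = struct.unpack("!HHIIHHHH", raw[:20])
    return Segment(seq=seq, ack=ack, flags=off_flags & 0x1FF, window=window)


def build_tcp_header(seq: int, ack: int, flags: int, window: int) -> bytes:
    """Constructed sample header for testing the filter (data offset = 5 words)."""
    return struct.pack("!HHIIHHHH", 1025, 80, seq, ack, (5 << 12) | flags, window, 0, 0)


def check_segment(seg: Segment, rcv_nxt: int, rcv_wnd: int) -> list[str]:
    """Return the reasons a stateful filter would drop this segment for an
    established connection whose receiver expects rcv_nxt with window rcv_wnd
    (rcv_wnd > 0 assumed; the zero-window special case is not handled)."""
    reasons = []
    # RFC 793 acceptability test, with 32-bit wraparound of the window edge.
    lo, hi = rcv_nxt, (rcv_nxt + rcv_wnd) % 2**32
    in_window = (lo <= seg.seq < hi) if lo <= hi else (seg.seq >= lo or seg.seq < hi)
    if not in_window:
        reasons.append("sequence number outside receive window")
    # A reset never legitimately travels with FIN or URG; treat it as malformed.
    if (seg.flags & RST) and (seg.flags & (FIN | URG)):
        reasons.append("RST combined with FIN/URG")
    # On an established connection every segment except SYN/RST carries ACK.
    if not (seg.flags & (SYN | RST | ACK)):
        reasons.append("non-SYN segment without ACK")
    return reasons


if __name__ == "__main__":
    good = build_tcp_header(1000, 5000, ACK | PSH, 8192)  # constructed, in-window
    bad = build_tcp_header(0xDEADBEEF, 0, URG | FIN | RST, 62000)  # constructed anomaly
    for raw in (good, bad):
        print(check_segment(parse_tcp_header(raw), rcv_nxt=1000, rcv_wnd=8192))
```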