I thought this was a troll it seemed so ridiculous. Could MS be THAT
bad at coding *AND* testing?! To even attempt to fathom what kind of
coding resulted in this magic number popping up makes me shudder. I
investigated for myself (for once ;):
Disclaimer: This will probably end up coming out as gleeful M$-bashing
""""""""""" here, but last night I spent 5hrs working on a proposal
bid, trying to think of why the client's insitence on "NT+IIS+MS SQL+
Coldfusion" was a worse idea than FreeBSD or BSDI, Apache 1.2.5,
PHP 3.0 and Postgres or Oracle, but I shuddered everytime I wrote the
first 4 letters of "FreeBSD" and imagined the questions we'll get if we
even make it to the prelim meetings. If you have any suggestions, feel
free to email me! :)
[ please see note re Unix+NT interop. mailing list proposal at bottom ]
------------------------------------------------------------------------------
Summary: My installation of Winsock 2.0 faults on 15 characters, not 13.
""""""""
Going back to 1.1 with the scripts provided with the upgrade
makes things ok again (tho you may be open to attacks (newTear?)
that WS 2.0 'fixes').
== DETAILS, EXPLOITS, and NEW MAILING LIST PROPOSAL FOLLOW ====================
Exploits, Limitations and Further Investigation:
""""""""""""""""""""""""""""""""""""""""""""""""
- Any exploit would need to cause the target machine to do a
sort of lookup on a bogus domain name of the magic length
(successful exploits would include all lengths of name from
9 to many (32?) characters to be sure).
- This could include sending email with a URL or embedded image
tag to someone, or seeding your webpage with bogus hostnames
of 9-32 characters length.
- For now, I cant see any way of causing the exploit to
occur on an UNATTENDED machine. The user must be lead to
click on a URL either in email, or by visting a webpage.
(Perhaps r00tshell or others can suggest a way a call to a
remote Win95 box via SMB messages can cause a forward lookup
on a bogus domain.)
- I am not sure when Win95/SMB does 'reverse' lookups, but
remember 'reverse' checks "*.in-addr.arpa", say for
logging the hostname attached to an incoming IP to a Win95
server app (War-FTPD, SMTPD, Personal Web Server, etc.)
(eg: 24.in-addr.arpa may hose my box at 15 chars.)
(Sorry just thot of this now and aint rebooting linux to check.)
Fixes: - DONT 'upgrade' to Winsock 2.0. If you have, downgrade.
"""""" - Do not be on a dedicated internet connection without a firewall
and a sharp network admin responsible for it.
Commentary: This patch looks like its been out for a while now, and
""""""""""" there are faily good notes on how to install it, etc, on
MS's site. It doesnt say exactly what it fixes, if it protects against
Nuke, Tear or NewTear or any other recent attacks.
But, HOW THE HELL do they get away with this? The US is worried about
'cyberterrorism'? Well they should investigate MS for practices which
are putting the North American economy at undue risk of attack. If MS
is gonna push their marketing THAT hard, with a small country's worth
of money, such that they strongly affect they way an entire continent
does business, then they should be able to back it up with a quality
product that protects consumers and economic infrastructure. Instead,
businesses are left open to TRIVIALLY implimented and widespread
security attacks.
The government should begin investigating and applying penalties,
perhaps equally to all software development firms, at least starting
with internetworked operating systems. (Or perhaps professional
engineering accreditations are starting to show their need in this
field. We dont like bridges collapsing, but do we like our intensive
care equipment software failing under a broken OS?)
If MS is going to enjoy what some proponents are terming "a natural
monopoly" (see recent Scientific American commentary re such), then
they should come under scrutiny for quality of service. Oh ya, they're
not a monopoly, and the market will realise who has the best product.
Not. Will BYTE or PC Mag even mention this massive WS 2.0 gaffe? Will
the public care?
[rant off]
------------------------------------------------------------------------------
Methods:
""""""""
- i wrote down a list of 14 hostnames, 2 different ones for each
'length' of name including the '.'s, all assuredly bogus (j21kaa.foo
for eg).
- under the old winsock 1.1, I pung, telnetted and made IE 3.0 go visit
each of the 14 names. No problems (host not found each time).
- I ran ws2setup and the install ran fine. Then I hit the sites with
ping, telnet and IE 3.0 again and laughed with a mix of
self-righteousness and fear.
Observations:
"""""""""""""
- At 15 characters ONLY on my system did the winsock stack get hosed
under all of ping, telnet and IE 3.0.
- Twice out of the 12 attempts and subsequent reboots did my entire
Win95 just wedge right up to the mouse. Hard reset only option.
ONCE Winsock 2.0 is HOSED:
- In all cases, "shutting down my computer" left me with the shutdown
screen, but did not reboot. I had to go thru scandisk each time.
- In all cases, other networking apps were either hosed or partially
functional. In many cases I can see data being lost with any app that
calls Winsock after some other app hoses the stack (ie Word emailing
out a document by itself, for eg, may hose itself and your changes
after someone sends your Eudora some email with a bogus hostname link
in it that you innocently clicked).
- Launching new networkng apps brought up the blue screen each time,
or did as soon as any networking related function was attempted.
Many apps I never suspected of having any networking code in them
seemed to be affected as well (I am not sure if this applies to all
file open/save dialogues, which have Network.. access options in them.)
==============================================================================
WARNING: Non-direct bugtraq info here. Unix+NT interoperability mailing list
proposal (or verification of prior existence) content follows.
Is there a support list out there to help make Unix-based solutions
match or best MS/NT based ones? There can sometimes be a large lack of
info out there on what is comparable between Unix and NT, and/or how
Unix can interface with NT or vice versa with various apps and servers.
(How does PHP mix with MS SQL for eg? Can Access talk to Postgres? etc.)
If this exists already, let me know please. If someone wants to start
this, or if I should, please email me. I wanna know what kind of
interest there is in this. I felt quite helpless trying to directly
challenge the proposal guidelines which said MS+NT all the way, no
substitutes accepted. I am sure this happens alot. Educating ourselves
is the first step to educating our clients.
I'd like to engender that quality in the list's charter as well, to avoid
MS bashing and instead focusing on facts and interoperability. MS bashing
would obviously lead us nowhere.
Email me: math @ velocet . ca
/kc
-- Ken Chase Velocet Communications Inc. math @ velocet.ca www.velocet.ca Toronto CANADA-- "Sometimes two [harmless] words, when put together, strike fear in the hearts of men -- Microsoft Wallet." - Dave Gilbert