Date: 16.11.2005 Author: Juergen Schmidt, heise Security Original article: http://www.heise.de/security/artikel/53297 German version: http://www.heise.de/security/news/meldung/53306 Flaws in SP2 security features, part II With Service Pack 2 Microsoft introduced a couple of new security features. However, some of them suffer from implementation flaws. One of the new security features is the restricted access to raw sockets in SP2. By restricting the ability to send handcrafted packets, Microsoft wants to "limit the ability of malicious code to create distributed denial-of-service attacks and limit the ability to send spoofed packets" (see http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/sp2netwk.mspx#EHAA). On the downside, a lot of tools, we use for our daily work, do not work with those restrictions -- or have to use strange workarounds. A lot of the features of the well known port scanner nmap did not work under Windows XP SP2 -- until Fyodor came up with writing raw ethernet frames instead of IP packets (which btw does not help on other transport mediums). The implementation of those restrictions on raw sockets contains at least one bug which makes them close to useless. They are coupled in some mysterious way to the firewall service. Issuing the command net stop SharedAccess stops the firewall and opens the access to raw sockets. You can test this easily by trying half open syn scans: nmap -sS [somehost] or spoofing IP adresses of UDP packets like in nmap -sU -S 1.2.3.4 -e eth0 [somehost] Neither command works with Windows XP SP2 and firewall enabled, but after you turn it off, they do. Microsoft has been informed about the problem and promised: "Even though we do not consider this a security vulnerability, Microsoft is committed to fixing this bug as quickly as is possible." The issue was brought to my attention by Holger Lembke who found it during his work on "3d traceroute" (http://www.d3tr.com). bye, ju -- Juergen Schmidt heise Security www.heisec.de Heise Zeitschriften Verlag, Helstorferstr. 7, D-30625 Hannover GPG-Key: 0x38EA4970, 5D7B 476D 84D5 94FF E7C5 67BE F895 0A18 38EA 4970