Flaws in SP2 security features, part II

With Service Pack 2 Microsoft restricted access to raw TCP/IP sockets, to limit the ability of malware to mount DDoS attacks and IP spoofing. However, this can be circumvented easily.

In Pocket speichern vorlesen Druckansicht
Lesezeit: 2 Min.

With Service Pack 2 Microsoft introduced a couple of new security features. However, some of them suffer from implementation flaws.

One of the new security features is the restricted access to raw sockets in SP2. By restricting the ability to send handcrafted packets, Microsoft wants to "limit the ability of malicious code to create distributed denial-of-service attacks and limit the ability to send spoofed packets" (see Microsoft's SP2 documentation).

On the downside, a lot of tools, we use for our daily work, do not work with those restrictions - or have to use strange workarounds. A lot of the features of the well known port scanner nmap did not work under Windows XP SP2 - until Fyodor came up with writing raw ethernet frames instead of IP packets (which btw does not help on other transport mediums).

The implementation of those restrictions on raw sockets contains at least one bug which makes them close to useless. They are coupled in some mysterious way to the firewall service. Issuing the command

net stop SharedAccess

stops the firewall and opens the access to raw sockets. You can test this easily by trying half open syn scans:

nmap -sS <somehost>

or spoofing IP adresses of UDP packets like in

nmap -sU -S 1.2.3.4 -e eth0 <somehost>

Neither command works with Windows XP SP2 and firewall enabled, but after you turn it off, they do.

Microsoft has been informed about the problem and promised:

Even though we do not consider this a security vulnerability, Microsoft is committed to fixing this bug as quickly as is possible.

The issue was brought to my attention by Holger Lembke who found it during his work on 3d traceroute. (ju)