[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Widnows XP TCP/IP Stack Security Issue (ARP for non RFC 1918 addresses)

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: Widnows XP TCP/IP Stack Security Issue (ARP for non RFC 1918 addresses)
From: wborskey@xxxxxxxxx
Date: Sat, 24 Apr 2010 19:15:56 -0600

After putting the port my WAP is plugged into in a bridge group--cisco 
2600--and rejecting traffic at layer two from an XP machine, I noticed some odd 
and insecure behavior. At this point I can only assume what is causing it. 

After adding the MAC of a machine with active tcp/ip sockets to public ip 
addresses an odd thing happened. Instead of sending out DNS requests to resolve 
the hosts, the XP machine started sending ARP requests but ARP requests for ip 
public addresses! For example it sent out ARP requests like "Who has 
74.125.159.103". But not just once!

The XP machine was using a self assigned 169.254. 
Because the bridge group discard rule was discarding their traffic at layer 2. 
But somehow, I guess because it had open sockets to public IP addresses, it 
tried to ARP for those addresses to discover what network it was on an where to 
send the packets.

This is extremely dangerous for obvious reasons.

Follow-Ups:
- Re: Widnows XP TCP/IP Stack Security Issue (ARP for non RFC 1918 addresses)
  - From: Paul Schmehl

Prev by Date: Re: New vulnerabilities in CMS SiteLogic
Next by Date: New vulnerabilities in CMS SiteLogic
Previous by thread: Madirish Webmail 2.01 (basedir) RFI/LFI Vulnerability
Next by thread: Re: Widnows XP TCP/IP Stack Security Issue (ARP for non RFC 1918 addresses)
Index(es):
- Date
- Thread