[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Full-disclosure] Microsoft Windows vulnerability in TCP/IP Could Allow Remote Code Execution (2588516)
- To: full-disclosure@xxxxxxxxxxxxxxxxx
- Subject: Re: [Full-disclosure] Microsoft Windows vulnerability in TCP/IP Could Allow Remote Code Execution (2588516)
- From: GomoR <gomor-fd@xxxxxxxxx>
- Date: Wed, 9 Nov 2011 16:16:56 +0100
On Wed, Nov 09, 2011 at 06:45:59AM -0500, Dan Rosenberg wrote:
[..]
> While I'd love to see an exploit from a purely academic perspective,
> it doesn't appear that this is the type of bug where exploitation is
> going to be reliable enough to support a worm. The reference counter
> in question is most likely 32 bits, but even giving the benefit of the
> doubt and saying it's a 16-bit refcount, that's still 2^16 events
> (probably receiving a certain UDP packet) that need to be triggered
> precisely in order to cause a refcount overflow and then trigger a
> remote kernel use-after-free condition, which wouldn't be trivial to
> exploit even by itself. On an unreliable network like the Internet,
> it seems unlikely that the kind of traffic volume required to trigger
> this bug could be generated without dropping a single packet.
> Reliable DoS seems more likely though.
I would love to hear about results running this exploit/PoC/whatever
against a xBSD TCP/IP stack.
Microsoft Windows TCP/IP stack looks so BSDish to me since Windows Vista.
But that's probably because they "rewrote" it completely at that
time (with integration of their "new" IPv6 stack also).
Joke: "Chuck Norris can exploit sockets that aren't even listening."
--
^ ___ ___ http://www.GomoR.org/ <-+
| / __ |__/ Senior Security Engineer |
| \__/ | \ ---[ zsh$ alias psed='perl -pe ' ]--- |
+--> Net::Frame <=> http://search.cpan.org/~gomor/ <---+
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/