Tuesday, November 08, 2011

Windows Vulnerable to Attacks Against Closed UDP Ports

I saw someone post about this Microsoft Security Bulletin, MS11-083 - Critical: Vulnerability in TCP/IP Could Allow Remote Code Execution (2588516). This vulnerability is in Windows Vista, Windows 7, and Windows Server 2008, and they've released a patch.

The interesting thing is that "The vulnerability could allow remote code execution if an attacker sends a continuous flow of specially crafted UDP packets to a closed port on a target system."

"The vulnerability is caused when the Windows TCP/IP stack processes a continuous flow of specially crafted UDP packets, resulting in an integer overflow... An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode."

Crazy. It makes sense, though I'm a little surprised such holes are still around. I wonder if they are in other systems' TCP/IP stacks.
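The bulletin's trigger condition, a continuous flow of UDP packets to a closed port, is something a defender can watch for in firewall or packet-drop logs. The following is an added example, not part of the original post or of Microsoft's bulletin: a sliding-window counter that flags sources sending sustained UDP traffic to ports with no listener. The log format, addresses, window and threshold are all assumptions made for the illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

def parse_line(line):
    """Return (timestamp, proto, src, dst, dport), or None if the line is malformed."""
    parts = line.split()
    if len(parts) != 5:
        return None
    try:
        return (datetime.fromisoformat(parts[0]), parts[1].upper(),
                parts[2], parts[3], int(parts[4]))
    except ValueError:
        return None

def find_closed_port_floods(lines, open_udp_ports,
                            window=timedelta(seconds=10), threshold=100):
    """Map (src, dst) -> peak count of UDP packets to closed ports inside one window.
    Assumes the lines are in chronological order."""
    recent = defaultdict(deque)   # per-pair timestamps still inside the window
    peaks = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue              # skip truncated or garbled log lines
        ts, proto, src, dst, dport = rec
        if proto != "UDP" or dport in open_udp_ports:
            continue              # traffic to a listening service is not of interest here
        q = recent[(src, dst)]
        q.append(ts)
        while ts - q[0] > window:
            q.popleft()           # expire packets older than the window
        if len(q) >= threshold:
            peaks[(src, dst)] = max(peaks.get((src, dst), 0), len(q))
    return peaks

def build_sample():
    """Constructed log lines: one sustained flow, one busy open port, strays, one bad line."""
    t0 = datetime(2011, 11, 8, 10, 0, 0)
    def row(ms, src, port):
        return f"{(t0 + timedelta(milliseconds=ms)).isoformat()} UDP {src} 192.0.2.10 {port}"
    lines = [row(50 * i, "198.51.100.7", 31337) for i in range(200)]   # closed port, sustained
    lines += [row(20 * i, "198.51.100.9", 53) for i in range(300)]     # open port, ignored
    lines += [row(30000 * i, "203.0.113.5", 137) for i in range(3)]    # occasional strays
    lines.append("truncated line")
    return lines

if __name__ == "__main__":
    hits = find_closed_port_floods(build_sample(), open_udp_ports={53})
    for (src, dst), peak in hits.items():
        print(f"{src} -> {dst}: {peak} UDP packets to closed ports within 10 s")
```

A rate heuristic like this only surfaces candidates for review; it does not distinguish crafted packets from ordinary scanning or misdirected traffic.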

1 comment:

Anonymous said...

I wonder why nobody has realized that this might be a Microsoft crafted "secret knock" backdoor that gives government agencies access to any Windows machine.

If I were given the task to create a backdoor in a product, this would be the way to do it, because I could always deny it was there by design. You wouldn't want to be taken to court for deliberately making a back door, would you?

When you think about it, a stream of specially crafted packets to a CLOSED port opens a door in. What else could this be? Packets sent to closed ports should go straight to the trash.