MS11-083

http://technet.microsoft.com/en-us/s...letin/ms11-083

Anyone read much about this one? Sounds pretty interesting. From the bulletin:

Quote:

---

This security update resolves a privately reported vulnerability in Microsoft Windows. The vulnerability could allow remote code execution if an attacker sends a continuous flow of specially crafted UDP packets to a closed port on a target system.

---

More info here:

http://blogs.technet.com/b/srd/archi...-ms11-083.aspx


I would love to see a POC.

Sorry I haven't been around much lately. AO doesn't seem to have much activity, and I certainly am not helping by all but deserting the site. I will try to post more security news as I come across it.

I've been trying to figure out if a machine is vulnerable if the built-in firewall is turned on. There's no mention of it, only that you should block those packets at the perimeter. Obviously those packets won't come anywhere near your machine if you do that.

I'm guessing turning on the firewall will prevent exploitation. Based on the simple fact that a closed UDP port will return an ICMP port unreachable and I have a feeling the integer that's being overflowed has something to do with keeping track of the response. If you turn on the Windows firewall there won't be a response at all.

The advisory is very unclear about this.

I'd bet that the Firewall would stop this one. Mainly because it says the Packets need to be a specific kind; Crafted Packets are easy to do with Hping, IPSorcery, and I think Hydra does that too, and I'm pretty sure NC, but if they don't hit the port because it's blocked, I think it would stop it from happening.

Heh, kinda funny though; All those kids who want to "Hax0r a 'puter" wondering how the heck they're gonna manage to compile an exploit, and allllllll this time, they just needed some packets and a way to activate a command of some sorts on the host.

I really need to dig out my Hydra source file.