June 9th, 2003, 04:25 PM
More issues with Win2003 Server
Yet another example of MS dropping the ball. It is not so much the vulnerablity as it is the point that Microsoft is quick to talk the talk but usually with no meaningful followup. How many times will they be told about an issue, acknowledge it, tell us that they have controls in place to prevent it in the future, then repeat the same damn problem?
This came right from BugTraq:
NGSSoftware Insight Security Research Advisory
Name: Etherleak information leak in Windows Server 2003 drivers Systems Affected: Windows Server 2003 (all versions)
Severity: Low/Medium Risk
Vendor URL: http://www.microsoft.com/windowsserver2003/
Author: Chris Paget (firstname.lastname@example.org)
Date: 9th June 2003
Advisory URL: http://www.nextgenss.com/advisories/etherleak-2003.txt
Advisory number: #NISR09062003
Several NIC device drivers that ship with Windows Server 2003 have been found to disclose information in a similar way to the 'Etherleak' frame padding issue announced by @Stake in January 2003. The original Etherleak paper and subsequent discussion was concerned with ICMP message padding; NGSSoftware Insight Security Research (NISR) have observed a similar issue within a TCP stream.
The original Etherleak paper from Ofir Arkin and Josh Anderson of @Stake (available at
concerns itself primarily with frame padding of ICMP messages with non-zero bytes; the padding bytes could potentially come from any area of physical memory. NISR have observed the issue within a TCP stream, particularly during the FIN-ACK exchange when a connection is gracefully closed. To date, NISR have not seen any discussion of Etherleak-style vulnerabilities within a TCP stream, only ICMP. It is possible that vendors are only testing for ethernet frame padding issues within ICMP and are neglecting TCP.
When the @Stake paper was released, Microsoft stated that tests would be added to the Microsoft driver certification program which specifically checked for this issue; NISR are releasing this advisory since there are multiple drivers shipped with Windows Server 2003 which are vulnerable and yet certified by Microsoft and included on the CD.
Vulnerable drivers include:
VIA Rhine II Compatible network card (integrated into some motherboards). AMD PCNet family network cards (Used by several versions of VMWare)
Both drivers are digitally signed by the Microsoft Windows Publisher, and are included on the Windows Server 2003 CD. Both drivers exhibit the same behaviour, that of padding frames with arbitrary data. The FIN-ACK packets exchanged during the graceful close of a TCP connection are a particularly good source of information; several bytes of potentially sensitive data (including POP3 passwords) has been observed appended to the data portion of Ethernet frames sent by these cards.
Microsoft's statement regarding this issue on the CERT website (available at http://www.kb.cert.org/vuls/id/JPLA-5BGP7V) states:
"Microsoft does not ship any Microsoft written drivers that contain the vulnerability. However, we have found some 3rd party drivers and samples in our documentation that, when compiled without alteration, could yield a driver that could contain this issue. We have made corrections to the samples in our documentation and are working with 3rd parties, and have included tests for this issue in our driver certification program."
Since some network drivers that are certified by Microsoft in their latest release of Windows are still exhibiting these issues, NISR recommends that Microsoft certification is not taken as a guarantee of comprehensive testing. Instead, a list is provided by CERT at
http://www.kb.cert.org/vuls/id/412115 of all related hardware and software vendors; we would recommend that customers refer to this list for the specific hardware vendor to determine exposure to this issue. Alternatively, contact the vendor of your networking hardware for further information.
NGSSoftware design, research and develop intelligent, advanced application security assessment scanners. Based in the United Kingdom, NGSSoftware have offices in the South of London and the East Coast of Scotland. NGSSoftware's sister company NGSConsulting, offers best of breed security consulting services, specialising in application, host and network security assessments.
Telephone +44 208 401 0070
Fax +44 208 401 0076
Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden
June 11th, 2003, 05:46 AM
i remember when @stakes warning was criticized heavily and no one paid attention to it with the release of 2003. i wouldn't be surprised, if they rolled it up on their next SP