XP SP2 Doesnt Supports RAW Sockets
Page 1 of 3 123 LastLast
Results 1 to 10 of 23

Thread: XP SP2 Doesnt Supports RAW Sockets

  1. #1
    Senior Member
    Join Date
    May 2003
    Posts
    472

    XP SP2 Doesnt Supports RAW Sockets

    Its really surprising to hear that win XP doesnt support raw sockets
    !!!! Here is one mail I got.

    ===============================================
    Fyodor mail:
    "When an Nmap user asked MS why security tools such as Nmap
    broke, MS responded [1]:

    We have removed support for TCP sends over RAW sockets in
    SP2. We surveyed applications and found the only apps using
    this on XP were people writing attack tools."
    ===============================================

    Well i dont understand how is that going to help microsoft ??? The attackers will run their tools from Linux !!!

    One case where i see its usefulness is in the case of virus writers who used raw socket programming to perform DoS. But still that wont affect much. coz vxwrites can use process injection to inject IE and attack.

    Seems this step of microsoft will still stop ppl from installing the sp2.

    Moreover though the %age of developer using RAW sockets is very less but still there are many........apart from NMAP many other security audit tools will find their way out of Win XP??

    aaah!!!!!!!!!! Only GOD or BILL Gates knows what M$ is upto??

    peace
    guru@linux:~> who I grep -i blonde I talk; cd ~; wine; talk; touch; unzip; touch; strip; gasp; finger; mount; fsck; more; yes; gasp; umount; make clean; sleep;

  2. #2
    Its really surprising to hear that win XP doesnt support raw sockets
    Not really. RAW socket handling is incredibly insecure. People demanded Windows become more secure and thus they took a step forward to secure the TCP/IP && UDP protocols to and from XP SP2 machines

    Well i dont understand how is that going to help microsoft ??? The attackers will run their tools from Linux !!!
    No they won't. Most virus writers and script kiddies are in windows because they know that OS better. They have to program for and test within an Windows OS enviroment. Microsoft isn't worried about Linux exploits, they are worried about Microsoft specific exploits. The removal of raw sockets will mean viri writer's ability to test locally on machines(even remotely) is now greatly limited even if they do switch to Linux. A virus written in a nix OS using raw sockets STILL won't work on an SP2 that denies raw sockets.

    One case where i see its usefulness is in the case of virus writers who used raw socket programming to perform DoS. But still that wont affect much. coz vxwrites can use process injection to inject IE and attack.
    This is assuming they first run an exploit to penetrate the firewall (ICF version 2 in SP2 helps prevent that), and then exploit the machine to gain process administrative privileges (kernel/process memory protection offered by SP2), and then inject an attack via IE (Which is being fixed as we speak, and MS already stated that they want people to use browsers other than IE)

    Seems this step of microsoft will still stop ppl from installing the sp2.
    Why? The amount of people who are geeks compared to who simply use windows is amazing. Most likley a 1:10 ratio. Those hundreds of thousands of people who just use computers on a minor basis (Rather than 31337ism) won't care about raw socket disability, and thus the mass majority of Windows uers won't be stopped.

    Moreover though the %age of developer using RAW sockets is very less but still there are many........apart from NMAP many other security audit tools will find their way out of Win XP??
    Oh well? So recode nmap to not use raw sockets. Hell, PLENTY of port scanners won't use RAW sockets on windows merely because it makes the product itself exploitable.

  3. #3
    Senior Member
    Join Date
    Feb 2004
    Posts
    620
    Originally posted here by pooh sun tzu
    Why? The amount of people who are geeks compared to who simply use windows is amazing. Most likley a 1:10 ratio. Those hundreds of thousands of people who just use computers on a minor basis (Rather than 31337ism) won't care about raw socket disability, and thus the mass majority of Windows uers won't be stopped.
    I'd be willing to bet that a large majority of those people don't even update their Windows. Ever.

    This is why, despite MS patches, worms are still spreading like wildfire.

  4. #4
    I'd be willing to bet that a large majority of those people don't even update their Windows. Ever.
    For those of you who have installed SP2, then you understand how HUGE of an impact it has upon notifying users of the importance of Automagic updates, even on the first reboot with SP2. That problem has been solved. Not completely, but ... well. try SP2 and see what I mean.

  5. #5
    BANNED
    Join Date
    Nov 2003
    Location
    San Diego
    Posts
    724
    I will as soon as they have it up on the update site. I've been checking off and on for the past couple of days.
    When death sleeps it dreams of you...

  6. #6
    Senior Member
    Join Date
    Nov 2001
    Posts
    1,255

    Re: XP SP2 Doesnt Supports RAW Sockets

    Originally posted here by NullDevice
    Its really surprising to hear that win XP doesnt support raw sockets
    Not really when you consider Win9x didn't, and XP Home was the first home use version of Windows to support raw sockets.

    Seems this step of microsoft will still stop ppl from installing the sp2.

    Moreover though the %age of developer using RAW sockets is very less but still there are many........apart from NMAP many other security audit tools will find their way out of Win XP??
    Not really, given that you can just install third party libraries to get the same functionality. Even if MS tries to actively block raw socket use, I'm certain there will be workarounds.

    Originally posted here by pooh sun tzu
    Not really. RAW socket handling is incredibly insecure.
    Please elaborate. Which type of security are you referring to? Application security of applications that utilize raw sockets, host OS security, or some other meaning?

    Oh well? So recode nmap to not use raw sockets. Hell, PLENTY of port scanners won't use RAW sockets on windows merely because it makes the product itself exploitable.
    It's simpler than that. It just means dropping in a third party library like WinPcap.

    Originally posted here by pooh sun tzu
    For those of you who have installed SP2, then you understand how HUGE of an impact it has upon notifying users of the importance of Automagic updates, even on the first reboot with SP2. That problem has been solved. Not completely, but ... well. try SP2 and see what I mean.
    The problem is, if these people that MJK refers to don't update their software, chances are they won't be benefiting from the new features in SP2, meaning they won't get nagged.
    Chris Shepherd
    The Nelson-Shepherd cutoff: The point at which you realise someone is an idiot while trying to help them.
    \"Well as far as the spelling, I speak fluently both your native languages. Do you even can try spell mine ?\" -- Failed Insult
    Is your whole family retarded, or did they just catch it from you?

  7. #7
    Please elaborate. Which type of security are you referring to? Application security of applications that utilize raw sockets, host OS security, or some other meaning?
    I mean moreso on applications that have outbound and inbound handling for raw sockets. (please, if I'm misunderstanding how they work, correct me) By allowing raw handling outbound it does allow for more refined packet reading (AFAIK), but this also would mean inbound forgery packets could exploit that RAW check within the program. Of course I've never done an indepth study on raw packets, but from what I understand their ability to see things raw is also a caveeat torwards their own security?

    It's simpler than that. It just means dropping in a third party library like WinPcap.
    Not sure what you mean. Wasn't winPcap a requirement for raw packet handling anyways?

  8. #8
    The Doctor Und3ertak3r's Avatar
    Join Date
    Apr 2002
    Posts
    2,744
    does this mean mr gibson (of grc.com fame) will be getting his jollies at last.. he has been claiming how bad they are for a couple or three years..

    As for good or bad.. Why would a home user NEED open raw sockets? for that matter most business applications.. certainly on the malware side of things.. i am not aware of anything that exploits this in xp.. but then I need to get my head out of a certain orifice and read some more info..

    cheers
    "Consumer technology now exceeds the average persons ability to comprehend how to use it..give up hope of them being able to understand how it works." - Me http://www.cybercrypt.co.nr

  9. #9
    Just Another Geek
    Join Date
    Jul 2002
    Location
    Rotterdam, Netherlands
    Posts
    3,403
    I always thought the whole point behind the raw sockets was to facilitate the development of new networking protocols. Do users benefit from this? I guess not but it think it will make life a bit more difficult for developers of network protocols.

    Anyways, of all the viruses I've seen on windows I have never seen one that uses the raw sockets. And *nix has had raw sockets from day 1 I believe and AFAIK this hasn't been abused much.

    I mean moreso on applications that have outbound and inbound handling for raw sockets. (please, if I'm misunderstanding how they work, correct me) By allowing raw handling outbound it does allow for more refined packet reading (AFAIK), but this also would mean inbound forgery packets could exploit that RAW check within the program.
    You're confusing application security with OS security. If that program has a flaw in it's handling of raw sockets it's the programs fault not the OS. If you install an insecure program on the most secure OS (pick one you like) in the world it would make that machine vulnerable no matter how secure that OS is.
    Oliver's Law:
    Experience is something you don't get until just after you need it.

  10. #10
    Senior Member
    Join Date
    Apr 2004
    Posts
    1,130
    Raw sockets support must be removed (and was) just because of this: any application, in user mode, can write raw packets. Its is UNACCEPTABLE. Its totally against any network project
    After that removal, you can write an application to write raw packets, but:
    a) you must be in kernel mode and direct access to hardware
    b) you install a library that do so

    On *nix, you cant write raw packet at your will. You need to have priviledges to do that.
    Problem on Windows is MS removed that priviledge need when turn available "raw packet" support. Now MS fixed it. Thanks God.

    Im suprised that some ppl here NEVER give a greenie to MS, even when MS recognise its problems and fix it.
    Meu sítio

    FORMAT C: Yes ...Yes??? ...Nooooo!!! ^C ^C ^C ^C ^C
    If I die before I sleep, I pray the Lord my soul to encrypt.
    If I die before I wake, I pray the Lord my soul to brake.

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  

 Security News

     Patches

       Security Trends

         How-To

           Buying Guides