
Thread: XP SP2 Doesn't Support RAW Sockets

  1. #1
    Senior Member
    Join Date
    May 2003
    Posts
    472

    XP SP2 Doesn't Support RAW Sockets

    It's really surprising to hear that Win XP doesn't support raw sockets!!!! Here is one mail I got.

    ===============================================
    Fyodor mail:
    "When an Nmap user asked MS why security tools such as Nmap
    broke, MS responded [1]:

    We have removed support for TCP sends over RAW sockets in
    SP2. We surveyed applications and found the only apps using
    this on XP were people writing attack tools."
    ===============================================

    Well, I don't understand how that is going to help Microsoft??? The attackers will run their tools from Linux!!!

    One case where I see its usefulness is in the case of virus writers who used raw socket programming to perform DoS. But still, that won't affect much, because VX writers can use process injection to inject into IE and attack.

    It seems this step of Microsoft's will still stop people from installing SP2.

    Moreover, though the percentage of developers using RAW sockets is very small, there are still many... Apart from Nmap, many other security audit tools will find their way out of Win XP??

    Aaah!!!!!!!!!! Only GOD or BILL Gates knows what M$ is up to??

    peace
    guru@linux:~> who | grep -i blonde | talk; cd ~; wine; talk; touch; unzip; touch; strip; gasp; finger; mount; fsck; more; yes; gasp; umount; make clean; sleep;

  2. #2
    It's really surprising to hear that Win XP doesn't support raw sockets
    Not really. RAW socket handling is incredibly insecure. People demanded Windows become more secure, and thus they took a step forward to secure the TCP/IP && UDP protocols to and from XP SP2 machines.

    Well, I don't understand how that is going to help Microsoft??? The attackers will run their tools from Linux!!!
    No they won't. Most virus writers and script kiddies are in Windows because they know that OS better. They have to program for and test within a Windows OS environment. Microsoft isn't worried about Linux exploits; they are worried about Microsoft-specific exploits. The removal of raw sockets will mean virus writers' ability to test locally on machines (even remotely) is now greatly limited, even if they do switch to Linux. A virus written in a *nix OS using raw sockets STILL won't work on an SP2 that denies raw sockets.

    One case where I see its usefulness is in the case of virus writers who used raw socket programming to perform DoS. But still, that won't affect much, because VX writers can use process injection to inject into IE and attack.
    This assumes they first run an exploit to penetrate the firewall (ICF version 2 in SP2 helps prevent that), then exploit the machine to gain process administrative privileges (kernel/process memory protection offered by SP2), and then inject an attack via IE (which is being fixed as we speak, and MS has already stated that they want people to use browsers other than IE).

    It seems this step of Microsoft's will still stop people from installing SP2.
    Why? The number of people who are geeks compared to those who simply use Windows is amazing. Most likely a 1:10 ratio. Those hundreds of thousands of people who just use computers on a minor basis (rather than 31337ism) won't care about raw socket disability, and thus the vast majority of Windows users won't be stopped.

    Moreover, though the percentage of developers using RAW sockets is very small, there are still many... Apart from Nmap, many other security audit tools will find their way out of Win XP??
    Oh well? So recode Nmap to not use raw sockets. Hell, PLENTY of port scanners won't use RAW sockets on Windows merely because it makes the product itself exploitable.

  3. #3
    Senior Member
    Join Date
    Feb 2004
    Posts
    620
    Originally posted here by pooh sun tzu
    Why? The number of people who are geeks compared to those who simply use Windows is amazing. Most likely a 1:10 ratio. Those hundreds of thousands of people who just use computers on a minor basis (rather than 31337ism) won't care about raw socket disability, and thus the vast majority of Windows users won't be stopped.
    I'd be willing to bet that a large majority of those people don't even update their Windows. Ever.

    This is why, despite MS patches, worms are still spreading like wildfire.

  4. #4
    I'd be willing to bet that a large majority of those people don't even update their Windows. Ever.
    For those of you who have installed SP2, you understand how HUGE an impact it has on notifying users of the importance of Automagic updates, even on the first reboot with SP2. That problem has been solved. Not completely, but... well, try SP2 and see what I mean.

  5. #5
    BANNED
    Join Date
    Nov 2003
    Location
    San Diego
    Posts
    724
    I will as soon as they have it up on the update site. I've been checking off and on for the past couple of days.
    When death sleeps it dreams of you...

  6. #6
    Senior Member
    Join Date
    Nov 2001
    Posts
    1,255

    Re: XP SP2 Doesn't Support RAW Sockets

    Originally posted here by NullDevice
    It's really surprising to hear that Win XP doesn't support raw sockets
    Not really, when you consider Win9x didn't, and XP Home was the first home-use version of Windows to support raw sockets.

    It seems this step of Microsoft's will still stop people from installing SP2.

    Moreover, though the percentage of developers using RAW sockets is very small, there are still many... Apart from Nmap, many other security audit tools will find their way out of Win XP??
    Not really, given that you can just install third-party libraries to get the same functionality. Even if MS tries to actively block raw socket use, I'm certain there will be workarounds.

    Originally posted here by pooh sun tzu
    Not really. RAW socket handling is incredibly insecure.
    Please elaborate. Which type of security are you referring to? Application security of applications that utilize raw sockets, host OS security, or some other meaning?

    Oh well? So recode Nmap to not use raw sockets. Hell, PLENTY of port scanners won't use RAW sockets on Windows merely because it makes the product itself exploitable.
    It's simpler than that. It just means dropping in a third-party library like WinPcap.

    Originally posted here by pooh sun tzu
    For those of you who have installed SP2, you understand how HUGE an impact it has on notifying users of the importance of Automagic updates, even on the first reboot with SP2. That problem has been solved. Not completely, but... well, try SP2 and see what I mean.
    The problem is, if these people that MJK refers to don't update their software, chances are they won't be benefiting from the new features in SP2, meaning they won't get nagged.
    Chris Shepherd
    The Nelson-Shepherd cutoff: The point at which you realise someone is an idiot while trying to help them.
    "Well as far as the spelling, I speak fluently both your native languages. Do you even can try spell mine ?" -- Failed Insult
    Is your whole family retarded, or did they just catch it from you?

  7. #7
    Please elaborate. Which type of security are you referring to? Application security of applications that utilize raw sockets, host OS security, or some other meaning?
    I mean more so on applications that have outbound and inbound handling for raw sockets. (Please, if I'm misunderstanding how they work, correct me.) By allowing raw handling outbound, it does allow for more refined packet reading (AFAIK), but this also would mean inbound forged packets could exploit that RAW check within the program. Of course I've never done an in-depth study on raw packets, but from what I understand, their ability to see things raw is also a caveat towards their own security?

    It's simpler than that. It just means dropping in a third-party library like WinPcap.
    Not sure what you mean. Wasn't WinPcap a requirement for raw packet handling anyway?

  8. #8
    The Doctor Und3ertak3r
    Join Date
    Apr 2002
    Posts
    2,744
    Does this mean Mr. Gibson (of grc.com fame) will be getting his jollies at last? He has been claiming how bad they are for a couple or three years.

    As for good or bad: why would a home user NEED open raw sockets? For that matter, most business applications. Certainly on the malware side of things, I am not aware of anything that exploits this in XP, but then I need to get my head out of a certain orifice and read some more info.

    cheers
    "Consumer technology now exceeds the average person's ability to comprehend how to use it... give up hope of them being able to understand how it works." - Me http://www.cybercrypt.co.nr

  9. #9
    Just Another Geek
    Join Date
    Jul 2002
    Location
    Rotterdam, Netherlands
    Posts
    3,401
    I always thought the whole point behind raw sockets was to facilitate the development of new networking protocols. Do users benefit from this? I guess not, but I think it will make life a bit more difficult for developers of network protocols.

    Anyway, of all the viruses I've seen on Windows, I have never seen one that uses raw sockets. And *nix has had raw sockets from day 1, I believe, and AFAIK this hasn't been abused much.

    I mean more so on applications that have outbound and inbound handling for raw sockets. (Please, if I'm misunderstanding how they work, correct me.) By allowing raw handling outbound, it does allow for more refined packet reading (AFAIK), but this also would mean inbound forged packets could exploit that RAW check within the program.
    You're confusing application security with OS security. If that program has a flaw in its handling of raw sockets, it's the program's fault, not the OS's. If you install an insecure program on the most secure OS (pick one you like) in the world, it would make that machine vulnerable no matter how secure that OS is.
    Oliver's Law:
    Experience is something you don't get until just after you need it.

  10. #10
    Senior Member
    Join Date
    Apr 2004
    Posts
    1,130
    Raw sockets support must be removed (and was) just because of this: any application, in user mode, can write raw packets. It is UNACCEPTABLE. It's totally against any network project.
    After that removal, you can still write an application to write raw packets, but:
    a) you must be in kernel mode with direct access to hardware
    b) you install a library that does so

    On *nix, you can't write raw packets at will. You need to have privileges to do that.
    The problem on Windows is MS removed that privilege requirement when it made "raw packet" support available. Now MS has fixed it. Thank God.

    I'm surprised that some people here NEVER give a greenie to MS, even when MS recognises its problems and fixes them.
    My site

    FORMAT C: Yes ...Yes??? ...Nooooo!!! ^C ^C ^C ^C ^C
    If I die before I sleep, I pray the Lord my soul to encrypt.
    If I die before I wake, I pray the Lord my soul to brake.
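The privilege gate this post describes (raw packet writes on *nix require privilege, while ordinary sockets do not), shown as an added example that is not part of the thread or any poster's code: a small Linux/POSIX C program that tries to open a raw IPv4 socket and an ordinary UDP socket, closes each immediately without sending anything, and reports whether the kernel enforced a privilege check. It assumes Linux semantics, where an unprivileged process lacking CAP_NET_RAW gets EPERM; the enum and function names are my own. A hardening check can run it as a service account and expect "denied".

```c
/* Added example, not from the thread: probe whether this process may open a
 * raw IPv4 socket. Assumes Linux/POSIX; on Linux the kernel returns EPERM
 * to a process without root or CAP_NET_RAW. Nothing is ever sent. */
#include <errno.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

enum sock_probe { PROBE_PERMITTED = 0, PROBE_DENIED_PRIV = 1, PROBE_OTHER_ERROR = 2 };

/* Create the socket and close it at once. Stores errno (0 on success) in *err. */
static enum sock_probe probe_socket(int type, int protocol, int *err)
{
    int fd = socket(AF_INET, type, protocol);
    if (fd >= 0) {
        close(fd);
        if (err) *err = 0;
        return PROBE_PERMITTED;
    }
    if (err) *err = errno;
    /* EPERM/EACCES is the privilege gate; anything else (e.g. a seccomp
     * filter or an unsupported family) is reported separately. */
    return (errno == EPERM || errno == EACCES) ? PROBE_DENIED_PRIV : PROBE_OTHER_ERROR;
}

/* Raw socket: the caller supplies the IP header, so the kernel demands privilege. */
enum sock_probe probe_raw_socket(int *err)
{
    return probe_socket(SOCK_RAW, IPPROTO_RAW, err);
}

/* Ordinary UDP socket: the kernel builds the headers, so any user may open it. */
enum sock_probe probe_udp_socket(int *err)
{
    return probe_socket(SOCK_DGRAM, IPPROTO_UDP, err);
}

/* Human-readable summary for a hardening checklist. */
const char *describe_probe(enum sock_probe r)
{
    switch (r) {
    case PROBE_PERMITTED:   return "permitted";
    case PROBE_DENIED_PRIV: return "denied (insufficient privilege)";
    default:                return "failed for another reason";
    }
}

int main(void)
{
    int err = 0;
    enum sock_probe raw = probe_raw_socket(&err);
    printf("raw IPv4 socket: %s%s%s\n", describe_probe(raw),
           err ? " - " : "", err ? strerror(err) : "");
    enum sock_probe udp = probe_udp_socket(&err);
    printf("UDP socket:      %s\n", describe_probe(udp));
    /* Exit 0 means "raw sockets are gated for this user", the state an
     * unprivileged service account should be in. */
    return raw == PROBE_DENIED_PRIV ? 0 : 1;
}
```

Run it once as an ordinary user and once as root (or with CAP_NET_RAW granted) to see the two outcomes the post contrasts; the UDP probe succeeds in both cases, which is exactly the distinction between "any user-mode application can write raw packets" and "you need privileges to do that".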
