November 9th, 2011, 02:10 AM
Anyone read much about this one? Sounds pretty interesting. From the bulletin:
This security update resolves a privately reported vulnerability in Microsoft Windows. The vulnerability could allow remote code execution if an attacker sends a continuous flow of specially crafted UDP packets to a closed port on a target system.
More info here:
I would love to see a POC.
Sorry I haven't been around much lately. AO doesn't seem to have much activity, and I certainly am not helping by all but deserting the site. I will try to post more security news as I come across it.
"Those of us that had been up all night were in no mood for coffee and donuts, we wanted strong drink."
November 10th, 2011, 07:47 AM
I've been trying to figure out if a machine is vulnerable if the built-in firewall is turned on. There's no mention of it, only that you should block those packets at the perimeter. Obviously those packets won't come anywhere near your machine if you do that.
I'm guessing turning on the firewall will prevent exploitation, based on the simple fact that a closed UDP port will return an ICMP port unreachable, and I have a feeling the integer that's being overflowed has something to do with keeping track of the response. If you turn on the Windows firewall there won't be a response at all.
The advisory is very unclear about this.
Experience is something you don't get until just after you need it.
November 12th, 2011, 01:06 PM
I'd bet that the firewall would stop this one, mainly because it says the packets need to be a specific kind. Crafted packets are easy to do with Hping, IPSorcery, and I think Hydra does that too, and I'm pretty sure NC, but if they don't hit the port because it's blocked, I think it would stop it from happening.
Heh, kinda funny though; all those kids who want to "Hax0r a 'puter" wondering how the heck they're gonna manage to compile an exploit, and allllllll this time, they just needed some packets and a way to activate a command of some sort on the host.
I really need to dig out my Hydra source file.
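
The replies above reason that a closed UDP port answers with ICMP port unreachable while a firewalled one stays silent. The following Python is an added example, not part of the original thread, that shows how to tell the two apart on a host you administer; the function names and the loopback test ports are assumptions made for illustration.

```python
import socket


def udp_port_state(host, port, timeout=1.0, payload=b"\x00"):
    """Send one UDP datagram and report how the target answered.

    'closed'        -> ICMP port unreachable came back (no listener, no filter)
    'open'          -> a UDP reply came back
    'open|filtered' -> silence: a quiet listener, or a firewall dropping it
    """
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        # connect() on UDP sends nothing; it makes the OS hand ICMP errors
        # for this destination back to this socket.
        s.connect((host, port))
        try:
            s.send(payload)
            s.recv(1024)
            return "open"
        except (ConnectionRefusedError, ConnectionResetError):
            # Linux reports ECONNREFUSED, Windows reports WSAECONNRESET.
            return "closed"
        except socket.timeout:
            return "open|filtered"


def _unused_local_port():
    """Constructed test target: a loopback port with nothing bound to it."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def demo():
    """Probe two loopback ports: one unbound, one bound but never replying."""
    closed_port = _unused_local_port()
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as listener:
        listener.bind(("127.0.0.1", 0))
        silent_port = listener.getsockname()[1]
        return (udp_port_state("127.0.0.1", closed_port, timeout=0.5),
                udp_port_state("127.0.0.1", silent_port, timeout=0.5))


if __name__ == "__main__":
    print(demo())
```

From the outside, a silent listener and a firewall drop look the same, which is why the second result is reported as `open|filtered`. On remote hosts, ICMP rate limiting can also turn a closed port into silence.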