MS11-083
Thread: MS11-083

  1. #1
    westin (Gonzo District BOFH)
    Join Date
    Jan 2006
    Location
    SW MO
    Posts
    1,188

    MS11-083

    http://technet.microsoft.com/en-us/s...letin/ms11-083

    Anyone read much about this one? Sounds pretty interesting. From the bulletin:

    This security update resolves a privately reported vulnerability in Microsoft Windows. The vulnerability could allow remote code execution if an attacker sends a continuous flow of specially crafted UDP packets to a closed port on a target system.
    More info here:

    http://blogs.technet.com/b/srd/archi...-ms11-083.aspx


    I would love to see a POC.

    Sorry I haven't been around much lately. AO doesn't seem to have much activity, and I certainly am not helping by all but deserting the site. I will try to post more security news as I come across it.
    "Those of us that had been up all night were in no mood for coffee and donuts, we wanted strong drink."

    -HST

  2. #2
    Just Another Geek
    Join Date
    Jul 2002
    Location
    Rotterdam, Netherlands
    Posts
    3,403
    I've been trying to figure out if a machine is vulnerable if the built-in firewall is turned on. There's no mention of it, only that you should block those packets at the perimeter. Obviously those packets won't come anywhere near your machine if you do that.

    I'm guessing turning on the firewall will prevent exploitation, based on the simple fact that a closed UDP port will return an ICMP port unreachable, and I have a feeling the integer that's being overflowed has something to do with keeping track of the response. If you turn on the Windows firewall there won't be a response at all.

    The advisory is very unclear about this.
    Oliver's Law:
    Experience is something you don't get until just after you need it.
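
The check that post #2 reasons about (does a closed UDP port on the target still answer with ICMP port unreachable, or does a firewall swallow the datagrams?), and the "crafted packets reaching the port" precondition post #3 mentions, as an added example that is not part of the original thread or of Microsoft's bulletin. It is a small Python probe that sends a few UDP datagrams to a port and classifies the host's reaction by what the OS reports on a connected UDP socket. It tests only the exposure condition the bulletin describes; it is not an exploit, and the payload is an arbitrary byte, not the crafted packets from the advisory. The loopback host, the echo listener and the ephemeral ports are constructed for the demo.

```python
import socket
import threading

# Added example, not code from the thread or the bulletin. Assumes the
# target answers a closed, unfirewalled UDP port with ICMP Port Unreachable
# (type 3, code 3) and that a host firewall silently drops the datagrams.


def probe_udp_port(host, port, payload=b"\x00", timeout=1.0, probes=3):
    """Return "closed", "open" or "open|filtered" for host:port.

    On a connected UDP socket the kernel surfaces an incoming ICMP Port
    Unreachable as ECONNREFUSED (Linux/macOS) or WSAECONNRESET (Windows)
    on the next send/recv, so a closed port is detectable without raw
    sockets or privileges. Silence after every probe means a firewall
    dropped the datagrams, or a listener simply chose not to answer.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.connect((host, port))
        for _ in range(probes):
            try:
                s.send(payload)
                s.recv(65535)            # any datagram back means a service answered
                return "open"
            except (ConnectionRefusedError, ConnectionResetError):
                return "closed"          # ICMP Port Unreachable came back
            except socket.timeout:
                continue                 # nothing yet; resend and keep waiting
    return "open|filtered"


def start_echo_listener(host="127.0.0.1"):
    """Bind a UDP echo service on an ephemeral port; return (port, stop_fn).

    Constructed for the demo: it stands in for a live UDP service so the
    "open" classification can be exercised locally.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    srv.bind((host, 0))
    srv.settimeout(0.2)
    port = srv.getsockname()[1]
    stop_flag = threading.Event()

    def serve():
        while not stop_flag.is_set():
            try:
                data, peer = srv.recvfrom(65535)
            except socket.timeout:
                continue
            srv.sendto(data, peer)
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port, stop_flag.set


def closed_udp_port(host="127.0.0.1"):
    """Grab an ephemeral UDP port and release it again, leaving it closed."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.bind((host, 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    port, stop = start_echo_listener()
    print(f"udp/{port} with an echo listener: {probe_udp_port('127.0.0.1', port)}")
    stop()
    port = closed_udp_port()
    print(f"udp/{port} with nothing bound:   {probe_udp_port('127.0.0.1', port)}")
```

Run it against a remote host on a port you know is closed: "closed" means unsolicited UDP reaches the stack and the host answers, which is the exposure the bulletin's workaround (blocking the packets) is meant to remove; "open|filtered" is what a host firewall that drops unsolicited inbound UDP produces. The probe cannot tell whether the patch is installed, only whether the traffic gets through.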

  3. #3
    gore (AO BOFH: Luser Abuser, Moderator)
    Join Date
    Oct 2002
    Location
    Michigan
    Posts
    7,177
    I'd bet that the firewall would stop this one, mainly because it says the packets need to be a specific kind. Crafted packets are easy to do with Hping, IPSorcery, and I think Hydra does that too, and I'm pretty sure NC, but if they don't hit the port because it's blocked, I think it would stop it from happening.

    Heh, kinda funny though; All those kids who want to "Hax0r a 'puter" wondering how the heck they're gonna manage to compile an exploit, and allllllll this time, they just needed some packets and a way to activate a command of some sorts on the host.

    I really need to dig out my Hydra source file.
    Kill the lights, let the candles burn behind the pumpkins' mischievous grins, and let the skeletons dance. For one thing is certain, The Misfits have returned and once again every day is Halloween. The Misfits
    FreeBSD
    Cannibal Holocaust
    SuSE Linux
    Slackware Linux
