XP SP2 Doesnt Supports RAW Sockets

Its really surprising to hear that win XP doesnt support raw sockets
!!!! Here is one mail I got.

===============================================
Fyodor mail:
"When an Nmap user asked MS why security tools such as Nmap
broke, MS responded [1]:

We have removed support for TCP sends over RAW sockets in
SP2. We surveyed applications and found the only apps using
this on XP were people writing attack tools."
===============================================

Well i dont understand how is that going to help microsoft ??? The attackers will run their tools from Linux !!!

One case where i see its usefulness is in the case of virus writers who used raw socket programming to perform DoS. But still that wont affect much. coz vxwrites can use process injection to inject IE and attack.

Seems this step of microsoft will still stop ppl from installing the sp2.

Moreover though the %age of developer using RAW sockets is very less but still there are many........apart from NMAP many other security audit tools will find their way out of Win XP??

aaah!!!!!!!!!! Only GOD or BILL Gates knows what M$ is upto??

peace

Quote:

---

Its really surprising to hear that win XP doesnt support raw sockets

---

Not really. RAW socket handling is incredibly insecure. People demanded Windows become more secure and thus they took a step forward to secure the TCP/IP && UDP protocols to and from XP SP2 machines

Quote:

---

Well i dont understand how is that going to help microsoft ??? The attackers will run their tools from Linux !!!

---

No they won't. Most virus writers and script kiddies are in windows because they know that OS better. They have to program for and test within an Windows OS enviroment. Microsoft isn't worried about Linux exploits, they are worried about Microsoft specific exploits. The removal of raw sockets will mean viri writer's ability to test locally on machines(even remotely) is now greatly limited even if they do switch to Linux. A virus written in a nix OS using raw sockets STILL won't work on an SP2 that denies raw sockets.

Quote:

---

One case where i see its usefulness is in the case of virus writers who used raw socket programming to perform DoS. But still that wont affect much. coz vxwrites can use process injection to inject IE and attack.

---

This is assuming they first run an exploit to penetrate the firewall (ICF version 2 in SP2 helps prevent that), and then exploit the machine to gain process administrative privileges (kernel/process memory protection offered by SP2), and then inject an attack via IE (Which is being fixed as we speak, and MS already stated that they want people to use browsers other than IE)

Quote:

---

Seems this step of microsoft will still stop ppl from installing the sp2.

---

Why? The amount of people who are geeks compared to who simply use windows is amazing. Most likley a 1:10 ratio. Those hundreds of thousands of people who just use computers on a minor basis (Rather than 31337ism) won't care about raw socket disability, and thus the mass majority of Windows uers won't be stopped.

Quote:

---

Moreover though the %age of developer using RAW sockets is very less but still there are many........apart from NMAP many other security audit tools will find their way out of Win XP??

---

Oh well? So recode nmap to not use raw sockets. Hell, PLENTY of port scanners won't use RAW sockets on windows merely because it makes the product itself exploitable.

Quote:

---

Originally posted here by pooh sun tzu
Why? The amount of people who are geeks compared to who simply use windows is amazing. Most likley a 1:10 ratio. Those hundreds of thousands of people who just use computers on a minor basis (Rather than 31337ism) won't care about raw socket disability, and thus the mass majority of Windows uers won't be stopped.

---

I'd be willing to bet that a large majority of those people don't even update their Windows. Ever.

This is why, despite MS patches, worms are still spreading like wildfire.

Quote:

---

I'd be willing to bet that a large majority of those people don't even update their Windows. Ever.

---

For those of you who have installed SP2, then you understand how HUGE of an impact it has upon notifying users of the importance of Automagic updates, even on the first reboot with SP2. That problem has been solved. Not completely, but ... well. try SP2 and see what I mean.

I will as soon as they have it up on the update site. I've been checking off and on for the past couple of days.

Quote:

---

Originally posted here by NullDevice
Its really surprising to hear that win XP doesnt support raw sockets

---

Not really when you consider Win9x didn't, and XP Home was the first home use version of Windows to support raw sockets.

Quote:

---

Seems this step of microsoft will still stop ppl from installing the sp2.

Moreover though the %age of developer using RAW sockets is very less but still there are many........apart from NMAP many other security audit tools will find their way out of Win XP??

---

Not really, given that you can just install third party libraries to get the same functionality. Even if MS tries to actively block raw socket use, I'm certain there will be workarounds.

Quote:

---

Originally posted here by pooh sun tzu
Not really. RAW socket handling is incredibly insecure.

---

Please elaborate. Which type of security are you referring to? Application security of applications that utilize raw sockets, host OS security, or some other meaning?

Quote:

---

Oh well? So recode nmap to not use raw sockets. Hell, PLENTY of port scanners won't use RAW sockets on windows merely because it makes the product itself exploitable.

---

It's simpler than that. It just means dropping in a third party library like WinPcap.

Quote:

---

Originally posted here by pooh sun tzu
For those of you who have installed SP2, then you understand how HUGE of an impact it has upon notifying users of the importance of Automagic updates, even on the first reboot with SP2. That problem has been solved. Not completely, but ... well. try SP2 and see what I mean.

---

The problem is, if these people that MJK refers to don't update their software, chances are they won't be benefiting from the new features in SP2, meaning they won't get nagged. :D

Quote:

---

Please elaborate. Which type of security are you referring to? Application security of applications that utilize raw sockets, host OS security, or some other meaning?

---

I mean moreso on applications that have outbound and inbound handling for raw sockets. (please, if I'm misunderstanding how they work, correct me) By allowing raw handling outbound it does allow for more refined packet reading (AFAIK), but this also would mean inbound forgery packets could exploit that RAW check within the program. Of course I've never done an indepth study on raw packets, but from what I understand their ability to see things raw is also a caveeat torwards their own security?

Quote:

---

It's simpler than that. It just means dropping in a third party library like WinPcap.

---

Not sure what you mean. Wasn't winPcap a requirement for raw packet handling anyways?

does this mean mr gibson (of grc.com fame) will be getting his jollies at last.. he has been claiming how bad they are for a couple or three years..

As for good or bad.. Why would a home user NEED open raw sockets? for that matter most business applications.. certainly on the malware side of things.. i am not aware of anything that exploits this in xp.. but then I need to get my head out of a certain orifice and read some more info..

cheers

I always thought the whole point behind the raw sockets was to facilitate the development of new networking protocols. Do users benefit from this? I guess not but it think it will make life a bit more difficult for developers of network protocols.

Anyways, of all the viruses I've seen on windows I have never seen one that uses the raw sockets. And *nix has had raw sockets from day 1 I believe and AFAIK this hasn't been abused much.

Quote:

---

I mean moreso on applications that have outbound and inbound handling for raw sockets. (please, if I'm misunderstanding how they work, correct me) By allowing raw handling outbound it does allow for more refined packet reading (AFAIK), but this also would mean inbound forgery packets could exploit that RAW check within the program.

---

You're confusing application security with OS security. If that program has a flaw in it's handling of raw sockets it's the programs fault not the OS. If you install an insecure program on the most secure OS (pick one you like) in the world it would make that machine vulnerable no matter how secure that OS is.

Raw sockets support must be removed (and was) just because of this: any application, in user mode, can write raw packets. Its is UNACCEPTABLE. Its totally against any network project
After that removal, you can write an application to write raw packets, but:
a) you must be in kernel mode and direct access to hardware
b) you install a library that do so

On *nix, you cant write raw packet at your will. You need to have priviledges to do that.
Problem on Windows is MS removed that priviledge need when turn available "raw packet" support. Now MS fixed it. Thanks God.

Im suprised that some ppl here NEVER give a greenie to MS, even when MS recognise its problems and fix it.

Why not add the appropriate privileges? Shouldn't be that hard to implement. Just make it so only an admin is able to use raw sockets?

The reason I never give MS a greenie is because of the way they "deal" with security. "We don't know how to fix it so we'll rip it all out.". Heck, if they started thinking like that Explorer would be the next thing that gets ripped out ;)

Quote:

---

Just make it so only an admin is able to use raw sockets?

---

Because everyone runs windows in their Guest account :P

Quote:

---

The reason I never give MS a greenie is because of the way they "deal" with security. "We don't know how to fix it so we'll rip it all out.". Heck, if they started thinking like that Explorer would be the next thing that gets ripped out

---

Wait, so MS doesn't have good security, people complain that windows isn't secure. MS attempts to secure things, people complain about how late they secure it. MS secures it and then people complain about how it was secured, even though it ended up being secure.

What in the hell? Make up your minds, do you want security or not? Then let MS do security their way. Microsoft has to learn about the world of security through trial and error, just like Linux has to learn about desktop latency and usability through trial and error. But don't grind either one into the ground just because you don't agree with their learning process. Security is the final result, and the origonal complaint.

Quote:

---

Because everyone runs windows in their Guest account :P

---

I do believe you mean administrators account.

Learning process? They're not really learning as far as I can tell. If they really learned why fall for the same problems *nix has dealt with years ago?

Quote:

---

why fall for the same problems *nix has dealt with years ago?

---

Do people conveniently ignore or choose to forget one fact...how much OLDER the *nix platform is compared to the Windows platform. Correct me if I'm wrong, but *nix has roughly 10 years on Windows. So, duh...of course they've figured some things out already, they had a decade to do so. Don't forget that even with being older, we are still finding problems to this day in *nix. Some of which have been there, some of which were created when new features were added, but they're there.

Anyway, my .02 have now been deposited.

Users cannot(normally) create raw sockets. What does happen is the admin installas winpcap or another 3rd party driver (which runs as a service) once its installed, users an access the service unless the admin changes it.

http://grc.com/dos/sockettome2.htm


-Maestr0

yes, *nix had handle the problem years go. how?

only PRIVILEDGED process can write raw packets.
Try to to that on user mode on *nix.

Yes of course. Why an user mode application needs a raw packet? why not use O.S. services?
i cant see a reason to do that. Its same reason why user mode applications cant access any hardware resource. Its a SECURITY issue

So MS made a mistake in the past (turn raw in user mode on) and not it turn off againt.

Ok, if you install a library (that run in priviledged mode) and gain access to raw packets, its your choice. A regular user CANT install such program in Windows.

"Oh, i was running as Admin and a trojan installed a libcap on My Windows. Windows security is a crap"

Die slowly, man

EDIT

Its not a reply for your Post, Sirdice. You are correct at your post.

/EDIT

So what other apps besides Nmap does this break? Guess I should test Cain and Languard and see if they still work.

Just a summary of some corrections:
- Raw socket use is NOT restricted to any users in XP Home, which was the crux of Gibson's argument against its inclusion. XP Home lacks the business security models of Pro.
- Every current MSDN document on developing with ICMP says the preferred method of accessing ICMP packets is via the raw sockets implementation.
- Raw sockets are not new to Windows. Windows 2000 had them, and I believe Windows NT4 > SP3 had them. Arguments pertaining to the newness of the idea are moot.
- *nix is used to refer to true genetic Unixes (HP-UX, Solaris, etc), BSDs (Also genetic unixes, without the unix name), and Linux. This represents multiple different code bases that have split or been independantly developed over quite a large timeframe. Please do not be this vague. Unix is far older than 10 years.
- Raw sockets can be reimplemented at any time utilizing a third party library like WinPcap (which on XP Home can be run by anyone).
- Perhaps the most dangerous functionality of raw sockets is source IP spoofing. This could have been fixed with egress filtering in XP's firewall. The approach is to rather destroy the mold for the tool makers than shore up the doors so they can't get out.

Quote:

---

I do believe you mean administrators account.

---

No, I didn't. I meant guest account in a sarcastic sense.

Quote:

---

Learning process? They're not really learning as far as I can tell. If they really learned why fall for the same problems *nix has dealt with years ago?

---

So you are telling me that even though thousands of generations of humans who have come before you in life made mistakes and learned from them, you won't ever ever ever make a single mistake they ever made? You will research the life of each and ever person to learn from their mistakes, so you won't -ever- have to repeat it?

Please, when you do so let me know, otherwise you will still repeat the mistakes that people have made in the past, be it forgetting where you placed your keys or having a spelling typo.

Something failing once != it will always fail

Quote:

---

[i] Originally posted
- Perhaps the most dangerous functionality of raw sockets is source IP spoofing. This could have been fixed with egress filtering in XP's firewall. The approach is to rather destroy the mold for the tool makers than shore up the doors so they can't get out. [/B]

---

Does this mean that he actually had a point to his raving?! I remember reading some years ago about wicked attacking his site. I know he used that, the attack, to hype the use of raw sockets that at the time were going to be used in XP. I cannot however, still get over the issue that i feel that he is somewhat of a doomsday prophet?! I do believe that in this time no real dDoS has been done using windows (especially Home version) with raw socket support, in fact if memory serves in NT there was a registry setting for swicthing on limited Raw Socket support....... Or at least exploited to the extent that he had hyped it.

Did they not include it perhaps, because they are using the BSD IP Stack wholesale?! Perhaps someone more knowledgable, Like Pooh, will be able to help?! Raw sockets, perhaps for coders and the like would open up windows and make it more flexible so one could code applications with raw socket support built in?! I believe that once Winsock API became DCOM, they needed i believe to say that they also had they ability to do what some other OSes, Like Oracle could already do .......... If incorrect, please feel free to rectify this misnoma ......

Quote:

---

Originally posted here by S1lv3rW3bSurf3r
Does this mean that he actually had a point to his raving?! I remember reading some years ago about wicked attacking his site. I know he used that, the attack, to hype the use of raw sockets that at the time were going to be used in XP.

---

Not really, his point is invalid simply because raw socket access can be easily provided by third party libraries, which were in fact used by trojans predating the GRC DDoS thing.

Quote:

---

I cannot however, still get over the issue that i feel that he is somewhat of a doomsday prophet?! I do believe that in this time no real dDoS has been done using windows (especially Home version) with raw socket support, in fact if memory serves in NT there was a registry setting for swicthing on limited Raw Socket support....... Or at least exploited to the extent that he had hyped it.

---

Not at all, what he was saying had the POTENTIAL of being a severe problem. The fact is, very few DDoS trojan developers have put it into use.

Quote:

---

Did they not include it perhaps, because they are using the BSD IP Stack wholesale?! Perhaps someone more knowledgable, Like Pooh, will be able to help?! Raw sockets, perhaps for coders and the like would open up windows and make it more flexible so one could code applications with raw socket support built in?! I believe that once Winsock API became DCOM, they needed i believe to say that they also had they ability to do what some other OSes, Like Oracle could already do .......... If incorrect, please feel free to rectify this misnoma ......

---

Oracle is not an operating system, it is a company that develops software (primarily database servers) which runs on many different architectures and operating systems.
There was nothing preventing developers from using raw sockets before. It is not a matter of OS flexibility, it basically involves using a third party library to do the job instead of windows. The actual implementation is much the same in both cases.
Their reasoning for taking it out of XP SP2 was based somehow on improving security.
If I remember correctly, part of their reasoning behind implementing it was indeed to bring Windows' native networking capabilities up to that of Unixes and such, which ALL have raw socket access for privileged users.

Thank you for your response ... it is duly noted .... :D

I appreciate the manner in which enrichment is imparted ......

Quote:

---

- Every current MSDN document on developing with ICMP says the preferred method of accessing ICMP packets is via the raw sockets implementation.

---

Note that only TCP sends via raw sockets are disabled in SP2. Raw sockets can still be used to access ICMP packets since ICMP is built on UDP.

Cheers,
cgkanchi