[unisog] Correction: XP SP2 ports open to local subnet

David Wagner daw at taverner.cs.berkeley.edu
Thu Jun 10 03:43:18 GMT 2004

Phil Rodrigues wrote:
>But since an exception for "File and Print Sharing" was enabled by 
>default, nmap showed that ports 137/udp, 138/udp, 139/tcp, and 445/tcp 
>were all open, even when the Firewall was turned on.
>Brian Eckman of the University of Minnesota brought to my attention the 
>fact that the XP SP2 exception only applies to the LOCAL SUBNET.

How does it tell whether the connection is from the same subnet?
Presumably by source IP address?  But the source IP address is easily
spoofable for udp ports.  This is making me wonder whether there may
be a risk of a remote exploit against 137/udp or 138/udp using forged
source IP addresses, despite the firewall and the attempt to restrict
access to the local subnet.  Does this sound right?  Can anyone shed
any more light on this?
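
The following is an added example, not part of the original post or of any Microsoft code. It assumes, as the post presumes, that the "local subnet" scope is decided from the packet's source address alone, and shows the complementary border check that drops packets claiming an inside source on the outside interface. The subnet, interface names and packet records are constructed for illustration.

```python
import ipaddress

# Assumed values for illustration; none of these come from the original post.
LOCAL_NET = ipaddress.ip_network("192.0.2.0/24")
# Ports named in the quoted message as open under the default exception.
SCOPED_PORTS = {("udp", 137), ("udp", 138), ("tcp", 139), ("tcp", 445)}


def host_scope_allows(pkt):
    """Model a 'local subnet only' exception that inspects only the source address.

    The host has no other evidence of where the packet really came from.
    """
    return ((pkt["proto"], pkt["dport"]) in SCOPED_PORTS
            and ipaddress.ip_address(pkt["src"]) in LOCAL_NET)


def border_ingress_verdict(pkt):
    """Anti-spoofing rule at the border router or firewall.

    A packet carrying an inside source address must never arrive on the
    outside interface, so the arrival interface settles what the source
    address alone cannot.
    """
    if pkt["iface"] == "outside" and ipaddress.ip_address(pkt["src"]) in LOCAL_NET:
        return "drop-spoofed"
    return "forward"


def audit(packets):
    """Return packets the host scope check would admit but the border must drop."""
    return [p for p in packets
            if host_scope_allows(p) and border_ingress_verdict(p) == "drop-spoofed"]


# Constructed sample records (not captured traffic).
SAMPLE = [
    {"src": "192.0.2.17", "proto": "udp", "dport": 137, "iface": "inside"},
    {"src": "192.0.2.44", "proto": "udp", "dport": 138, "iface": "outside"},
    {"src": "198.51.100.9", "proto": "udp", "dport": 137, "iface": "outside"},
    {"src": "192.0.2.44", "proto": "tcp", "dport": 445, "iface": "outside"},
]

if __name__ == "__main__":
    for p in audit(SAMPLE):
        print("would pass host scope check, drop at border:", p)
```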
