[unisog] Correction: XP SP2 ports open to local subnet

Gary Flynn flynngn at jmu.edu
Thu Jun 10 10:18:28 GMT 2004

David Wagner wrote:

>How does it tell whether the connection is from the same subnet?
>Presumably by source IP address?  But the source IP address is easily
>spoofable for udp ports.  This is making me wonder whether there may
>be a risk of a remote exploit against 137/udp or 138/udp using forged
>source IP addresses, despite the firewall and the attempt to restrict
>access to the local subnet.  Does this sound right?  Can anyone shed
>any more light on this?

Possible if:

1) There is a vulnerability (defect, susceptibility to traffic flood,
   information disclosure, misconfiguration, etc.) in the service
   listening on those ports and
2) Anti-spoofing filters in the network don't prevent packets from
   outside the subnet with a source address of the subnet from
   entering the network.
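
Condition 2 above, as an added example that is not part of the original post: a Python check that flags traffic records arriving on an outside-facing interface whose source address claims to be inside the protected subnet, with 137/udp and 138/udp called out separately. The subnet 192.0.2.0/24, the interface labels "inside"/"outside" and the record format are assumptions made for the illustration, and the sample records are constructed.

```python
import ipaddress

# Assumption: protected subnet and interface labels are illustrative only.
LOCAL_SUBNET = ipaddress.ip_network("192.0.2.0/24")
NETBIOS_UDP_PORTS = {137, 138}

# Constructed records: "<interface> <src_ip> <dst_ip> <proto> <dst_port>"
SAMPLE_RECORDS = """\
inside 192.0.2.15 192.0.2.255 udp 137
outside 198.51.100.7 192.0.2.20 udp 137
outside 192.0.2.44 192.0.2.20 udp 138
outside 192.0.2.9 192.0.2.20 tcp 80
outside 203.0.113.5 192.0.2.20 udp 53
malformed line here
"""

def parse_record(line):
    """Parse one record; return None for anything that is not well-formed."""
    parts = line.split()
    if len(parts) != 5:
        return None
    iface, src, dst, proto, port = parts
    try:
        return {"iface": iface, "src": ipaddress.ip_address(src),
                "dst": ipaddress.ip_address(dst),
                "proto": proto.lower(), "dport": int(port)}
    except ValueError:
        return None

def classify(rec, subnet=LOCAL_SUBNET):
    """A packet seen on the outside interface cannot legitimately carry a
    source address from the protected subnet; an anti-spoofing filter
    should have dropped it before it reached a host."""
    if rec["iface"] == "outside" and rec["src"] in subnet:
        if rec["proto"] == "udp" and rec["dport"] in NETBIOS_UDP_PORTS:
            return "spoofed-local-netbios"
        return "spoofed-local"
    return "ok"

def audit(text):
    """Return (verdict, source, dst_port) for every record that is not 'ok'."""
    findings = []
    for line in text.splitlines():
        rec = parse_record(line)
        if rec is None:
            continue
        verdict = classify(rec)
        if verdict != "ok":
            findings.append((verdict, str(rec["src"]), rec["dport"]))
    return findings
```

Any finding means the border filtering let through a packet that a host-level "local subnet only" rule would treat as local.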

