[unisog] MS alg.exe listening on tcp

Valdis.Kletnieks at vt.edu
Mon Apr 10 03:54:35 GMT 2006


On Mon, 10 Apr 2006 09:45:08 +1000, Bradley Ellis said:
>
> E.g.: the NTP port in use by the Windows time service - would be
> accessible from the local machine - but not the network.

>   Proto  Local Address          Foreign Address        State           PID
>   UDP    127.0.0.1:123          *:*                                    1212

This requires some additional checking.  I've come across more than one
TCP stack that *would* accept a packet from an external interface, if it
showed up with the destination machine's own MAC address and a destination
address of 127.0.0.1 - as a result, it's possible for another machine on the
subnet to craft a packet that would be accepted.  If there are any boxes on
that subnet that will accept and forward a source-routed packet, the attack
is even possible from off-subnet.

(Hint - how many times have we seen 'land' attacks?)

It's not that big a deal for port 123 - but it could be interesting for
other UDP ports bound to 127.0.0.1.  For TCP, about all you can do is
set source and dest both to 127.0.0.1 and set the ports for a LAND attack,
unless you're *really* good at predicting ISN's ;)
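
Added example, not part of the original message: a Python check a sensor or host filter could apply to raw IPv4 packets to flag the patterns discussed above (127/8 addresses seen on a non-loopback interface, source-route options, and the LAND pattern). The function names, finding labels and the `lo` interface name are assumptions made for illustration, and the sample packets are constructed.

```python
import ipaddress
import struct

LOOPBACK_NET = ipaddress.ip_network("127.0.0.0/8")
SOURCE_ROUTE = {131: "LSRR", 137: "SSRR"}  # IPv4 option types, RFC 791


def inspect_packet(iface, pkt, loopback_ifaces=("lo",)):
    """Return findings for one raw IPv4 packet captured on `iface`."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return ["not-ipv4"]
    ihl = (pkt[0] & 0x0F) * 4
    if ihl < 20 or len(pkt) < ihl:
        return ["bad-header-length"]
    src = ipaddress.ip_address(pkt[12:16])
    dst = ipaddress.ip_address(pkt[16:20])
    findings = []
    # 127/8 must never appear on the wire, in either address field.
    if iface not in loopback_ifaces:
        if dst in LOOPBACK_NET:
            findings.append("loopback-dst-on-external")
        if src in LOOPBACK_NET:
            findings.append("loopback-src-on-external")
    # Walk the IP options looking for loose/strict source routing.
    i = 20
    while i < ihl and pkt[i] != 0:          # 0 = end of option list
        if pkt[i] == 1:                     # 1 = no-op padding
            i += 1
            continue
        if i + 1 >= ihl or pkt[i + 1] < 2:  # truncated or zero-length option
            findings.append("bad-option")
            break
        if pkt[i] in SOURCE_ROUTE:
            findings.append("source-route-" + SOURCE_ROUTE[pkt[i]])
        i += pkt[i + 1]
    # LAND pattern: TCP/UDP with identical address and port on both ends.
    if pkt[9] in (6, 17) and len(pkt) >= ihl + 4:
        sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
        if src == dst and sport == dport:
            findings.append("land")
    return findings


def constructed_sample(src, dst, proto, sport, dport, options=b""):
    """Constructed test input: IPv4 header (checksum left 0) plus ports."""
    first = 0x40 | (5 + len(options) // 4)
    hdr = struct.pack("!BBHHHBBH4s4s", first, 0, 0, 0, 0, 64, proto, 0,
                      ipaddress.ip_address(src).packed,
                      ipaddress.ip_address(dst).packed)
    return hdr + options + struct.pack("!HH", sport, dport)
```

Any non-empty result for a packet captured on a physical interface is worth dropping and logging at the border or host firewall.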