From: Kevin Sheldrake (kev@electriccat.co.uk)
Date: Sat Aug 21 2004 - 05:23:23 EDT
I think there is a flaw in your argument.
*nix has had raw sockets for ever but hasn't had the same problem. Is
this because people don't code worms for linux (this must be at least
partially true) or is it because only privileged users can write to raw
sockets? Perhaps if the XP installation forced the creation of at least
one user account and spat out a large alert when someone logged on as
Administrator then the problem would be lessened? Of course, this would
also require MS to prevent normal users from writing to raw sockets.
For instance, my girlfriend uses Win2K on a laptop with a wifi card. In
order for her to start and stop the built-in IPSec client (required when
she switches between wired and wireless), she needs to be a power user of
some description. Fine, I'm the administrator so I gave her the
capabilities. Now she can let malware act as a power user when it runs -
brilliant. On linux, for example, I simply su to start and stop the IPSec
and run the rest of my session as a normal user. It's the simple concept
of least privilege...
Kev
> Does anybody else find it funny that when Microsoft produced OSes that
> didn't allow sending over raw sockets programmers screamed bloody murder
> about the restrictive nature of it (you can code that way in *nix, why
> not in Windows)? So MS decided to allow it. If I recall correctly,
> some of the InfoSec pundits at the time claimed this was a very
> frightening idea because the truly nasty address-spoofing code at the
> time only functioned in the *nix world due the Microsoft's 'oppressive'
> limitation on the TCP/IP stack. Well Microsoft gave the programmers
> what they wanted and for the last 2 or 3 years we've been dealing with
> the fallout of the world of 'point-and-click worms' that your
> above-average 15 year old on Jolt Cola in his mom's basement can compile
> and unleash on the world. Now IT departments the world over have been
> screaming bloody murder about this wildly insecure operating system and
> Microsoft, pressured by their corporate clients who are their bread and
> butter, said they'd work tirelessly to fix this and demonstrate their
> commitment to security.
>
> So now, Microsoft is back to saying, "No raw sockets" (amongst other
> things). I'm not saying that this is the only security hole in Windows.
> But I am saying that, in a way, we kind of asked for this... :) It's
> kind of a gun control thing. The raw sockets are not the problem, the
> exploits and the bad code are, but the raw sockets allow spoofing within
> Windows making the exploit that much easier to propagate with a lesser
> programming skill set (i.e. guns don't kill people, people kill people,
> but the gun makes it easier to do it than using a toaster). Microsoft
> has explicitly made the point that, in their research, raw sockets are
> being used for nefarious purposes more often than for noble ones. Right
> or wrong, it looks like we're going to have to write around it.
>
> Anybody want to venture a guess as to how many more times this pendulum
> is going to swing? :)
>
> Oh, and for the record, I haven't been forced onto SP2 yet. Hopefully,
> by the time that happens, someone will have quantified all the
> permutations and combinations of XP Service Packs, WinPCap distros and
> Ethereal distros that do and don't work together.
>
> Scott
>
> This opinion is my own and does not, necessarily, reflect the opinions
> of my employer.
>
> -----Original Message-----
> From: Gary everekyan [mailto:karo@onnik.com]
> Sent: Tuesday, August 17, 2004 12:42 PM
> To: 'Roman Fomichev'; 'Anjin'; pen-test@securityfocus.com
> Subject: RE: XPSP2 compatability
>
>
> Here is a little more detail.
> I have been successfully running ethereal version 0913a and winpcap 3.0
> under XPSP2.
> I have also upgraded and was successful in running ethereal version
> 0106
> and winpcap 3.1beta3 on XPSP2.
> HTH
>
>
> Regards,
> Gary Everekyan CISSP, CISM, MCSE, MCT
> Information Security and Audit
> "High achievement always takes place in the framework of high
> expectation" -
> Jack Kinder
>
>
> -----Original Message-----
> From: Roman Fomichev [mailto:from@e-solutions.lv]
> Sent: Tuesday, August 17, 2004 4:52 AM
> To: Anjin; pen-test@securityfocus.com
> Subject: Re: XPSP2 compatability
>
> I have been using ethereal for years. I have been using XPSP2 since rc1.
>
> No problems.
>
> On Mon, 16 Aug 2004 22:50:32 +0930, Anjin <wildcard@internode.on.net>
> wrote:
>
>> Following up on the item from James, it also seems that XPSP2 is
>> incompatible with WinPCAP. Both Snort and Ethereal fail with an
>> identical error when XPSP2 is installed. Removing the patch solves
>> the problem.
>>
>
>
>
>
>
>
> This message (including any attachments) contains confidential
> information intended for a specific individual and purpose, and is
> protected by law. If you are not the intended recipient, you should
> delete this message. Any disclosure, copying, or distribution of this
> message, or the taking of any action based on it, is strictly prohibited.
>
> ------------------------------------------------------------------------------
> Ethical Hacking at the InfoSec Institute. All of our class sizes are
> guaranteed to be 12 students or less to facilitate one-on-one interaction
> with one of our expert instructors. Check out our Advanced Hacking
> course,
> learn to write exploits and attack security infrastructure. Attend a
> course
> taught by an expert instructor with years of in-the-field pen testing
> experience in our state of the art hacking lab. Master the skills of an
> Ethical Hacker to better assess the security of your organization.
>
> http://www.securityfocus.com/sponsor/InfoSecInstitute_pen-test_040817
> -------------------------------------------------------------------------------
>
>
>
>
> --
> Incoming mail is certified Virus Free.
> Checked by AVG Anti-Virus (http://www.grisoft.com).
> Version: 7.0.262 / Virus Database: 264.6.4 - Release Date: 19/08/2004
>
-- Kevin Sheldrake MEng MIEE CEng CISSP Electric Cat (Bournemouth) Ltd -- Outgoing mail is certified Virus Free. Checked by AVG Anti-Virus (http://www.grisoft.com). Version: 7.0.262 / Virus Database: 264.6.4 - Release Date: 19/08/2004 ------------------------------------------------------------------------------ Ethical Hacking at the InfoSec Institute. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors. Check out our Advanced Hacking course, learn to write exploits and attack security infrastructure. Attend a course taught by an expert instructor with years of in-the-field pen testing experience in our state of the art hacking lab. Master the skills of an Ethical Hacker to better assess the security of your organization. http://www.securityfocus.com/sponsor/InfoSecInstitute_pen-test_040817 -------------------------------------------------------------------------------
This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:54:00 EDT