Microsoft Security flaws and fixes


peakaboo
May 23rd, 2003, 11:55 PM
Flaw:

ICMP Router Discovery Protocol (IRDP) comes enabled by default on DHCP clients that are running Microsoft Windows95 (w/winsock2), Windows95b, Windows98, Windows98se, and Windows2000 machines.

ZDNET article here (http://zdnet.com.com/2100-11-515408.html?legacy=zdnn) Headline excerpt: Hackers may be snooping on you

Article Excerpt: Companies and users of broadband modems beware: Malicious hackers may be "listening" in on your computer's conversation across the Internet.

Full Detail Advisory: IRDP Default Route Assignment (http://www.atstake.com/research/advisories/1999/rdp.txt)

Excerpt: By spoofing IRDP Router Advertisements, an attacker can remotely add default route entries on a remote system.

Fix for above flaw (FYI I have not tried it yet):

DHCP fix provided by Analogx (http://www.analogx.com/contents/download/system/dhcpfix.htm)

Also see the Full Detail Advisory; there are 2 suggested fixes there (or view the next post). The registry key fix is probably what is being done by the Analogx fix.

I ran across the DHCP fix at Analogx and followed the links to the Advisory to get more info.

Conclusion: If you own one of the above-mentioned OSes and are using a broadband modem, you may want to look further into this flaw.

peakaboo
May 24th, 2003, 11:00 AM
-{ Quote: peakaboo

ZDNET article here (http://zdnet.com.com/2100-11-515408.html?legacy=zdnn) Headline excerpt: Hackers may be snooping on you

Article Excerpt: Companies and users of broadband modems beware: Malicious hackers may be "listening" in on your computer's conversation across the Internet.

Full Detail Advisory: IRDP Default Route Assignment (http://www.atstake.com/research/advisories/1999/rdp.txt)

Fix for above flaw (FYI I have not tried it yet):

DHCP fix provided by Analogx (http://www.analogx.com/contents/download/system/dhcpfix.htm)

Also see the Advisory; there are 2 suggested fixes there. The registry key fix is probably what is being done by the Analogx fix.

I ran across the DHCP fix at Analogx and followed the links to the Advisory to get more info.

Conclusion: If you own one of the above-mentioned OSes and are using a broadband modem, you may want to look further into this flaw.

}-

I find it hilarious that the above ZDnet article, where they warn of snooping, has an iframe doubleclick ad/tracking link (located to the right of "A slight detour for Data"). :o

Also wanted to include the 08.11.99 atstake summary advisory (http://www.atstake.com/research/advisories/1999/index.html) which will lead you to the detail advisory in the above post, but also provides a Demonstration of sample code.

Finally wanted to add the fixes from the full details advisory noted in the 1st post:

Fixes / Work-arounds
------------------------

Firewall / Routers:
   Block all ICMP Type 9 & Type 10 packets. This should protect
   against remote Denial of Service attacks.

Windows95/98:

   The Microsoft Knowledge Base contains an article that gives info
   on how to disable IRDP. It can be found at:

   http://support.microsoft.com/support/kb/articles/q216/1/41.asp

   Brief Summary of article:

   IRDP can be disabled manually by adding "PerformRouterDiscovery"
   value name and setting it to a dword value of 0, under the
   following registry key(s):

   HKLM\System\CurrentControlSet\Services\Class\NetTrans\####

   Where #### is the binding for TCP/IP. More than one TCP/IP
   binding may exist.

Solaris:

   Configure your host to obtain a default gateway through DHCP,
   static routes, or via the /etc/defaultrouter file. For more
   information on IRDP refer to in.rdisc's man-page.
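
A defender-side check for the traffic the advisory says to block, as an added example that is not part of the original posts or the advisory: it parses raw IPv4 packets for ICMP Type 9 (Router Advertisement) and Type 10 (Router Solicitation) using the RFC 1256 layout and reports advertisements that do not come from a known gateway. The function names, the known-router list and the sample packets (192.0.2.0/24 documentation addresses) are assumptions constructed for illustration.

```python
import struct
from ipaddress import IPv4Address

ROUTER_ADVERT, ROUTER_SOLICIT = 9, 10  # ICMP types defined by RFC 1256

def parse_irdp(packet: bytes):
    """Return a dict for an IRDP message in a raw IPv4 packet, else None."""
    if len(packet) < 28 or packet[0] >> 4 != 4 or packet[9] != 1:  # 1 = ICMP
        return None
    ihl = (packet[0] & 0x0F) * 4
    icmp = packet[ihl:]
    if ihl < 20 or len(icmp) < 8 or icmp[0] not in (ROUTER_ADVERT, ROUTER_SOLICIT):
        return None
    msg = {"type": icmp[0], "src": str(IPv4Address(packet[12:16])),
           "lifetime": None, "routers": []}
    if icmp[0] == ROUTER_ADVERT:
        # Header: number of entries, 32-bit words per entry, lifetime in seconds.
        count, words, msg["lifetime"] = struct.unpack("!BBH", icmp[4:8])
        for i in range(count if words >= 2 else 0):
            off = 8 + i * words * 4
            if off + 8 > len(icmp):
                break  # truncated entry: stop instead of reading past the end
            addr, pref = struct.unpack("!4si", icmp[off:off + 8])
            msg["routers"].append((str(IPv4Address(addr)), pref))
    return msg

def unexpected_adverts(packets, known_routers):
    """Advertisements whose sender or advertised gateway is not a known router."""
    adverts = [m for m in map(parse_irdp, packets) if m and m["type"] == ROUTER_ADVERT]
    return [m for m in adverts
            if {m["src"], *(a for a, _ in m["routers"])} - set(known_routers)]

def sample(src, icmp):
    """Constructed IPv4 packet for the demo (checksum fields left as zero)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 64, 1, 0,
                       IPv4Address(src).packed, IPv4Address("192.0.2.10").packed) + icmp

def advert(router, pref=0):
    """Constructed Router Advertisement: one (address, preference) entry."""
    return struct.pack("!BBHBBH4si", 9, 0, 0, 1, 2, 1800, IPv4Address(router).packed, pref)

SAMPLES = [  # constructed traffic using documentation addresses; known router is 192.0.2.1
    sample("192.0.2.1", advert("192.0.2.1")),
    sample("192.0.2.66", advert("192.0.2.66", pref=1000)),
    sample("192.0.2.10", struct.pack("!BBHI", ROUTER_SOLICIT, 0, 0, 0)),
    sample("192.0.2.10", struct.pack("!BBHI", 8, 0, 0, 0)),  # echo request, not IRDP
]
```

Calling `unexpected_adverts(SAMPLES, {"192.0.2.1"})` returns only the advertisement sent from 192.0.2.66; the solicitation and the echo request are not reported.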