[12189] in bugtraq


BUG: Win NT TCP/IP Security filters does not get enforced

daemon@ATHENA.MIT.EDU (Stefan Norberg)
Sat Oct 9 14:10:54 1999

Message-Id:  <000501bf11af$26dc8b40$0500000a@hermes>
Date:         Fri, 8 Oct 1999 19:04:13 +0200
Reply-To: Stefan Norberg <stnor@SWEDEN.HP.COM>
From: Stefan Norberg <stnor@SWEDEN.HP.COM>
X-To:         NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM, BUGTRAQ@SECURITYFOCUS.COM
To: BUGTRAQ@SECURITYFOCUS.COM

Regardless of settings in the TCP/IP Security filters, any IP protocol is
accepted.

TCP/IP security configuration example:

Permit all TCP ports, Permit all UDP ports, Permit only IP protocols: 6

The easiest way to prove it's broken is to configure it to only allow
IP-protocol 6 (TCP) and then ping (ICMP) the host. ICMP being IP protocol 1
of course.

Another simple way to test this is to use Weld Pond's NT-port of Hobbit's
netcat (http://www.l0pht.com/~weld/netcat/) to set up a udp-listener on a
host that is supposed to block udp. Then use netcat on another host to send
it a nice message.

CLIENT:
C:\>nc -u server 5000
tcp/ip security is broken :)

SERVER:
C:\>nc -u -l -p 5000
tcp/ip security is broken :)

windump: listening on \Device\Packet_El90x1
18:49:06.731069 CLIENT.3533 > SERVER.5000: udp 29

Seems pretty broken to us...

Tested on NT4.0 SP5 (both w. no hotfixes and all hotfixes)

Regards,


Stefan Norberg (stnor@sweden.hp.com, http://people.hp.se/stnor)
Daryl Banttari (daryl@windsorcs.com)
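
The check described in the post can be run over a saved capture. The following is an added example, not part of the original post: it audits windump/tcpdump text lines against a "Permit only IP protocols" list and separates packets that merely arrived at the interface from ones the host answered. The function names, the sample lines other than the UDP one, and the assumption that a same-protocol reply to the peer means the stack processed the inbound packet are all constructed for illustration.

```python
import re

# Old-style tcpdump/windump text: "<time> <src> > <dst>: <summary>"
LINE = re.compile(r"^(\S+) (\S+) > (\S+): (.+)$")

def parse(line):
    """Return (time, src_host, dst_host, ip_proto) or None if unrecognised."""
    m = LINE.match(line.strip())
    if not m:
        return None
    when, src, dst, summary = m.groups()
    first = summary.split()[0].rstrip(":").lower()
    if first == "icmp":
        proto = 1
    elif first == "udp":
        proto = 17
    elif re.fullmatch(r"[sfpr.]+", first):   # TCP flag field, e.g. S, P, F, R, .
        proto = 6
    else:
        return None
    if proto != 1:                           # TCP/UDP endpoints end in ".port"
        src, dst = (re.sub(r"\.\d+$", "", a) for a in (src, dst))
    return when, src, dst, proto

def audit(lines, host, permitted):
    """List packets on IP protocols outside `permitted` that involve `host`.

    'arrived'  = disallowed packet was seen addressed to the host
    'answered' = host later sent the same protocol back to that peer
                 (assumption: the stack processed what should be dropped)
    """
    findings, pending = [], set()
    for rec in filter(None, map(parse, lines)):
        when, src, dst, proto = rec
        if proto in permitted:
            continue
        if dst == host:
            pending.add((src, proto))
            findings.append((when, proto, src, "arrived"))
        elif src == host and (dst, proto) in pending:
            findings.append((when, proto, dst, "answered"))
    return findings

# Constructed sample capture; only the UDP line's format comes from the post.
SAMPLE = """\
18:49:06.731069 CLIENT.3533 > SERVER.5000: udp 29
18:49:10.102233 CLIENT > SERVER: icmp: echo request
18:49:10.102541 SERVER > CLIENT: icmp: echo reply
18:49:12.400100 CLIENT.3534 > SERVER.80: S 1000:1000(0) win 8192
""".splitlines()
```

Calling `audit(SAMPLE, "SERVER", permitted={6})` reports the UDP datagram and the echo request as arrived and the echo reply as answered. A one-way UDP message produces no reply on the wire, so for that case the listener's own output remains the proof of delivery.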
