[15554] in bugtraq
Buggy ARP handling in Windoze
daemon@ATHENA.MIT.EDU (Paul Starzetz)
Thu Jun 29 14:46:50 2000
Message-Id: <395B7E64.9FB3D4DB@starzetz.de>
Date: Thu, 29 Jun 2000 18:50:44 +0200
Reply-To: Paul Starzetz <paul@STARZETZ.DE>
From: Paul Starzetz <paul@STARZETZ.DE>
To: BUGTRAQ@SECURITYFOCUS.COM
I discovered a strange bug in the ARP handling under Windows 98 with the latest
Winsock patch (IGMP). Win98 (and apparently Win95, as far as tested) does not
handle static ARP entries correctly. Setting up a static ARP cache
entry like:
c:\windows\arp.exe -s host_ip host_mac
does not immunise against spoofed ARP packets: if someone on the subnet is
playing with ARP and an ARP packet with
arp_protocol_address == host_ip arrives, then regardless of the opcode Windose
will update the 'static' entry to whatever MAC the ARP packet points to. So a
'static' entry only means that the entry won't be deleted and remains
forever in the cache. This is not really the behaviour we want :-)
Note that Lunix behaves correctly (tested against 2.2.16 kernels),
so setting a static ARP entry for a host protects your box from ARP spoofing.
Of course, you may set up a static ARP table and then run a firewall on
each machine to filter ARP further....
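As an added monitoring example (not part of the post), the following Python parses raw Ethernet/ARP frames and flags any packet whose sender protocol address is pinned in a "static" table but carries a different sender hardware address, checking every opcode since, as described above, a request would rewrite the Win98 entry just as a reply does. The static table and sample frames are constructed for the example.

```python
import struct
from collections import namedtuple

# Constructed "static" ARP table for this example (hypothetical gateway): IP -> MAC
STATIC_ARP = {"192.168.1.1": "00:11:22:33:44:55"}
ARP_REQUEST, ARP_REPLY = 1, 2
ArpPacket = namedtuple("ArpPacket", "opcode sender_mac sender_ip target_mac target_ip")

def _mac(b): return ":".join(f"{x:02x}" for x in b)
def _ip(b): return ".".join(str(x) for x in b)

def parse_arp(frame):
    """Parse an Ethernet II frame carrying IPv4-over-Ethernet ARP; None if it is not one."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x06":          # EtherType 0x0806 = ARP
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return ArpPacket(op, _mac(frame[22:28]), _ip(frame[28:32]),
                     _mac(frame[32:38]), _ip(frame[38:42]))

def check_static_conflict(pkt, static=STATIC_ARP):
    """Alert when the sender protocol address is pinned to a different MAC.
    Checked for every opcode: the post says Win98 rewrites the entry regardless of it."""
    expected = static.get(pkt.sender_ip)
    if expected is None or expected == pkt.sender_mac:
        return None
    kind = {ARP_REQUEST: "request", ARP_REPLY: "reply"}.get(pkt.opcode, "op%d" % pkt.opcode)
    return f"ARP {kind}: {pkt.sender_ip} claimed at {pkt.sender_mac}, static entry is {expected}"

def scan(frames, static=STATIC_ARP):
    """Run the check over raw frames; non-ARP frames are skipped."""
    alerts = []
    for pkt in filter(None, map(parse_arp, frames)):
        alert = check_static_conflict(pkt, static)
        if alert:
            alerts.append(alert)
    return alerts

def build_arp(op, sha, spa, tha, tpa):
    """Build a test frame (constructed sample input for the detector, not captured traffic)."""
    mac = lambda s: bytes(int(x, 16) for x in s.split(":"))
    ip = lambda s: bytes(int(x) for x in s.split("."))
    hdr = mac(tha) + mac(sha) + b"\x08\x06" + struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
    return hdr + mac(sha) + ip(spa) + mac(tha) + ip(tpa)

SAMPLE_FRAMES = [
    build_arp(ARP_REPLY, "00:11:22:33:44:55", "192.168.1.1", "ff:ff:ff:ff:ff:ff", "192.168.1.10"),   # genuine
    build_arp(ARP_REQUEST, "de:ad:be:ef:00:01", "192.168.1.1", "00:00:00:00:00:00", "192.168.1.10"),  # conflict
    b"\x00" * 60,                                                                                     # not ARP
]
```

Running `scan(SAMPLE_FRAMES)` reports only the conflicting request; a pinned IP seen with its expected MAC, or non-ARP traffic, produces nothing.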