[17178] in bugtraq
Re: Buggy ARP handling in Windoze
daemon@ATHENA.MIT.EDU (Woch, Wojtek)
Thu Oct 12 14:57:35 2000
Message-Id: <Tc139504cf94f2cf44882@mime4.cpr.fr>
Date: Tue, 10 Oct 2000 20:03:41 +0200
Reply-To: wwoch@CPR.FR
From: "Woch, Wojtek" <wwoch@CPR.FR>
To: BUGTRAQ@SECURITYFOCUS.COM

Paul Starzetz wrote:
> I discovered a strange bug in the ARP handling under Windows 98/latest
> Winsock patch (IGMP). Win98 (at almost Win95 as far as tested) would not
> handle static ARP entries correctly. Setting up a static ARP cache

Testing on NT 4.0 with SP6a shows that it behaves the same, although
the spoofed machine complains in its event log with a Tcpip event #4199
and an application popup #26 (IP address conflict).

It appears also that as long as the IP address is in the ARP cache,
its MAC address can be overwritten - even if the entry is flagged as
dynamic. But as Yuri Volobuev noted in his post "Redir games with ARP
and ICMP", you would need to inject ARP packets continuously in this case.

cf http://www.securityfocus.com/templates/archive.pike?start=2000-10-08&list=1&end=2000-10-14&tid=7665&threads=0&
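
Added example (not part of the original post): a passive monitor that parses Ethernet/IPv4 ARP bodies and flags a sender MAC that contradicts a statically configured entry, or that changes for an IP already seen, which are the two overwrite cases the message describes. The names `parse_arp`, `ArpWatch` and `scan`, the `pinned` table and the sample packets are assumptions constructed for illustration.

```python
import socket
import struct

ARP_FMT = "!HHBBH6s4s6s4s"  # Ethernet/IPv4 ARP body: 28 bytes

def parse_arp(payload):
    """Return (sender_ip, sender_mac), or None if not Ethernet/IPv4 ARP."""
    if len(payload) < struct.calcsize(ARP_FMT):
        return None
    htype, ptype, hlen, plen, _op, sha, spa, _tha, _tpa = struct.unpack(
        ARP_FMT, payload[:28])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return socket.inet_ntoa(spa), sha.hex(":")

class ArpWatch:
    def __init__(self, pinned):
        self.pinned = dict(pinned)  # ip -> MAC configured as a static entry
        self.seen = {}              # ip -> last sender MAC seen on the wire
        self.flips = {}             # ip -> number of binding changes so far

    def observe(self, payload):
        """Return an alert string for a suspicious sender binding, else None."""
        parsed = parse_arp(payload)
        if parsed is None:
            return None
        ip, mac = parsed
        previous = self.seen.get(ip)
        self.seen[ip] = mac
        if ip in self.pinned and mac != self.pinned[ip]:
            return f"PINNED-MISMATCH {ip} expected {self.pinned[ip]} saw {mac}"
        if previous is not None and previous != mac:
            self.flips[ip] = self.flips.get(ip, 0) + 1
            return f"REBIND {ip} {previous} -> {mac} (change #{self.flips[ip]})"
        return None

# Constructed sample ARP bodies (documentation addresses, not captured traffic).
HDR_REPLY = "0001080006040002"
SAMPLES = [bytes.fromhex(h) for h in (
    HDR_REPLY + "00005e005301" + "c0000201" + "00005e005320" + "c0000214",
    HDR_REPLY + "00005e005366" + "c0000201" + "00005e005320" + "c0000214",
    HDR_REPLY + "00005e005330" + "c000021e" + "00005e005320" + "c0000214",
    HDR_REPLY + "00005e005366" + "c000021e" + "00005e005320" + "c0000214",
    HDR_REPLY + "00005e005330" + "c000021e" + "00005e005320" + "c0000214",
)]

def scan(samples, pinned):
    watch = ArpWatch(pinned)
    return [a for a in map(watch.observe, samples) if a]
```

Calling `scan(SAMPLES, {"192.0.2.1": "00:00:5e:00:53:01"})` yields one pinned-entry mismatch and two rebinds; a change counter that keeps climbing for one IP is what sustained conflicting ARP traffic looks like from the monitor's side.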