[ISN] Hunt for XP SP2 flaws seen in full swing

InfoSec News isn at c4i.org
Mon Aug 16 04:26:55 EDT 2004

Forwarded from: security curmudgeon <jericho at attrition.org>

: http://www.nwfusion.com/news/2004/0813huntforx.html
: By Joris Evers
: IDG News Service
: 08/13/04
: While users are testing Service Pack 2 for Windows XP to prevent
: compatibility problems, hackers are picking apart the security-focused
: software update looking for vulnerabilities, security experts said.
: "We will see new vulnerabilities discovered in SP2 over the next few
: weeks. Give it a month or two and we will also see worms that affect
: SP2," said Thor Larholm, senior security researcher at PivX Solutions
: LLC, a security services company in Newport Beach, Calif.

As usual with Windows Service Packs, the first week or two is spent
figuring out what features have changed or broken significantly. While
most of the griping is about functionality breaking that was made
public well in advance, a few other changes crept in that are of
interest to the security world. (read below)

: "A lot of the current attack vectors are blocked by SP2," Larholm said.
: "Folks are now trying to find new ways to plant code on a system. A lot
: of these new ways will use e-mail, instant messaging and Web traffic -
: any kind of traffic that a PC requests from the outside world - because
: that will go through the firewall without restrictions."

Fortunately, all the MSIE exploits will still do nicely =)


------Original Message-----
From: Fyodor [mailto:fyodor at insecure.org]
Sent: Wednesday, August 11, 2004 3:31 PM
To: nmap-hackers at insecure.org
Subject: Windows XP SP2 incompatible with Nmap

This is just a heads-up that most Nmap functionality will not work on
the just-released Microsoft Windows SP2.  Why?  Microsoft apparently
broke it on purpose!  When an Nmap user asked MS why security tools
such as Nmap broke, MS responded[1]:

  "We have removed support for TCP sends over RAW sockets in SP2.
   We surveyed applications and found the only apps using this on XP were
   people writing attack tools."

I don't know why they consider Nmap an "attack tool", particularly
when they recommend it on some of their own pages[2].  Shrug. Removing
SP2 re-enables the functionality and causes Nmap to work again.  Many
problems unrelated to Nmap have been found with SP2 as well[3], though
it does some welcome security improvements for people stuck on that

I will work on this if I get time, but am currently busy rewriting the
core port scanning engine for the next version of Nmap.  It is much
faster, offers much better multiple-host parallelization, and provides
other long-desired features such as completion time estimates.  If
someone finds a solution to this SP2 problem, please send a patch.  
It may not be too hard, as Nmap supports operating systems such as
Win95 that didn't have raw socket support in the first place.


[1] http://seclists.org/lists/nmap-dev/2004/Apr-Jun/0077.html
[2] http://www.microsoft.com/serviceproviders/security/tools.asp
[3] http://www.crn.com/sections/breakingnews/breakingnews.jhtml?articleId=23905071


 The TCPIP.SYS modifications in XP SP2 have also limited the number of
 concurrent half-open TCP connections to -10-. Yeah. That means you can't
 try to connect to more than ten things at once unless one of them

 This breaks most vulnerability scanning, p2p networking, and many game
 networks, but I think they were aiming to keep worms from spreading.

 There appears to be no registry key to change this setting.

 There is a 3rd party patch available for this:
 http://www.lvllord.de/ (site not resolving now)

More information about the ISN mailing list