Slashdot Mirror
Flaw Found iIn Ethernet Device Drivers
Licensed2Hack writes "Security researchers have discovered a serious vulnerability that may be present in many Ethernet device drivers that is causing the devices to broadcast sensitive information over networks.
Seems the device driver writers couldn't be bothered with a memset() call. Eweek has their typical (puffy, low on tech details) take on it here.
Since they don't specify the OS, I'm assuming these are drivers for Windows." It's actually Linux, *BSD, and Windows.
At least it didn't foil my first post.
the flaws are in linux drivers too. Who knows, you might even want to read the article.
...."iln" story title
From the article (in case you haven't read it):
"The Linux, NetBSD and Microsoft Windows operating systems are known to have vulnerable link layer implementations, and it is extremely likely that other operating systems are also affected."
Straight from the article
OK, it's slashdot, so we expect people to post comments without reading the article, but it's a little ridiculous that the submitter didn't even bother.
Anonymous Coward writes "English speakers have discovered a serious flaw that may be present in many Slashdot editors that is causing the devices to broadcast poor journalism over networks. Seems the editors couldn't be bothered with a Spellcheck call. Slashdot trolls have their typical (puffy, low on tech details) take on it here. Since a fault was found, Slashdot is assuming the problem is with Windows."
One wonders whether it would be possible to build a fix into the operating system, or would that be too great an abstraction?
You can find the CERT's take on this here:
http://www.kb.cert.org/vuls/id/412115.
Lots of applications have the same fault, e.g. Microsoft Access doesn't appear to memset so you get what ever happens to be kicking around in memory written to emptyness in the database.
Also Access doesn't clean out deleted data.
thank God the internet isn't a human right.
The Cert advisory says that MS doesn't ship any drivers with this vulnerability. This is a lot different from saying that MS systems are completely uneffected. We're going to have all double check against the actual driver being used by the system (when this list is complete of course) to find out if we are particularly affected by this.
Napster-to-go says "Fill and refill your compatible MP3 player", which is a lie. It's not MP3. It's WMA with DRM.
If this bugs you, just make a change to the link layer drivers. Pad with nuls again, like it is supposed to, rather than garbage data. The downside to this is there will be a speed hit, since you are wasting time fscking with small packets to make sure they are secured. But, given the speed of modern systems vs the speed of ethernet, I highly doubt you'll notice.
Honestly, the big problem here is going to be MS. I doubt they'll introduce a fix at all.
It could be enough for someone to snag the SSH private keys for a connection.
Of course, since you have to read ethernet packets, they'd either be listening to traffic on a VPN, or they'd be on their target's LAN.
More reasons to be afraid of your company's BOFH.
What's this Submit thingy do?
@stake's advisory release:0 10603-1.txt
t stake_etherleak_report.pdf
http://www.atstake.com/research/advisories/2003/a
And their etherleak report PDF:
http://www.atstake.com/research/advisories/2003/a
Oh my God, they were right all along ;)
here is a bugtraq thread from a year ago, describing a similar sounding problem...
ex$$
Just tested this with Ethereal on W2K.
The command 'ping -n 10 -l 1472 ' sends a packet that's padded with 'abcd...uvwabcd...uvwabcd'.
The echo reply is padded with the same characters, apparently just pulled from the request and stuck in the reply. So far I've tried pinging W2K, HPUX, a Cisco router, and a Debian box. All return the contents of the initial request as padding.
Is there more to replicating this than they let on? Or are they just full of poop?
or Cisco or every other router/switch vendor...
Now OpenBSD will have to change their tagline, again.
Only one remote hole in the default install, in more than 7 years! Oh yeah, and 1 hole embedded in the Ethernet dri...
"Shit. We ran out of space on the CD cover."
Talisman
Wanna get pissed?
"Study your math, kids. Key to the universe." -The Archangel Gabriel
Why is this "devastating"? People can sniff ethernet networks anyway? People don't rely solely on a switch for your network security, right?? (Who am I kidding? Of course someone does. Sigh.)
Funny, I am careful about checking my facts, and I am assuming that only 5 people will read my post. I would hope I would put a LITTLE more effort into my fact checking tho if I thought it was going to get 1,000,000 hits.
Since the poster and the editors don't check their facts, I am assuming they don't.
Slashdot is the first site I hit for tech info. And typically, while exagerrated, the attacks on MS have basis at least.
But an ASSUMPTION like above about "Well, there's a problem, it must be Windows!" just makes my ears perk up immediately and want to check the facts. Why doesn't it for the Slashdot editors?
WHY would you assume that? Just from the blurb the poster included it immediately seems the kind of oversight that would have the POTENTIAL at least to affect multiple systems.
And yes, I realize that Windows drivers written by third-parties have been targetted, I find it amazingly amusing the native Windows drivers have been determined not to have this issue
---"What did I say that sounded like 'Tell me about your day?'"---
There actual advisory from @stake that the article quotes can be found here - it's got a few more technical details and code fragments from the Linux kernel, but there's not really much else to say.
It also shows sample frame captures illustrating leakage of HTTP traffic.
Meep meep
At least it isn't a dupe...
Error:
The article submitters now can't be bothered to read the articles? You know, the bit in the article where it says "The Linux, NetBSD and Microsoft Windows operating systems are known to have vulnerable link layer implementations, and it is extremely likely that other operating systems are also affected."!?
Back to more important issues, like the actual content of the article ... I'm reading linux/net right now, anyone have any definite answers, and could point me to (say) source for where we do do this?
...of what Microsoft actually had to say on the topic and bet your butt that some card manufacturers based their drivers on the flawed examples. In short, as usual, many Windows systems are vulnerable and Microsoft are duckshovelling again, or should I say `as always'? Dollars to doughnuts Windows does this on other layers as well. Still, not as bad as dear old RSTS, where reading the NL: (null) device got you whatever entire disk block was last read by anyone on the system, and the password file was read often.
Got time? Spend some of it coding or testing
Great. I don't mean to sound like a troll, but @stake is really stretching for publicity here. 46 bytes? Do you realize how small the padding is? Yes, it's enough for a password, but keep in mind, that padding being sent out is transmitted from OLD FRAMES. These items have been transmitted before. Guess what kids? If you observe secure computing practices, such as using a encrypted login method (ssh comes to mind) and you mind your standard p's and q's, this problem should never be a PROBLEM. I am sorry, but as a professional that researches this stuff, I have to rate this vulnerability as a "really really low" and keep plugging on. In a perfect world, we would grab from urandom/random/null but this isn't a perfect world. Lets focus on remote root compromises, remote "system/admin" compromises, and lets also focus on getting IIS away from the industry. These are the REAL problems. Someone wake me up when @stake has a real advisory to give, something excellent that we are used to seeing from them, besides this trivial fluff they are going to over-hype.
/. but this will be the same position I give the Fortune 500 company I work for. /me wonders if my VP will mod me "troll" or "flamebait" =P
Mod me however you want, I'm a coward to
...where do you want your data to go today? Oops, sorry! (-:
Got time? Spend some of it coding or testing
RFC1042 says "When necessary, the data field should be padded (with octets of zero)to meet the IEEE 802 minimum frame size requirements."
RFC 2119 says "3. SHOULD This word, or the adjective "RECOMMENDED", mean that there may exist valid reasons in particular circumstances to ignore a particular item, but the full implications must be understood and carefully weighed before choosing a different course."
(8-DCS)
I am not a security expert. In fact, my knowledge comes from Slashdot. So God help me. But is this vulnerability really useful to a hacker? If I understand it, because padding is not properly implemented, the hacker MAY receive some random data at the end of the 48 byte data. I realize there are people who have the patience to tape together shredded documents so they can read them, but in this case the hacker cannot ensure that the random pieces of data that he will receive even belong to a single "document." So my question, is this a theorectical vulnerability that would be extremely difficult to use, or is it demonstratable that a hacker could easily obtain useful information?
...`fix' your machine into the deck at terminal velocity. Trustworthy Computing at its best!
Got time? Spend some of it coding or testing
I am sure someone will rush to correct me if I am wrong about this.
In Murphy We Turst
Just a guess...
Got time? Spend some of it coding or testing
What makes you think this topic was an accident? I have a hunch that the /. editors posted this as an anti-microsoft blurb on purpose. With that in mind they didn't need to read the stinking article.
If you look at recent "environmental" "news" they've put up on here they've done the same sort of thing: did not read the target article or totally disregarded it and added their own political opinion.
Hemos has an anti-Microsoft axe to grind. Not that I blame him there but I think he's a wee bit too eager.
. Quit playing Monopoly with Bill. Switch to one of many non-Microsoft products today.
Perhaps, since the site only speaks English, they meant to say `i1n'?
Got time? Spend some of it coding or testing
Cisco's Status/Statement
and
Full CERT Advisory
THIS THING CAN TURN ON A DIME, MACROSSZERO STYLE ALSO FUCK BETA, ~NYORON
Great, first we had users who posted replies without reading the articles.
Then we had editors who posted articles without checking if they had already been posted.
Now we have users who submit articles that are neither read by the user nor the editor before being posted.
What's next? The person who writes the article doesn't read it before a user sees the link, submits it for an editor to post twice in the same day?
I'm a writer, a poet, a genius, I know it. I don't buy software, I grow it.
Consider the length of time this so-called vulnerability has lurked in the device driver code for all those operating systems, than ask why no one discovered the problem sooner. Could it be that there's nothing to be worried about?
I'm guessing this problem has gone undetected so long because uber-short frames don't naturally occur on most Ethernet installations. Networks typically send real data, not empty frames, that's why we build them in the first place. You have to intentionally generate super-small frames if you want to see them. All the examples @Stake provides are based on ICMP Echo/Echo Replies, where you can specify the packet length at the command line. Show me some real network traffic that exhibits this problem, than I'll start to worry.
Still not convinced? Well, consider that you can't exploit the issue beyond even a single router, and that the vulnerability in most cases is just rehashed data, stuff that's already gone out on the wire. How big a security issue is that? Seems like the least of my problems. I'd worry more about one un-patched system on the network or one stupid marketroid opening a TELNET secession to the web server than I'd worry about this.
I'm going to go out on a limb here and declare this a non-issue. I'm sure the guys over at @Stake are happy to have something to show their bosses (and the media) so soon after the holidays, but it just doesn't look very serious from where I'm sitting.
Sorry I'm being vague, but a person who is competent at socket programming will _probably_ know what I'm talking about. So I'm curious, is this the same problem we read about here that I encountered, or is it just a misunderstanding of mine into the details of socket programming? I'd love to understand.
Thanks
This is getting pretty old.
I can deal with unprofessionalism on Slashdot (dupes, unverified sources), since it's really not a professional journalistic news source and has never claimed to be. I can deal with bias against Microsoft, the U.S. government, corporations, Red Hat, Church of Scientology, etc. because no one ever said the editors were being objective. I can deal with regurgitated Register posts and the constant WSJ (free registration required!) posts.
What I can't deal with are article submissions being approved when the submitter doesn't read the article they are submitting *and* making unfounded biased FUDish comments about it. The editors not reading the article and commenting on it in the blurb is bad enough.
It's embarassing to ever point anyone else to Slashdot and it's very hard to take it even the slightest bit seriously.
The firm I was workign for at the time noticed this 6 years ago on AIX.
We informed CERT/IBM - nothing happened.
NOW it it makes all the headlines.
what impact does it have - none, unless the stuff in the PADing area contains the unencrypted data that was originally send encryped. Or am I missing something like I normally do?
>> Since they don't specify the OS, I'm assuming these are drivers for Windows.
Whenever I read "memset", I think aloud "unix".
Windows programmers talk about ZeroMemory and FillMemory, not memset. In drivers, that would be RtlZeroMemory and RtlFillMemory.
memset exists for compatibility, but it's just a wrapper around FillMemory.
Secondly, for security reasons, Windows ensures that no app will ever find remnants of another app's data in its memory space (all allocated memory is erased before is't given to the requester), which significantly reduces the risk that sensitive data would be transmitted.
Normally, if the app passes it less than 46 bytes of data, the driver would have to copy it to its own buffer space at the lowest execution level to avoid hitting addresses that aren't mapped to physical memory later (would cause a BSOD if it happened above dispatch level).
If that buffer is allocated dynamically it would be empty, if it's static it would contain some part of the previous packet - not so much risk of finding sensitive data there, since it's just repeating something that has already been on the network.
BTW, the CERT advisory contains a long list of checked systems. There are only six names where it says "Not Vulnerable", and one of those six is Microsoft, so heck yeah, please keep feeling safe because *n*x is so damn secure by defi^H^H^H^H religion.
Yes there is. It's called "administrator".
Best Slashdot Co
this is uninformed spouting of the mouth.
you mean his post, or yours?
Block IMCP if you don't need it
Ahem; if you run TCP/IP, you always need it.
ICMP is used for control messages between systems - it's used for control messages (the 'C' and 'M' in ICMP) for TCP and UDP packets.
Without ICMP, your connections can take longer, or (in some cases) not work at all. All modern OSes support path MTU discovery - and PMTU discovery relies on ICMP messages. If you block these messages, your clients will be unable to reach sites if part of your path to them has a smaller MTU than the MTU of your local interface.
You may know a lot about SSH, but you don't know squat about TCP/IP. ICMP is used for more than just 'ping'.
If you don't know why by now, you haven't been paying attention.
TWW
"Encyclopedia" is to "Wikipedia" what "Library" is to "Some people at a bus stop"
stdout might not be writable
There are places where the networks are not touching,and there are places where they are-Boeing's Lori Gunter
Unfortunately, MS' website doesn't seem to say much about what WHQL actually does. Further investigation on that website seems to reveal that the signature only means that a driver is "compatible" with a Windows release, and that not installing unsigned drivers "may prevent problems such as ... system instability". So, in the end, signed drivers are compatible with Windows and should be more stable than the unsigned. Oh, and that this copy is unmodified from the copy WHQL got. It seems Microsoft doesn't read too much into what its signing policy means for driver quality beyond "does it install, and will it crash?" ...
Microsoft hasn't exactly been in the business of certifying that stuff is secure. It's just like your car dealer selling you a car with an alarm system, automatic locks, etc, but saying "You might still get robbed."
Now, personally, I don't think Microsoft should be held responsible if they certify a driver as stable on their system and it turns out to have vulnerabilities. Furthermore, I don't think Microsoft should be held responsible for their architecture lacking certain secure characteristics.
HOWEVER
The dialog that displays when you install a driver leads the user to believe that the driver being installed is both stable and secure (I don't recall the exact wording, since it's been so long since I've used Windows). Furthermore, the dialog for ActiveX installation does the same thing AND tells you that if "an Authority" hasn't certified the control, then it may compromise your system. Furthermore, it says something about if you install a control that's not safe for scripting, then your system may be compromised.
The driver scenario is similar still. First, when it's signed all that means is that what Microsoft has on their server that they're sending to you and what you receive is the SAME THING. In OSS, of course, we just provide checksums. When you apply this "signing" to an activex control, you're only really getting a signature that says that the download you made was not modified IN TRANSIT. You don't always know if the developer signs shit or not, and there's plenty of useful activex controls that aren't signed. Furthermore, signing it according to Microsoft and Verisign (the Authority mentioned) only costs money. That's it. Just pay a fee.
As for safe for scripting, well, the developer of the control decides that.
So, the bottom line is, regardless of where you get the driver or the activex control, it's still the DEVELOPER or the COMPANY MAKING THE DRIVER that you are trusting with your system. Considering that you trusted them enough to put their hardware in your computer in the first place, you're in something of a rut. And Microsoft's misleading dialogs do a great deal to improve your own position, because you can say "I was duped into thinking it was safe for my kids!".
The wording of the dialog reads to me the same as the words on the game that says "Ages 7+". So my 4-year-old might get hurt by things that would be obviously stupid to the average 7-year old, but the average 7-year-old wont' get hurt by things that are obviously stupid (about the toy, of course).
Like what I said? You might like my music
Crap, I forgot to mention something.
When Verisign signs something (after the developer has paid them), the binary is certified as being the binary that they reviewed. But they don't actually review it, as far as I know. BUT, when your stupid IE tells you that something is signed, that means that the binary you are receiving is exactly the same as the binary verisign received. But this fact does NOT certify that the developer didn't program in vulnerabilities either intentionally or unintentionally.
Like what I said? You might like my music
this attack can be mitigated
Mitigate is not the word you are looking for.
mitigate, v: To make less severe.
I've found another similar vulnerability in Windows IP stack. I'm sure that I am not the first to discover this but, it has existed for a long time and has never been fixed. I have verified the vulnerability on all Windows platforms except XP, which I simply haven't bothered to look at.
The "vulnerability" is very similar in behavior to the one described in the article but, is at the IP level rather than the link layer. The vulnerability has to do with padding of IP packets on Windows systems. Windows uses the contents of one of its buffers (sorry I can't say which one) to pad IP packets.
This is very easily reproducable when sniffing ping packets. The data portion of the packets are padded with the contents of the buffer. There are other utilities that demonstrate this behavior as well, but it is most easily reproduced with a simple ping and the bigger the ping packet the more data you'll see.
If you have been using IE and then sniff ping packets, you will see the data from your previous browsing. If you just logged in, you can sometimes find your password padding the ping packets.
As I said I have verified this on all WIndows platforms except XP. I have also looked for it on numerous Linux platforms and have NOT found Linux to suffer the same vulnerability. That is, Linux does NOT appear vulnerable.
Wow, according to this Windows is NOT vulnerable
According to another post here Linux IS vulnerable
Reading the fluff piece isn't good enough. Go to the source and get the real deal.
If you read the actual CERT Vulnerability note and seen that Windows is not vulnerable.
If you read the CERT Vulnerability note and seen that Windows is not vulnerable.">actual vulnerability note itself you'd see that Windows isn't even vulnerable. So it's linux that has to patch a hole Windows doesn't have.
Well Mr. Coward, you didn't bother to find out that Linux is vulnerable but Windows is not. MS has already issued a statement about this but I see nothing from Linux yet. Looks like the shoe is on the other foot now - haha.
Device Driver Original Description. c A Linux Ethernet device driver for VIA Rhine family chips
3c501.c A 3Com 3c501 Ethernet driver for Linux
3c507.c An EtherLink16 device driver for Linux
3c523.c net-3-driver for the 3c523 Etherlink/MC card (i82586 Ethernet chip)
3c527.c 3com Etherlink/MC32 driver for Linux 2.4
7990.c LANCE Ethernet IC generic routines (AMD 7990 LANCE, local area network controller for Ethernet)
8139too.c RealTek RTL-8139 Fast Ethernet driver for Linux (based on rtl8139.c device driver which is also vulnerable) RTL 8129, 8139 chipsets
82596.c A generic 82596 Ethernet driver for Linux
8390.c A general NS8390 Ethernet driver core for Linux
a2065.c Amiga Linux/68k A2065 Ethernet Driver
aironet4500_core.c Aironet 4500/4800 driver core
am79c961a.c driver for the am79c961A Lance chip used in the Intel (formally Digital Equipment Corp) EBSA110 platform.
ariadne.c Amiga Linux/m68k Ariadne Ethernet Driver
arlan.c This module provides support for the Arlan 655 card made by Aironet
at1700.c A network device driver for the Allied Telesis AT1700
atari_bionet.c BioNet-100 device driver for linux68k
atarilance.c Ethernet driver for VME Lance cards on the Atari
atari_pamsnet.c PAMsNet device driver for linux68k
atp.c Attached (pocket) Ethernet adapter driver for Linux (Realtek
RTL8002 and RTL8012 chips)
bagetlance.c Ethernet driver for VME Lance cards on Baget/MIPS
declance.c Lance ethernet driver for the MIPS processor based DECstation family
depca.c A DIGITAL DEPCA & EtherWORKS ethernet driver for Linux
eepro.c Intel EtherExpress Pro/10 device driver for Linux
eexpress.c Intel EtherExpress 16 device driver for Linux
epic100.c A SMC 83c170 EPIC/100 Fast Ethernet driver for Linux (This driver is for the SMC83c170/175 "EPIC" series, as used on the SMC
EtherPower II 9432 PCI adapter, and several CardBus cards)
eth16i.c An ICL EtherTeam 16i and 32 EISA Ethernet driver for Linux
fmv18x.c A network device driver for the Fujitsu FMV-181/182/183/184
gmac.c Network device driver for the GMAC Ethernet controller on Apple G4 Powermacs
isa-skeleton.c A network driver outline for Linux
lance.c An AMD LANCE/PCnet Ethernet driver for Linux
lasi_82596.c Driver for the Intel 82596 Ethernet controller, as munged into HPPA boxen
lp486e.c Panther 82596 Ethernet driver for Linux
ni5010.c A network driver for the MiCom-Interlan NI5010 ethercard
ni52.c net-3-driver for the NI5210 card (i82586 Ethernet chip)
ni65.c ni6510 (am7990 'lance' chip) driver for Linux-net-3
pci-skeleton.c This driver is for boards based on the RTL8129 and RTL8139 PCI Ethernet chips
saa9730.c SAA9730 Ethernet driver
seeq8005.c A network device driver for the SEEQ 8005 chipset
sgiseeq.c Seeq8003 Ethernet driver for SGI machines
sk_g16.c
smc9194.c A driver for SMC's 9000 series of Ethernet cards
sonic.c
sun3lance.c
tc35815.c
via-rhine
wavelan.c WaveLAN ISA driver
znet.c An Zenith Z-Note Ethernet driver for Linux
Wavelan_cs.c Supports version 2.00 of WaveLAN/PCMCIA cards (2.4GHz)
xirc2ps_cs.c Xircom CreditCard Ethernet Adapter IIps driver
Xircom Realport 10/100 (RE-100) driver.
This driver supports various Xircom CreditCard Ethernet adapters including the CE2, CE IIps, RE-10, CEM28, CEM33, CE33, CEM56, CE3-100, CE3B, RE-100, REM10BT, and REM56G-100.
That's the only explanation that makes sense. He's trying to discredit MS-bashers by providing such an excellent example of false and childish anti-MS claims. The original @Stake paper (don't blame me for the format) not only lists vulnerable Linux drivers, it seems to list only Linux drivers. Windows is mentioned exactly once, and only in a vague afterthought kind of way; the focus is on the vulnerability as it exists on Your Favorite OS.
Slashdot - News for Herds. Stuff that Splatters.
Don't forget that after the vendors fixed it, the new drivers have to be re-certified and signed by Microsoft or their Great OSes[tm] will bark on everyone installing them - which wouldn't shine a bright light on the vendor.
Last thing I remember was that having a new driver certified by Microsoft takes several weeks to months.
An interesting question aside: If so many drivers (if you believe in the article's wording) are affected, why did they pass the Microsoft quality/security "certification" in the first place?
Seems to me that their certification tests aren't worth the bits they're written on - probably they just check that the drivers don't crash the system and so on. (well, and sometimes, not even this.)
42. Easy. What is 32 + 8 + 2?
I can't say that I don't give a fuck. I've just run out of fuck to give.
This is another example of a so called "security team" finding a minor problem and trumping it up to sound like Armageddon is upon us in an attempt to boost their own visibility and credibility.
Executive Summary of Bug:
Many ethernet drivers on many OSs exhibit this problem. It is possible to send a packet to the target machine which triggers the target machine to send back a very short reply packet. Inside this very short reply packet, there maybe be as many as 30 or so bytes of data that should have been zeros. This data is from some other packet recently sent out by the target machine. This data is:
(1) unlikely to be the data you were looking for (2) extremely short
(3) probably was encrypted before being transmitted the first time if it was truly sensitive information
In the real world, there will probably be many better avenues of attacking a machine than attempting to leverage this exploit. Leveraging this exploit will require a lot of patience and good luck, as well as poor security practices on the target's side to begin with. You have many better things to worry about, move along please.
11*43+456^2
Date Notified 06/25/2002
Date Modified 01/09/2003 10:55:58 AM
Status Summary: Not Vulnerable
Vendor Statement
Microsoft does not ship any drivers that contain the vulnerability. However, we have found samples in our documentation that, when compiled without alteration, could yield a driver that could contain this issue. We have made corrections to the samples in our documentation, and will include tests for this issue in our certification process.
If she floats, she's a witch.
Well, it's been discussed on /. that news sites sometimes edit their stories without notice. So, it's possible that the article didn't include the bit about which systems are vulnerable when the poster submitted the story.
I'm not saying that this what happened in this case. On the other hand, the article is three days old.
Still, I agree with you about the assumption regarding Windows.
This is beyond the limits of my networking expertise, but does this mean it's possible for sensitive client or medical information to be passed in the padding?
If so, it seems that this would be a problem with HIPAA.
Granted, the extra bits of a 46 byte packet isn't much space, but then a social security number is only 9-characters.
That's the way I read it too.
OTOH, the point about articles being updated without noice posted was also apropos. It's *not* clear that they fucked up. They may have, or the article may have been edited.
I think we've pushed this "anyone can grow up to be president" thing too far.
"But an ASSUMPTION like above about "Well, there's a problem, it must be Windows!" just makes my ears perk up immediately and want to check the facts. Why doesn't it for the Slashdot editors?"
Because not only do the editors dislike MS, but also because MS richly deserves to never be given the benefit of the doubt, on anything, ever again.
"Gold still represents the ultimate form of payment in the world." - Alan Greenspan, 1999
Windows CAN be vulnerable. Found several locally. Hardware companies using too much Microsoft example code, I imagine.
Simple to exploit.
Mac OS X/Linux:ping -c 1 -s 0 10.10.10.10
Solaris: ping 10.10.10.10 0 1
Windows: ping -n 1 -l 0 10.10.10.10
(where 10.10.10.10 is, of course, target host). Solaris doesn't seem to even want to *send* the echo request with 0 payload. Then again, I didn't investigate that too hard. IOS will definately not let you specify datagram size small enough to exploit (for that matter, it pads the echo request properly, unlike my test Win2k box with Xircom card.
Collect in favorite packet sniffer and observe. In Ethereal, it's added as Trailer under the Ethernet frame. Don't expect it to make sense.
Routers may or may not impede it. Checking about half a dozen local private class C's, I found 20 machines returning frame data. One linux, a few Windows, and a few VoIP devices. Those were crossing a Cisco L3 switch. It sorta routes, it sorta switches. However, as expected, crossing a 7204 easily screws the pooch.
So, for someone on the outside to make use of this, they'll have to break into a machine elsewhere on your network and setup some automatic exploit. To allow that to happen, you've got big troubles already besides already transmitted frame data.
And anyway, 18 bytes of previously transmitted frame data are not much to worry about. If you're not already deploying the basic security that would foil this.. just get out of the game.
Dump the IRS - http://www.fairtax.org
a great many articles/stories done assume windows, and seldom mention any other OS unless it is expicitly stated.
so for most media Computers == Windows.
The Kruger Dunning explains most post on
When I first saw this, I thought to myself, "Surely Steve Gibson's name is on the report somewhere" because this is the sort of lunacy one usually finds his name on.
...and while it's good that the memory leakage is of contiguous bytes (otherwise they'd be entirely useless) seventeen bytes is a _really_ small window for any meaningful data to come through. If you were lucky, you might be able to get part of a (presumeably encrypted) password, or two and a half words from a typical email. It's also possible that fancy arp-foolery would get you *all* the victim's network traffic, making it the long and obnoxious way to go about doing something as simple as sniffing packets.
...What Eweek published about it was downright silly.
Much to my suprise, @Stake's name was on it. Looking further, I see that Eweek has genuinely made a mountain out of a molehill. Seventeen bytes of randomly chosen data can be snatched from a remote machine, provided it's literally in the same building as the attacker, and provided it's got a cheap-o network card. Pardon me while I quake in fear for the safety of the little children.
Why do we have to be in the same building? Because if the packet in question goes through most routers, they're quite likely to crumple the bits up and throw them away because of it's past use as a means for covert communication.
Their statement about it being "trivial to exploit" should have stopped at just saying it was "trivial". It was good of @Stake to bring this to the attention of programmers, although quite possibly publishing in PDF format made it look a little more important than it really is.
The cost in time needed to pad the frame out to 46 bytes is about the same as the time needed to copy the data over from some buffer when the frame actually is 46 bytes. Now if the driver is so high performance that it never copies anything, and is transmitting into hardware straight from the originally queued packet buffer, then yeah, padding to 46 bytes at this point does cost a wee bit. But how often are you sending so many packets less than this size and needing the performance in the CPU? It's not an issue at all with larger packets.
now we need to go OSS in diesel cars
There is absolutely NOTHING wrong with this being easy to do! Would you prefer to have to do ten complicated steps to accomplish the same task??? It still will not prevent it from being done and will only take more time.
The fault lies in how easy it is to convince most people to assign admin privileges to someone else.
I will, however, agree that administative privileges are handed out many times when not necessary.
---"What did I say that sounded like 'Tell me about your day?'"---
Hmm... Too bad the facts are in your way. Of course, I understand that FUDers don't bother looking at facts.
You quitting proves that the karma kap worked. The most annoying of the whores shut up. --CmdrTaco
Thanks to some vagueness in the standards defining IP datagram transmission on Ethernet networks, it's not entirely clear exactly how the padding should be done. Some implementations do it on the NIC, while others handle it in the software device driver
Ding! This means that all NICs that have the problem have that problem under any OS unless the card can be overcome by software. Additionally, "software drivers" under any OS can have the same problem.
Is the problem more likely under, M$ junk? Of course it is. The free software world will move to fix any driver problems, and there are only a few dozen drivers in the world to work the thousands of different brand name cards. The closed source world has thousands of drivers to fix by companies that may not even exist anymore, and because it's closed and the user won't know any better, why would anyone bother?
Of course this completely ignores whole models that are available in the free software world to prevent such problems of untrusted networks in the first place. I don't really care if my NIC pads packets with chunks of the last SSH packet. Encryped noise is just that and you can have as many packets as you like of it. If you played it over a speaker it would sound like this "Shushshhshhhshhhhhshhhhsh!" and I sugest you do shush.
Friends don't help friends install M$ junk.
The Microsoft statement says that Windows doesn't ship with the bug and no 3rd party driver shipped with Windows have the bug but if you build your own driver from their sample code in the Device Driver kit without changes then it is possible that your code could have the bug. And that they're changing the sample code to include the fix in the source. Maybe drawing a conclusion based on what's written would be better than just "MS are weasels"
Heh! What this means is the same thing as always. Your network security is only as good as your weakest link. If you have an M$ box on your local net and someone owns it, as is so easy to do, it can sniff packets from other silly OS that don't use SSH or similar for ALL local comunications. Let's say I type a password on a local computer and that password gets padded into that ethernet frame. Ha, the M$ machine has got you. A more sinister device to leak, would be your "broadband router" box that sits next to your cable modem. If it leaks and you have an owned M$ box on your network, that M$ box can be used to request small packets through the router and thus sniff your whole network's traffic. Failure and comprimise are generally the result of a combination of minor flaws, unless you are M$ and you just make an email client that automatically executes code, sound and what not from unknown third parties. The weak link breaks a chain.
Friends don't help friends install M$ junk.
Like other posters have stated, Windows is vulnerable with the NIC drivers being the problem. Microsoft claims it doesn't ship bad drivers but my Xircom CardBus Ethernet II is vunerable (Win2k). I believe I got the driver on Windows Update :).
First off, the linked eWeek article specifically states:
Not to defend eWeek's journalistic or technical integrity, but they do a pretty good job of summing up the pertinent facts... such as the vulerability affecting the above implementations.
Secondly, This is a Hyperlink. They are sometimes used on the World Wide Web, to link relevant and useful resources together. Had you followed this particular link, you would have found the CERT advisory about the problem AND a link the @Stake's own advisory and white paper about the problem.
Thank you
WHY would you assume that? Just from the blurb the poster included it immediately seems the kind of oversight that would have the POTENTIAL at least to affect multiple systems.
It's called dogmatism.
There's a significant number of Open Source advocates, including nearly all Slashdot editors, who take it as an article of religious faith that Linux has no bugs, Windows has three bugs per line of code, and other operating systems simply do not exist.
Thus, when they see "flaw found in...", they automatically assume it must be in Windows, and if it ever occured in Linux, it must have been fixed a long long time ago.
A Government Is a Body of People, Usually Notably Ungoverned
...you have tons of better ways to do this. Put a key sniffer on his keyboard, or listen to the EM-field of his screen or bug his place. Or simply get a life.
Kjella
Live today, because you never know what tomorrow brings
How much sensitive information could be in less that 46 bytes? Granted, it's a bad programming practice, but seriously, what are the odds that something important like the formula to Willie Wonkas Ever-lasting Gobstopper would be in those padded bytes?
Based on the typical internet usage, I'm guessing they'd get up to 45 bytes of flesh-tone JPEG data, or the words "you to can have up 3 or 4 inches added to yo".
-- You can't idiot-proof anything, because they're always coming out with better idiots.
A lot of equipment in a network uses 9 consecutive 0's as an alarm signal. Hence the telcom standard of using 6 0's then 6 1's as the "pad" (oh and yes you do have to check for 9 legit 0's in a row and make "adjustments") I can see it now every time my nic sends a short packet alarms are going off all over the telco route.. *grin*... the other point is. Just because it does it... doesn't mean it's signifigant. In other words is enough real data leaked and is it leaked in a consecutive manor. Can I reconstruct useful info from this data or is this an over reaction of coulda woulda shoulda maybe might. In other words if I send 10000 packets of data with 1% short that means 10 short packets. Now if this is taken from random data streams on the box in a real time manor then it won't be
:)
A. Consecutive data
B. Enough to construct meaningful information.
I don't really think you have to worry about your credit card numbers being transmitted in the clear here. Now if you have a system that is constantly transmitting (a number of systems do, do this ) then you do have a serious leak. In two seconds of continuous transmission a lot of data can get out if it's 100% padding. Maybe we can finally get the source code to M$ this way by monitoring what comes out of Redmond
I'm sorry, I'm to tired to be witty at the moment so this message will have to do.
Microsoft does not ship any drivers that contain the vulnerability. However, we have found samples in our documentation that, when compiled without alteration, could yield a driver that could contain this issue. We have made corrections to the samples in our documentation, and will include tests for this issue in our certification process.
My reading: Microsoft doesn't make any vulnerable drivers (Microsoft doesn't make (m)any Ethernet drivers). Their sample code is vulnerable, and in the future they will be testing drivers for this bug before certifying them. -- Current MS certified drivers May be vulnerable -- especially if they used MS's suggested code snippet.
In short, YMMV.
OS Software is like love: The best way to make it grow is to give it away.
Unless you've personally tested your driver, I'd play it safe and go with the statement of the publishers: Linux, NetBSD, and Windows are vulnerable.
You also seem to wish that Linux would relase a statement. Linux cannot release a statement. Linus can. Red Hat can. Mandrake can. Linux cannot. Windows cannot. Cobol cannot. VB Script cannot.
Looks like the shoe is on at least three feet now, but some of the feet appear to be in denial. Oh, and "haha" doesn't help your post look informed or intelligent.
Copyright Violation:"theft, piracy"::Anti-Trust Violation:"thermonuclear price terrorism"<-Overly dramatic language.
I suppose you've never heard of packet fragmenting, then?
Yes, I've heard of it. And unlike you, I actually know how it works in relation to PMTU discovery.
MTU discovery tries to ensure that your packets won't be fragmented by routers, but if you send larger packets, they'll be fragmented by routers
No, they won't.
PMTU discovery works by setting the "DO NOT FRAGMENT" bit of the IP header. Packets that are too large are dropped, NOT fragmented, and an ICMP message is sent to the originating host, telling them to re-send a smaller packet.
If you're gonna correct someone, make sure you know what you're talking about first.
Once a PTMU has been calculated, the data packets should not be marked DNF, as the path may change as routers change states, and the PTMU may change and fragmenting still occur.
I can't say that I don't give a fuck. I've just run out of fuck to give.
For the PMTU, yes it's marked DNF
OK, so what's your point then? (Oh, and it's marked 'DF', not 'DNF')
The host computer should be intelligent enough to send a smaller packet after enough DNF packets disappear into the ether.
"Should be"? First, we're talking about what "is" and "isn't", not "should be"... and second, no, it SHOULDN'T be.
If the host is just going to assume that a dropped packet is due to someone misconfiguring their firewall - and not just because the packet was dropped for some other reason - what happens when "enough" packets disappear because of some other reason (like, say - temporary link outages, congestion, etc..)?
The "intelligent enough" host begins making it's packets smaller, which causes more overhead for the troubled link. If the dropped packets are because of congestion, you're actually making the problem worse instead of better (because smaller packets impose higher overhead on a network, both because the payload is smaller relative to the packet size, and there are more packets for the routers to process.)
Once a PTMU has been calculated, the data packets should not be marked DNF
Try reading RFC 1191, which describes PMTU discovery, and directly contradicts your statement.
Section 6.3 (Purging stale PMTU information) states this: "Because a host using PMTU Discovery always sets the DF bit" (emphasis added.) Seems the guys who invented PMTU discovery disagree with you.
data packets should not be marked DNF, as the path may change as routers change states
This is the perfect reason why hosts should continue to set the DF bit, not a reason why they shouldn't.