Slashdot Mirror


XP/Vista IGMP Buffer Overflow — Explained

HalvarFlake writes "With all the hoopla about the remotely exploitable, kernel-level buffer overflow discussed in today's security bulletin MS08-0001, what is the actual bug that triggers this? The bulletin doesn't give all that much information. This movie (Flash required) goes through the process of examining the 'pre-patch' version of tcpip.sys and comparing it against the 'post-patch' version of tcpip.sys. This comparison yields the actual code that causes the overflow: A mistake in the calculation of the required size in a dynamic allocation."


  1. well gee by sentientbrendan · · Score: 5, Funny

    >This comparison yields the actual code that causes the overflow:
    >A mistake in the calculation of the required size in a dynamic allocation

    I hope no one else makes this mistake.

    1. Re:well gee by nizo · · Score: 4, Funny

      It worked so well for Office 2003, perhaps Microsoft could create a patch that would keep the OS from opening insecure packets from other vendors and their older products?

  2. Sounds like HowStuffWorks material! by Ai+Olor-Wile · · Score: 4, Funny

    Hooray! Windows vulnerabilities are so commonplace now that there are public educational documentaries about their life-cycles and internals, so that the people can stay informed. Brilliant!

    1. Re:Sounds like HowStuffWorks material! by primadd · · Score: 4, Interesting

      In case you don't know Halvar Flake, he is a master at reverse engineering and recently gave a talk at BlueHat.
      Short audio clip with Halvar explaining how he analyzes MS patches for differences.

      -- bookmark me

    2. Re:Sounds like HowStuffWorks material! by EvanED · · Score: 4, Insightful

      "You mean it is something other than disassemble pre, disassemble post, diff?"

      There's a little bit of actually understanding the diff in there too. That's sort of the hard part.

  3. It's just a mistake! by EmbeddedJanitor · · Score: 4, Funny

    OMG! I thought it might be a bug, but thankfully it's just a mistake!

    --
    Engineering is the art of compromise.
  4. Dang it all. by palegray.net · · Score: 5, Funny

    Darn pesky kids and their fancy buffer overflows. I outta HEAP on the insults, but I'll try to stick to my PROGRAM of keeping my smoke STACK cool.

    1. Re:Dang it all. by Anonymous Coward · · Score: 5, Funny

      You're PUSHing it. One more pun and I'll POP you in the mouth.

  5. How about http://blogs.technet.com/swi/ by PerfectSmurf · · Score: 4, Informative

    Or you could read about it on the Security Vulnerability Research and Defense blog at http://blogs.technet.com/swi/

    --
    I smurf everything and everything I smurf is perfect.
  6. Re:Let's get the preliminary stuff out of the way. by Anonymous Coward · · Score: 4, Informative

    I see things like this as an argument in favor of moving stuff off of the CPU and into dedicated hardware. Why should your CPU be tied up with things at this level? The absolutely overwhelming majority of all data on every network uses one of two network layer protocols (IPv4 or IPv6) and one of two transport layer protocols (TCP or UDP). Why shouldn't those four combinations be handled by hardware, so we can leave the computer to run the applications? We already do this with 3d rendering, why not networking?

    Do you have any idea how many millions of ethernet cards have been sold? Are they all going to be made obsolete?

    These days CPUs are so fast that the minor overhead of a network driver is negligible, unless you're going to ultra-fast speeds (some high-performance network cards do offload this to hardware).

    However, you still could have buffer overflows in the network drivers/firmware.

  7. Re:Windows is open-sores software by totally+bogus+dude · · Score: 4, Interesting

    The difference is that if it was FOSS, they'd be able to see the comment saying "// this doesn't match the specs but it worked for me in the test I did, so the specs must be wrong."

  8. Re:Slashvertisment by QuantumG · · Score: 5, Insightful

    so? He did something (some) people consider cool.. why shouldn't he stand to gain from telling people about it?

    Slashvertisment used to mean that you were claiming Slashdot was taking money to advertise something as a story. You seem to be using it to refer to anyone who submits their own website to Slashdot. Attention whore? Yes. Slashvertisment? No.

    --
    How we know is more important than what we know.
  9. Re:Let's get the preliminary stuff out of the way. by Arainach · · Score: 5, Informative

    Because TCP and UDP headers aren't of fixed sizes and as such are incredibly difficult to handle in hardware. Hardware switching has been tried - ATM for instance - but it's not that simple. TCP/IP was designed as a software protocol, and it's an unfortunate reality that some protocols are easily handled in hardware and others are not.

    IPv6 makes some steps towards having simpler hardware handling, but as long as IPv4 is still around, we won't see hardware switching become commonplace.

  10. Re:Let's get the preliminary stuff out of the way. by guruevi · · Score: 4, Informative

    TCP/IP offloading is already done on-chip by several network cards. Spend $10-$50 more on a network card and you would get it. Of course, a lot of TCP/IP is still handled in the kernel of the OS just because it is too flexible to be done on-chip. Of course, if you need more performance along the lines of firewalling or traffic shaping, you could get an external appliance that handles it.

    --
    Custom electronics and digital signage for your business: www.evcircuits.com
  11. Event ID 4226 by Xenographic · · Score: 5, Informative

    Actually, there's one more comparison they've screwed up. Anyone who has installed the Event ID 4226 patch to increase the allowed number of half-open connections so their BitTorrent speeds don't suck ass just had that patch undone by this new version of TCPIP.SYS.

    The only good thing is that, while the page hasn't been updated since 2006, the patch seems to work on the new TCPIP.SYS (I just tested it on my own machine).

    I realize I'm sort of hijacking the first post, but given how many of us are probably downloading Linux ISOs right now, I figured it's important enough that people wouldn't mind a reminder... :-] Oh, and I'll add one more detail not mentioned here. According to F-Secure, there haven't been any exploits for this found in the wild--yet.

    1. Re:Event ID 4226 by Jugalator · · Score: 4, Informative

      There is a lot of misinformation spread on the lvllord patch though. The people using it often don't seem to have a good idea of what it actually does, and when it is actually mostly in effect. This should be mandatory reading before binary patching your system files...

      --
      Beware: In C++, your friends can see your privates!
  12. Re:you BINARY PATCH core OS code??? by Scoth · · Score: 5, Insightful

    While I don't necessarily disagree with you... feel free to release your patch to tcpip.c and give us a link to the updated source file as soon as you get a chance ;)

    Sometimes, if a closed-source vendor isn't going to release an update/fix/tweak, the community has to do what they can to do it. Given what many people use Bittorrent for, I suspect getting a rootkit from this patch is the least of their worries. The rest of us will either just have to trust it, use BT on a non-Windows platform, or deal with the slower speeds.

    This does bring up an interesting possibility - rather than completely reimplement Windows through something like ReactOS, or translate the API like WINE, how about replacing components of a real Windows install with F/OSS replacements? Drop in a workalike, but open source tcpip.sys and know where it's coming from.

  13. Rootkit? by Xenographic · · Score: 4, Informative

    > Seriously though, WTF? That's a rootkit technique.

    Rootkits use a lot of techniques that are also used by legitimate software. Yes, that patcher (and its patch) does get detected by a few anti-virus programs because worms, like torrents, benefit from being able to connect to more peers. It's not a virus in or of itself, though, plenty of people have checked it out.

    > Changes of this nature should be made to source code, not binaries. It's way more maintainable and sustainable that way.

    I fully agree, but it's kinda hard to get the source for Microsoft programs. Last I heard, you had to be a big university, pay tons of money, sign NDAs, etc. Besides, this limitation wasn't an accident. It was a deliberate "feature" they put in because they thought it would slow down worms. They're not going to fix it just because people ask.

  14. Re:Why Windows 95 and NT 4 are enough by Anonymous Coward · · Score: 4, Interesting
    > I don't plan to upgrade from Windows 95, NT 3.51, and NT 4 on the desktop. With network booting, Windows 95/NT do everything I need for user workstations.

    (Not the original AC.)

    "Bluto's right. Psychotic, but absolutely right."
    - Otter, Animal House

    OK, so Win9x wasn't a real OS. It had no security model. That was its unfixable weakness (instability), but that was also part of its salvation.

    No network-aware services listening out of the box? No remote-unattended exploits!

    And when/if something broke due to the instability - even something as bad as "registry corrupted - don't even fantasize about getting your GUI back", you just booted to DOS, extracted a "good" version of the registry from the last five copies in .cab files in C:\WINDOWS\SYSBCKUP, typed a few "ATTRIB" commands (i.e. chmodded it to be writable) and overwrote the "bad" user.dat and system.dat with ones that worked.

    The 9x UI wasn't any better/worse than XP or Vista. How many of us took one look at XP's Fisher-Price interface and immediately "downgraded" it to the Win2K look?

    Boot speed? My last gaming rig was a Pentium IV, 2.4 GHz, running at 3.2 GHz, 512MB RAM and a 120GB drive, and the fucking thing went from power-on to full-GUI-running-and-no-hard-drive-activity in 15 seconds. There were configuration files you could edit to support 1GB and (by replacing/patching WINDOWS\SYSTEM\IOSUBSYS\ESDI_506.PDR) hard drives over 128GB.

    Once upon a time, Linux wasn't ready for the desktop. During those years, Win9x rocked. Crappy multi-user OS? Guilty as charged. Useless for a server? Absolutely. But as a single user OS/program-loader, it was hard to beat. DRM? Product activation? What's that?

  15. Yes, let's do just that... by gillbates · · Score: 4, Insightful

    Because as we all know, manual memory allocation is hard to understand. Programmers shouldn't have to know basic math, right?

    Why don't we just make a language that does it automatically, and then we won't have any problems like this? Right?!

    Those of us who cut their teeth on assembly and C look at this and just wonder in wide amazement. A part of us wonders how anyone could be so negligent - but the other part knows how things work in proprietary software shops. (A hint - the management doesn't consider it a bug unless the customer notices it.) Yes, we've all done this before, but the solution isn't to create a language which dumbs down the programmer (Dude - you're writing directly to memory!!! You must be some kind of uber-hacker!!). Rather, there are steps you can take to virtually eliminate this kind of problem:

    1. A different language isn't the solution (cue the Java trolls). The problem is that the programmer did not know how to correctly allocate the buffer, didn't bother to calculate the size needed, or was just plain sloppy. A sloppy C programmer makes an even sloppier Java programmer; if one can't be bothered to understand the details, they won't be saved by switching to another language.
    2. People do make mistakes, and the field of software engineering knows this. That's why we advocate things like Formal Technical Reviews - where other engineers review the code you've written. Even if the author of this abomination was fresh out of college and didn't know any better, a thorough review would have caught the mistake.
    3. A good system test plan would have a.) known that such vulnerabilities are common, and b.) stress tested the code for this very situation. One thing I like to do in testing is to put values into fields that are one larger than what the program expects. Does it overflow? Does it crash? Does it correctly detect and properly handle the incorrect input? A good test program would have caught this bug even if the review had missed it.
    4. There are automated tools which can find buffer overflows, uninitialized variables, and the like. Why weren't they used? Or, perhaps they were...
    5. The most likely cause of this bug was not a sloppy programmer, or a bad choice of language (in fact, at this level, Java and C++ are pretty much out because of the performance issues), but rather, a company that chose to forgo the requisite design, review, and testing needed to produce a high quality product. Microsoft's customers have become so accustomed to buggy software that releasing a bug like this - and patching it later - is par for the course. From a business perspective, a buffer overflow is probably considered nothing more than a contingency that has to be dealt with eventually, that need not stop a product from shipping.

    You know, there was a time when formal methods were taught, when programmers were expected to know how to properly allocate and release memory. When things like calculating the size of the buffer, applying basic math(!) and testing your own code were considered just a part of the programmer's job. Now we're hearing people blame languages for the faults of the programmer.

    If I keep going, I suppose I'll start to sound like Bill Cosby. But consider this: the most reliable operating systems to date were built on C (UNIX) and assembly (MVS). If a bunch of old farts (well, perhaps they were young then...) can crank out correct, reliable, fast code without an IDE and a bunch of GUI tools, clearly the language is not to blame.

    The old adage still applies: a poor workman blames his tools. Software engineering works, regardless of the implementation language. This isn't a failure of the language or the environment, but rather, failure to do software engineering right:

    1. The programmer made the initial mistake, and
    2. Then no review of the code was performed, or all of the reviewers missed it, and
    3. No automated audit of the code was done, or
    --
    The society for a thought-free internet welcomes you.
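    As an added illustration (not code from the bulletin, the movie or any commenter) of the two points above: an allocation size computed from a record count where the per-record multiplier is left out, beside the corrected computation, and a boundary sweep that reports the smallest count at which the allocation and the bytes written diverge. The message layout, RECORD_LEN and all function names are constructed assumptions for this example, not the tcpip.sys format.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed message layout (an assumption for this example, NOT the real
 * IGMP/tcpip.sys format): byte 0 holds a record count N, followed by N
 * fixed-size records of RECORD_LEN bytes each. */
#define RECORD_LEN  4
#define MAX_COUNT   255

/* Number of bytes the copy routine will actually write for `count` records. */
size_t bytes_needed(uint8_t count) {
    return 1 + (size_t)count * RECORD_LEN;
}

/* "Pre-patch" style size calculation: the per-record multiplier is forgotten,
 * so for any count >= 1 the allocation is smaller than what gets written. */
size_t buggy_alloc_size(uint8_t count) {
    return 1 + (size_t)count;
}

/* "Post-patch" style size calculation: header plus count * record length. */
size_t fixed_alloc_size(uint8_t count) {
    return 1 + (size_t)count * RECORD_LEN;
}

/* Parse `msg` into a heap buffer sized by `size_fn`. Returns 1 on success and
 * 0 on rejection. The need > alloc comparison stands in for the heap
 * corruption real code would suffer: here the mismatch is reported, not hit. */
int parse_with(size_t (*size_fn)(uint8_t), const uint8_t *msg, size_t msg_len) {
    if (msg_len < 1) return 0;
    uint8_t count = msg[0];
    size_t need = bytes_needed(count);
    if (need > msg_len) return 0;             /* truncated input: reject */
    size_t alloc = size_fn(count);
    if (need > alloc) return 0;               /* under-allocation detected */
    uint8_t *buf = malloc(alloc);
    if (buf == NULL) return 0;
    memcpy(buf, msg, need);                   /* safe only because need <= alloc */
    free(buf);
    return 1;
}

/* Boundary sweep in the spirit of "feed it one more than it expects": returns
 * the smallest record count at which size_fn under-allocates, or -1 if none. */
int first_underallocating_count(size_t (*size_fn)(uint8_t)) {
    for (int c = 0; c <= MAX_COUNT; c++)
        if (size_fn((uint8_t)c) < bytes_needed((uint8_t)c)) return c;
    return -1;
}

int main(void) {
    /* Constructed sample: count = 2, followed by two 4-byte records. */
    const uint8_t msg[] = { 2, 'a','b','c','d', 'e','f','g','h' };
    printf("buggy parse: %d\n", parse_with(buggy_alloc_size, msg, sizeof msg));
    printf("fixed parse: %d\n", parse_with(fixed_alloc_size, msg, sizeof msg));
    printf("buggy first bad count: %d\n", first_underallocating_count(buggy_alloc_size));
    printf("fixed first bad count: %d\n", first_underallocating_count(fixed_alloc_size));
    return 0;
}
```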
    1. Re:Yes, let's do just that... by goose-incarnated · · Score: 5, Insightful

      char foo[20] = "test string";
      int i;
      /* strlen() is re-evaluated on every pass through the loop */
      for (i = 0; i < strlen(foo); i++) { ... foo[i] ... }
      You really should not be programming in C.
      Or, come to think of it, without supervision.

      --
      I'm a minority race. Save your vitriol for white people.
  16. Re:Why Windows 95 and NT 4 are enough by Gription · · Score: 5, Insightful

    There is a real point to his argument. It also happens to be the real flaw in his argument...

    The only real reason to "upgrade" something is if you need something more. For business, need should be defined as something that will do a business function that will make money, replace labor, acquire additional business related information of value, etc... It has to do something you truly need. If all any business needs is a computer that runs a word processor, then he has a genuine point. It assumes that there is no other piece of software that serves a valid business need that anyone else might need.

    A number of pieces of software have been written that require a later OS that fulfill a number of very valuable ($$$) tasks. Also Win 95 is only stable if you have hardware with extremely good drivers under it, a limited number of processes/programs on top of it, and your continuous up-time requirements are somewhat limited. This makes 95 a long way from being the one-size-fits-all solution. (I have one Win 95B station at my desk just to do drive data recovery and to do a few file tasks that XP doesn't want to let you do...)

    Using that same logic there isn't a valid reason for almost anyone to use Vista instead of XP. Plus there is the "Business downside" of the end users having to relearn how to use computers that they already knew how to use.

    Vista's big offerings are two fold:
    - One is what I call the "raccoon" factor. Give people something bright and shiny and their eyes will roll back in their head as they start to murmur, "Gimme, gimme, gimme..." as you can hear the words, "It is new!" echoing softly in the background. This offers them nothing that is real but it does drive people amazingly hard. Look at the number of people that paid $100+ premiums to have an iPhone in the first week of release. A month later no one including themselves remember that they got their phone early and it certainly didn't pay any dividend for the expense but they will do it again: They are raccoons!
    - Two, Vista includes huge DRM underpinnings. After XP was released Bill Gates publicly stated that the next version of Windows wouldn't be an OS but instead it would be a Digital Rights Management Platform. This does nothing for us but does plenty for Mickeysoft and the big media companies. I notice they aren't mentioning that fact any more either!

    Basically Microsoft wrote a new OS for themselves instead of us and they made it really visually flashy so the raccoon in all of us will want to roll our eyes back in our head and buy it. The fact that they forgot to put anything we actually need in it has made its adoption really tank. The only real reason they have sold any volume of it is that you almost can't buy a computer without it. To help the process along Microsoft has pushed for new hardware that doesn't have XP driver support and you will start to see programming tools with limited or missing XP support.

    We are coming up to a point where we are looking at a future where we could lose control of what is on our own computers! Vista is already trying to decide if you should be able to access your own files that are already on your computer! Take this fact and combine it with the whole limitations being rammed down our throat with HDTV and we are looking at being consumers that are buying things that we have no control over. A computer could easily act as a HDTV 'VCR' because that is an amazingly simple function but we have been forced to buy into a system where that isn't allowed. The only HDTV VCR like devices are subscription ($$) based!

    You are being quietly guided into a world where you will tithe endlessly to corporations for simple things that in the past you could buy once and be done with. MS has tried to make the OS subscription based. (tithe) Limited number of play media files are subscription based. (tithe) Buying a cell with an MP3 player in it that you will just replace in a year or two is ano

  17. Mmmm, mmmm, good! by Gription · · Score: 4, Funny

    Don't feed the trolls. ???
    But that is the primary reason for /. to begin with!?
  18. Re:Why Windows 95 and NT 4 are enough by Nursie · · Score: 4, Interesting

    "(I have one Win 95B station at my desk just to do drive data recovery and to do a few file tasks that XP doesn't want to let you do...)"

    Why?
    Seriously, what can it do that XP can't? I'm interested.

    File tasks are usually (IMHO) much better done under Linux, which doesn't try to stop you doing anything.

  19. Re:Why Windows 95 and NT 4 are enough by peragrin · · Score: 4, Interesting

    I don't know about him, but the workstations at my work run either Win 95 or, if you're lucky, Win 98SE.

    Why? Because with the NT line MSFT broke a lot of other companies' networking protocols. So we wouldn't be able to connect to the server, which stores all files and applications (the Win95 machines being not much more than dumb terminals). Windows XP won't work, as said server company never made a proper upgrade path for such a configuration. Linux might, but I would need an old school NetWare guru, and someone with enough knowledge of Linux to configure NetWare inside Linux but also DOSBox, as all the applications are DOS based. When this setup was first deployed, Linux was at 0.9 something.

    Then you have to figure out how to sell it to a computer illiterate cheapskate boss.

    --
    I thought once I was found, but it was only a dream.