MS09-048 is Microsoft's Revenge Against XP in the Enterprise
MS09-048 worries me.
Non-Affected Software
Operating System
Windows XP Service Pack 2 and Windows XP Service Pack 3*
How are default configurations of Windows XP not affected by this vulnerability?
By default, Windows XP Service Pack 2, Windows XP Service Pack 3, and Windows XP Professional x64 Edition Service Pack 2 do not have a listening service configured in the client firewall and are therefore not affected by this vulnerability. For the denial of service to succeed, an affected system must have a listening service with an exception in the client firewall. Windows XP Service Pack 2 and later operating systems include a stateful host firewall that provides protection for computers against incoming traffic from the Internet or from neighboring network devices on a private network.
Someone please tell me I am misinterpreting this. It looks to me like this is bad news for the enterprise that operates any listening services on their Windows XP systems. Oh, I don't know, maybe something like Microsoft SMB/CIFS? In other words, if you expose a service within the enterprise, and you allow other systems to connect to it, then you are vulnerable to MS09-048 -- and Microsoft isn't publishing a patch for XP SP2 or XP SP3?
What's worse is that I can't tell if XP SP2 or SP3 is vulnerable to this vulnerability in MS09-048:
TCP/IP Timestamps Code Execution Vulnerability - CVE-2009-1925
A remote code execution vulnerability exists in the Windows TCP/IP stack due to the TCP/IP stack not cleaning up state information correctly. This causes the TCP/IP stack to reference a field as a function pointer when it actually contains other information. An anonymous attacker could exploit the vulnerability by sending specially crafted TCP/IP packets to a computer that has a service listening over the network. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
So, at best we have an unpatched vulnerability that lets anyone in the enterprise remotely crash any XP SP2 and XP SP3 system with at least one listening service (139, 445 TCP) that the attacker can reach. At worst we have an unpatched vulnerability that lets anyone in the enterprise remotely exploit any XP SP2 and XP SP3 system with at least one listening service (139, 445 TCP) that the attacker can reach.
Does anyone know if TCP/IP Timestamps Code Execution Vulnerability - CVE-2009-1925 applies to XP SP2 or XP SP3?
Incidentally, running Microsoft Update on a Windows XP SP3 system does not show a patch for MS09-048 as available.
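The bulletin text quoted above makes the XP exposure condition concrete: a service listening on the network plus a matching exception in the Windows Firewall. The script below is an added triage check written for this page; it is not part of the original post and not a Microsoft tool. It parses the text output of `netstat -ano` and `netsh firewall show state` (the two XP SP2/SP3 commands that show listeners and firewall exceptions) and reports which TCP listeners are reachable under that condition. The two sample outputs are constructed to mirror those tools' formats, not captured from a real host, and the host name, addresses and PIDs in them are made up.

```python
"""Triage a Windows XP SP2/SP3 host against the precondition MS09-048 states
for XP: a TCP service listening on a non-loopback address AND a matching
exception (open port) in the Windows Firewall. Parses the text output of
`netstat -ano` and `netsh firewall show state`. The two samples below are
constructed to mirror those tools' output format; they were not captured
from a real host."""
import re
from dataclasses import dataclass

# Constructed sample of `netstat -ano` output (not a real capture).
NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       884
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    127.0.0.1:1025         0.0.0.0:0              LISTENING       1204
  TCP    192.168.1.10:139       0.0.0.0:0              LISTENING       4
  TCP    192.168.1.10:3389      0.0.0.0:0              LISTENING       1352
  TCP    192.168.1.10:1044      192.168.1.20:445       ESTABLISHED     4
  UDP    0.0.0.0:445            *:*                                    4
"""

# Constructed sample of `netsh firewall show state` output (not a real capture).
NETSH_SAMPLE = """\
Firewall status:
-------------------------------------------------------------------
Profile                           = Domain
Operational mode                  = Enable
Exception mode                    = Enable
Multicast/broadcast response mode = Enable
Notification mode                 = Enable

Ports currently open on all network interfaces:
Port   Protocol  Version  Program
-------------------------------------------------------------------
139    TCP       Any      (null)
445    TCP       Any      (null)
137    UDP       Any      (null)
138    UDP       Any      (null)
"""


@dataclass(frozen=True)
class Listener:
    addr: str
    port: int
    pid: int


# One `netstat -ano` row for a TCP socket in LISTENING state; the local
# address may be IPv4 ("0.0.0.0:445") or bracketed IPv6 ("[::]:445").
_LISTEN_ROW = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING\s+(\d+)\s*$")
# One row of the "Ports currently open" table: port, protocol, version, program.
_OPEN_PORT_ROW = re.compile(r"^\s*(\d+)\s+(TCP|UDP)\s+\S+\s+(.*?)\s*$")
_OPER_MODE = re.compile(r"^\s*Operational mode\s*=\s*(\w+)")


def parse_netstat_listeners(text):
    """Return every TCP LISTENING socket reported by `netstat -ano`."""
    out = []
    for line in text.splitlines():
        m = _LISTEN_ROW.match(line)
        if m:
            out.append(Listener(m.group(1), int(m.group(2)), int(m.group(3))))
    return out


def parse_netsh_state(text):
    """Return (operational_mode, {(proto, port): program}) from
    `netsh firewall show state`. Only rows after the 'Ports currently open'
    header count as exceptions."""
    mode, open_ports, in_table = None, {}, False
    for line in text.splitlines():
        m = _OPER_MODE.match(line)
        if m:
            mode = m.group(1)
            continue
        if line.startswith("Ports currently open"):
            in_table = True
            continue
        if in_table:
            m = _OPEN_PORT_ROW.match(line)
            if m:
                open_ports[(m.group(2), int(m.group(1)))] = m.group(3)
    return mode, open_ports


def is_loopback(addr):
    return addr.startswith("127.") or addr == "[::1]"


def exposed_listeners(netstat_text, netsh_text):
    """Listeners reachable from the network under the bulletin's precondition:
    the Windows Firewall is off (every non-loopback listener counts), or it is
    on and the port has a TCP exception."""
    mode, open_ports = parse_netsh_state(netsh_text)
    firewall_on = (mode or "").lower() == "enable"
    result = []
    for lst in parse_netstat_listeners(netstat_text):
        if is_loopback(lst.addr):
            continue  # not reachable by "neighboring network devices"
        if not firewall_on or ("TCP", lst.port) in open_ports:
            result.append(lst)
    return sorted(result, key=lambda x: x.port)


def exposed_ports(netstat_text, netsh_text):
    return [lst.port for lst in exposed_listeners(netstat_text, netsh_text)]


if __name__ == "__main__":
    mode, _ = parse_netsh_state(NETSH_SAMPLE)
    print("Windows Firewall operational mode:", mode)
    for lst in exposed_listeners(NETSTAT_SAMPLE, NETSH_SAMPLE):
        print(f"EXPOSED  TCP/{lst.port:<5} bound to {lst.addr:<15} pid {lst.pid}")
```

On a real host, capture `netstat -ano` and `netsh firewall show state` to text files and feed them to the two parsers. With the constructed samples, TCP 139 and 445 come out as exposed (the File and Printer Sharing exception is on), while 135 and 3389 listen but are blocked and the 127.0.0.1 listener is ignored. If the Windows Firewall reports Operational mode = Disable, which is what you will see on hosts that run a third-party firewall instead, the script treats every non-loopback listener as exposed; that is the conservative reading of the bulletin, not a statement about the third-party product. Note that this only tells you whether the bulletin's stated precondition holds on a host, not whether the host is exploitable for CVE-2009-1925.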
Comments
But my first read, and yours, is correct. Microsoft is just playing dumb by saying a default config has no listening services...but once a user gets on the system, it basically ends up with listening services almost without exception.
But your second question is very valid, and I wish I knew the answer. Basically, is XP then vulnerable to just a DoS or also the remote code exec?
If you look at the "Vulnerability Severity Rating..." table you'll see that CVE-2009-1925 does not affect 2000, and 2003. I suppose this means that the vulnerability appeared on newer code introduced in Vista.
MS09-048 should still apply to XP for the two other DoS vulnerabilities and the reasons you mention.
Not sure if it really sheds light on much, but hopefully if people ask more questions they will post some follow-ups on the MS SRD blog.
I don't know if I agree with you regarding the revenge factor. Most large enterprises I have worked in don't use the Windows XP firewall (the 275,000 seat enterprise I work in now uses a 3rd party product). Microsoft probably knows this and while I like to vilify Microsoft whenever possible, I am not convinced that this particular circumstance is "part of the plan". If the vulnerability is only present when the firewall is configured and active, then I would suggest that not as many enterprises as one would suppose would be vulnerable.
The blog mentions Toeplitz hash while talking about CVE-2009-1925.
The mention of hashing could be a clue that the vulnerability has its roots in RSS (Receive side scaling).
Here is my take on it. (Wild guess)
1. The hash is used by RSS to map flows to processors.
2. The hash is not the cheapest to compute. So it is calculated only if a listening service in userland responds to an incoming packet (eg, TCP syn). This explains the note by Richard that you need an exposed listening service. Any service will probably do.
3. Once computed for a flow the hash is probably stored in the TCP state structures. Since the hash always maps a TCP flow to the same value, looking up the precalculated hash presents opportunity for an optimization.
4. It might be possible to overflow the TCP control structures (TCBs) and the mapped hash values in such a way that will result in the lookup of an invalid hash. This might bugcheck because it trips in the kernel. Hence the system DoS.
This does not explain the role of TCP Timestamps in this exploit. Also no idea how it could be used for RCE.
What do others think?
http://www.microsoft.com/technet/security/bulletin/ms09-048.mspx
No further mention that they won't be patching or why.