Let's see if we can reduce this problem. Is this the sequence of cause and
effect described in the bulletin?
1. Start with XP SP1 with ICF off and ICS on (a home user using dialup and
bridging to the rest of their home network comes to mind and is still
common, I believe)
2. Upgrade to SP2
3. "As soon as you install SP2 on a Windows XP PC with a certain
configuration, your file and printer sharing data are visible worldwide,
despite an activated Firewall."
I think = Ports 137, 138,139, 445 are open and unfiltered on any interface,
file and printer sharing is available for network login from any network (I
guess)
4. "This also applies to all other services." Now, all ports and running
services are available on all interfaces?
5. "The PC only has to provide sharing for an internal local network and
connect to the Internet via dial-up or ISDN" Now, ICS is enabled?? On the
dial-up of ISDN??? Or do they mean have file and print sharing enabled on
an interface (trusted interface = internal)? Wha?
6. "Additionally, Internet Connection Sharing of the PC has to be disabled."
OK, must mean no ICS.
So, without building a default XP build adding SP1 and then doing the above
upgrade to verify, I think the bulletin is saying that SP2 upgrades with ICF
off and ICS enabled, that this setup will not propagate a 'secure by
default' configuration upon upgrade. Certainly, the configuration can
easily be fixed and the risk mitigated, but unsophisticated users will never
know to fix this on their own (or not 'secure by default').
To speculate, maybe the starting configuration, which bridges interfaces and
therefore doesn't allow access control in the default MS implementation, has
the interface objects in a state that passes object properties to all
objects in the upgrade rather than just the SP2's expected object set.
Fred Langston, CISSP
Principal Consultant
VeriSign, Inc. Global Security Consulting
M: 425.765.3330 O: 206.903.8147 x223
-----Original Message-----
From: Laura A. Robinson [mailto:laurarobinson (at) earthlink (dot) net [email concealed]]
Sent: Wednesday, September 22, 2004 5:14 PM
To: 'Thor'; focus-ms (at) securityfocus (dot) com [email concealed]
Subject: RE: Serious Security Issue in Windows XP SP2's Firewall
Inline with snippage... (but in a nutshell, your instincts are correct, Tim)
> > In other words, this caused the service to be released
> worldwide through
> > the dial-up connection as soon as you were connected to the
> Internet.
Um, what are these people smoking? They're saying that when you establish a
point-to-point dial-up connection and have F&P Sharing enabled, you're
somehow magically exposing your machine to the planet?? Am I
misunderstanding their claim?
> > Microsoft at that time issued an update to patch the bug.
> The fact that
> > file and printer sharing since then is not connected to the dial-up
> > connection anymore, can easily be seen on your system:
> Right-click on the
> > symbol "My Network Places" and select "Properties". Repeat
> the right-click
> > and selection with the icon of your dial-up connection and
> select the tab
> > "Settings". If there is no check at "File and Printer Sharing", it
> > indicates that this service should not be made available
> through your
> > dial-up connection.
I cannot confirm or deny that this is a default setting as I have FPS
disabled on all of my connections and do not recall what the default
settings were.
> >
> > This in fact is true for Windows XP without Service Pack.
> Since SP1, this
> > configuration is hardly more than cosmetics and does not
> serve any purpose
> > anymore. This means, the file and printer sharing service
> >is connected in
> > general, also to the dial-up network adapter.
Okay, call me thick or confused, but what does this mean? What are they
talking about- A dial-up adapter, or a network adapter? Is this a
translation thing? I have absolutely no idea what the above is supposed to
say.
>> This in
> itself is a serious
> > bug, since your shared data potentially could be seen on
> the Internet.
Gee, now it's not "the world" and it's only "potentially"?
> > However, there are no catastrophic effects, as every
> dial-up connection is
> > configured with an activated firewall by default.
> >
> > If you intended to deactivate this firewall, Windows
> displayed an easily
> > recognizable dialog, that this choice would allow access to
> your computer.
> > Despite the bug in SP1, the configuration of the firewall
> was worked out
> > in a clean way: You were able to run the dial-up connection with a
> > firewall and the internal network card without, because the
> latter was
> > supposed to enable access through the Windows network.
Okay, fine, whatever. I have some of my connections firewalled and others
not. That didn't change with SP2.
> >
> > SP1 + SP2 leads to a catastrophic error
> >
> > Due to the bug carried over from SP1 as well as a new bug,
> the firewall
> > configuration with SP2 has a catastrophic effect. The SP2
> installation
> > simply uses the previous configuration of the firewall: If
> it was active
> > for the dial-up connection, now it also has been activated
> for the network
> > adapter.
Are they talking about the enabling of the firewall? If so, they're wrong.
Are they talking about the enabling of FPS system-wide? If so, they're
wrong. Are they saying that *if* a luser, er, user were to do something like
go and enable FPS on a dial-up connection but not on a LAN connection, that
installing SP2 would then enable FPS on the network connection, as well? If
so, I have no idea if it's true as I'd not do something like that. However,
I see nothing on my system to indicate that this is true.
> >
> > At the same time, an exception is determined for file and
> printer sharing:
> > For the internal network card - and astonishingly also for
> all adapters.
Not on my machine. At all.
> >
> > With the first use of the dial-up connection after
> installing SP2, all of
> > your shared data are available on the Internet.
Okay, this is just a stupid statement.
> Now, other
> users can start
> > guessing your passwords for administrator and guest and you
> basically are
> > no more secure than the first Windows 95 users with an Internet
> > connection - thanks to Service Pack 2.
See above.
> >
> > How to correct the problem
> >
> > It is not advisable to keep this defective default
> configuration. However,
> > the previous environment cannot be restored: The
> configuration for the
> > firewall was changed, which does not allow the setting of active or
> > inactive conditions or exceptions for each network adapter
> anymore. Now
> > this only works for network areas.
BZZZZZZT! Wrong again, kiddies. They need to investigate the Advanced tab in
the Windows firewall better. I just allowed 3389 on one and only one of my
connectoids. In *fact*, on that Advanced tab, the very first chunk of text
reads:
"Windows firewall is enabled for the selected connections below. To add
exceptions for an individual connection, select it, and then click
Settings."
You can even <gasp!> *pre*-set exceptions for connections on which the
firewall is not currently enabled! Neat-OH!
> >
> > Choose "Windows Firewall" in the in the Windows Control
> Panel and the
> > there the tab "Exceptions". Select "File and Print
> Services" and click on
> > "Edit". Now you can see four ports which are used by the
> file and print
> > sharing service.
> >
> > To lock the service to the outside and keep it open for the
> internal LAN,
> > you have to individually select and change its area with
> the respective
> > button.
And the point is?
> >Our reader Yves Jerschov notified us of another
> > bug: The value for
> > the area set by default "Only for own network (Subnet)"
> only works, if the
> > Internet Connection Sharing is activated.
My apparently magic computer disagrees with Yves. I do not have ICS on any
of my connections. I do, however, have "Only for own network (subnet)"
available for each exception. I click the little radio button and SHAZAM! It
works.
This is ridiculously easy to test. (even when it involves hobbling on
crutches from one room to another- only for you, T., do I do these things.
;-) )
1. Make sure that the XPSP2 box has Remote Desktop enabled.
2. In the Windows Firewall exceptions, ensure that your connection (I
recommend having only one active connection during this testing for obvious
reasons) allows Remote Desktop (TCP 3389) from "the world".
3. Go to a machine on another subnet and remote in to the XP box. Verify
success.
4. Okay, now the fun part. Since you're already remoted into the XP box,
change the firewall setting to (subnet) for TCP 3389.
5. Disconnect your session.
6. Attempt to reconnect. Oh, my goodness, it doesn't work anymore. Must be
that there firewall thingie that don't werk unless you use ICS on one of
your connections. Puhleeze.
> > If this is not
> the case, your
> > shared data are visible worldwide.
Aside from the fact that their premise is incorrect, this is not quite the
case even if it *were* correct.
> > This error can be
> corrected by choosing
> > "User defined List" and entering the IP addresses that are
> supposed to
> > have access - the IP addresses of your LAN. A whole range
> of an IP area
> > can be entered as "192.168.x.0/255.255.255.0", if the
> respective addresses
> > start with 192.168.x.
See above.
> >
> > After these measures, you can be sure to be as safe as you
> were with SP1.
> > Great, don't you think?
I think I'd really like to know what these guys consider a testing
methodology.
Let's see if we can reduce this problem. Is this the sequence of cause and
effect described in the bulletin?
1. Start with XP SP1 with ICF off and ICS on (a home user using dialup and
bridging to the rest of their home network comes to mind and is still
common, I believe)
2. Upgrade to SP2
3. "As soon as you install SP2 on a Windows XP PC with a certain
configuration, your file and printer sharing data are visible worldwide,
despite an activated Firewall."
I think = Ports 137, 138,139, 445 are open and unfiltered on any interface,
file and printer sharing is available for network login from any network (I
guess)
4. "This also applies to all other services." Now, all ports and running
services are available on all interfaces?
5. "The PC only has to provide sharing for an internal local network and
connect to the Internet via dial-up or ISDN" Now, ICS is enabled?? On the
dial-up of ISDN??? Or do they mean have file and print sharing enabled on
an interface (trusted interface = internal)? Wha?
6. "Additionally, Internet Connection Sharing of the PC has to be disabled."
OK, must mean no ICS.
So, without building a default XP build adding SP1 and then doing the above
upgrade to verify, I think the bulletin is saying that SP2 upgrades with ICF
off and ICS enabled, that this setup will not propagate a 'secure by
default' configuration upon upgrade. Certainly, the configuration can
easily be fixed and the risk mitigated, but unsophisticated users will never
know to fix this on their own (or not 'secure by default').
To speculate, maybe the starting configuration, which bridges interfaces and
therefore doesn't allow access control in the default MS implementation, has
the interface objects in a state that passes object properties to all
objects in the upgrade rather than just the SP2's expected object set.
Fred Langston, CISSP
Principal Consultant
VeriSign, Inc. Global Security Consulting
M: 425.765.3330 O: 206.903.8147 x223
-----Original Message-----
From: Laura A. Robinson [mailto:laurarobinson (at) earthlink (dot) net [email concealed]]
Sent: Wednesday, September 22, 2004 5:14 PM
To: 'Thor'; focus-ms (at) securityfocus (dot) com [email concealed]
Subject: RE: Serious Security Issue in Windows XP SP2's Firewall
Inline with snippage... (but in a nutshell, your instincts are correct, Tim)
> > In other words, this caused the service to be released
> worldwide through
> > the dial-up connection as soon as you were connected to the
> Internet.
Um, what are these people smoking? They're saying that when you establish a
point-to-point dial-up connection and have F&P Sharing enabled, you're
somehow magically exposing your machine to the planet?? Am I
misunderstanding their claim?
> > Microsoft at that time issued an update to patch the bug.
> The fact that
> > file and printer sharing since then is not connected to the dial-up
> > connection anymore, can easily be seen on your system:
> Right-click on the
> > symbol "My Network Places" and select "Properties". Repeat
> the right-click
> > and selection with the icon of your dial-up connection and
> select the tab
> > "Settings". If there is no check at "File and Printer Sharing", it
> > indicates that this service should not be made available
> through your
> > dial-up connection.
I cannot confirm or deny that this is a default setting as I have FPS
disabled on all of my connections and do not recall what the default
settings were.
> >
> > This in fact is true for Windows XP without Service Pack.
> Since SP1, this
> > configuration is hardly more than cosmetics and does not
> serve any purpose
> > anymore. This means, the file and printer sharing service
> >is connected in
> > general, also to the dial-up network adapter.
Okay, call me thick or confused, but what does this mean? What are they
talking about- A dial-up adapter, or a network adapter? Is this a
translation thing? I have absolutely no idea what the above is supposed to
say.
>> This in
> itself is a serious
> > bug, since your shared data potentially could be seen on
> the Internet.
Gee, now it's not "the world" and it's only "potentially"?
> > However, there are no catastrophic effects, as every
> dial-up connection is
> > configured with an activated firewall by default.
> >
> > If you intended to deactivate this firewall, Windows
> displayed an easily
> > recognizable dialog, that this choice would allow access to
> your computer.
> > Despite the bug in SP1, the configuration of the firewall
> was worked out
> > in a clean way: You were able to run the dial-up connection with a
> > firewall and the internal network card without, because the
> latter was
> > supposed to enable access through the Windows network.
Okay, fine, whatever. I have some of my connections firewalled and others
not. That didn't change with SP2.
> >
> > SP1 + SP2 leads to a catastrophic error
> >
> > Due to the bug carried over from SP1 as well as a new bug,
> the firewall
> > configuration with SP2 has a catastrophic effect. The SP2
> installation
> > simply uses the previous configuration of the firewall: If
> it was active
> > for the dial-up connection, now it also has been activated
> for the network
> > adapter.
Are they talking about the enabling of the firewall? If so, they're wrong.
Are they talking about the enabling of FPS system-wide? If so, they're
wrong. Are they saying that *if* a luser, er, user were to do something like
go and enable FPS on a dial-up connection but not on a LAN connection, that
installing SP2 would then enable FPS on the network connection, as well? If
so, I have no idea if it's true as I'd not do something like that. However,
I see nothing on my system to indicate that this is true.
> >
> > At the same time, an exception is determined for file and
> printer sharing:
> > For the internal network card - and astonishingly also for
> all adapters.
Not on my machine. At all.
> >
> > With the first use of the dial-up connection after
> installing SP2, all of
> > your shared data are available on the Internet.
Okay, this is just a stupid statement.
> Now, other
> users can start
> > guessing your passwords for administrator and guest and you
> basically are
> > no more secure than the first Windows 95 users with an Internet
> > connection - thanks to Service Pack 2.
See above.
> >
> > How to correct the problem
> >
> > It is not advisable to keep this defective default
> configuration. However,
> > the previous environment cannot be restored: The
> configuration for the
> > firewall was changed, which does not allow the setting of active or
> > inactive conditions or exceptions for each network adapter
> anymore. Now
> > this only works for network areas.
BZZZZZZT! Wrong again, kiddies. They need to investigate the Advanced tab in
the Windows firewall better. I just allowed 3389 on one and only one of my
connectoids. In *fact*, on that Advanced tab, the very first chunk of text
reads:
"Windows firewall is enabled for the selected connections below. To add
exceptions for an individual connection, select it, and then click
Settings."
You can even <gasp!> *pre*-set exceptions for connections on which the
firewall is not currently enabled! Neat-OH!
> >
> > Choose "Windows Firewall" in the in the Windows Control
> Panel and the
> > there the tab "Exceptions". Select "File and Print
> Services" and click on
> > "Edit". Now you can see four ports which are used by the
> file and print
> > sharing service.
> >
> > To lock the service to the outside and keep it open for the
> internal LAN,
> > you have to individually select and change its area with
> the respective
> > button.
And the point is?
> >Our reader Yves Jerschov notified us of another
> > bug: The value for
> > the area set by default "Only for own network (Subnet)"
> only works, if the
> > Internet Connection Sharing is activated.
My apparently magic computer disagrees with Yves. I do not have ICS on any
of my connections. I do, however, have "Only for own network (subnet)"
available for each exception. I click the little radio button and SHAZAM! It
works.
This is ridiculously easy to test. (even when it involves hobbling on
crutches from one room to another- only for you, T., do I do these things.
;-) )
1. Make sure that the XPSP2 box has Remote Desktop enabled.
2. In the Windows Firewall exceptions, ensure that your connection (I
recommend having only one active connection during this testing for obvious
reasons) allows Remote Desktop (TCP 3389) from "the world".
3. Go to a machine on another subnet and remote in to the XP box. Verify
success.
4. Okay, now the fun part. Since you're already remoted into the XP box,
change the firewall setting to (subnet) for TCP 3389.
5. Disconnect your session.
6. Attempt to reconnect. Oh, my goodness, it doesn't work anymore. Must be
that there firewall thingie that don't werk unless you use ICS on one of
your connections. Puhleeze.
> > If this is not
> the case, your
> > shared data are visible worldwide.
Aside from the fact that their premise is incorrect, this is not quite the
case even if it *were* correct.
> > This error can be
> corrected by choosing
> > "User defined List" and entering the IP addresses that are
> supposed to
> > have access - the IP addresses of your LAN. A whole range
> of an IP area
> > can be entered as "192.168.x.0/255.255.255.0", if the
> respective addresses
> > start with 192.168.x.
See above.
> >
> > After these measures, you can be sure to be as safe as you
> were with SP1.
> > Great, don't you think?
I think I'd really like to know what these guys consider a testing
methodology.
I call bullpucky.
Laura
------------------------------------------------------------------------
---
------------------------------------------------------------------------
---
------------------------------------------------------------------------
---
------------------------------------------------------------------------
---
[ reply ]