• News
• Infocus
• Foundations
• Microsoft
• Unix
• IDS
• Incidents
• Virus
• Pen-Test
• Firewalls
• Columnists
• Mailing Lists
• Newsletters
• Bugtraq
• Focus on IDS
• Focus on Linux
• Focus on Microsoft
• Forensics
• Pen-test
• Security Basics
• Vuln Dev
• Vulnerabilities
• Jobs
• Job Opportunities
• Resumes
• Job Seekers
• Employers
• Tools
• RSS
• News
• Vulns
• Security Research

• info
• discussion
• exploit
• solution
• references

Microsoft Windows IP Source Routing Vulnerability

A vulnerability in the Windows 95/98 and NT TCP/IP stacks allows specially crafted IP packets to perform source routing functions, even when source routing has been specifically disabled (NT SP5 Registry Setting: (HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\DisableIPSourceRouting)

The vulnerability lies within the stack's inability to properly process source routed packets where the offset value is set greater than the specified route length. In this case, the data in the packet will get passed to the application layer of the host for further processing (instead of being dropped by the stack.) Should the attacker spoof the source address and, instead, use a source address of a known host on an internal network (assuming the Windows host is dual-homed), the datagram reply will be sent to the host on the internal network (accessible via the second NIC).

In addition to being susceptible to various tunneling attacks, the vulnerable host may be used to aid an attacker in locating other non-Windows hosts that have source routing enabled and/or perform port scans against other Windows hosts.