US-CERT - Microsoft IP Source Route Vulnerability (VU#722753)
From US-CERT:
I. Description
Source routing is a technique to determine the network route for a packet based on information supplied by the sender in the IP packet. The TCP/IP driver in some versions of Microsoft Windows contains a buffer overflow in the handling of packets with source routing information. The driver fails to validate the length of a message before it is passed to an allocated buffer. Microsoft states that IP packets containing IP source route options 131 and 137 could be used to initiate a connection with the affected components.
II. Impact
A remote attacker with the ability to supply a specially crafted packet may be able to execute arbitrary code on an affected system. The attacker-supplied code would be executed with kernel privileges.
Umm…
When is the last time there was an overhaul of the IP protocol? How long has this bug been in the code? Is someone smoking CRACK!?
Remember, the network protocol stack runs with kernel rights.
Own the kernel and you own the box, at a level where antivirus and other HIDS products are useless.
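The advisory describes the bug class precisely: a sender-supplied option length copied into a buffer before anyone checks it. What the missing check looks like, as an added example (an editor's illustration for this post, not code from Microsoft's tcpip.sys, from US-CERT, or from the original post): a bounds-checked parser for the two source-route options the advisory names, LSRR (131) and SSRR (137) from RFC 791, with the unchecked copy pattern left in a comment. The sample option bytes are constructed, and the type and function names are the example's own.

```c
/* Added example, not code from Windows tcpip.sys, US-CERT, or this post:
 * a bounds-checked parser for IPv4 source-route options (LSRR = 131,
 * SSRR = 137, RFC 791). The unchecked pattern the advisory describes is
 * shown in a comment, not executed. Builds with any C99 compiler. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define IPOPT_EOL   0
#define IPOPT_NOP   1
#define IPOPT_LSRR  131   /* 0x83: loose source and record route */
#define IPOPT_SSRR  137   /* 0x89: strict source and record route */
#define IP_OPTS_MAX 40    /* IHL is 4 bits, so at most 60 - 20 option bytes */
#define IP_HOPS_MAX 9     /* (40 - 3 header bytes) / 4 bytes per hop address */

struct source_route {
    uint8_t  type;                /* IPOPT_LSRR, IPOPT_SSRR, or 0 if none found */
    uint8_t  pointer;             /* RFC 791 pointer: offset of the next hop */
    uint8_t  nhops;
    uint32_t hops[IP_HOPS_MAX];   /* fixed buffer: what an unchecked copy overruns */
};

/* Walk the options area of an IPv4 header (opts, optlen bytes) and extract a
 * source-route option. Returns 1 if a well-formed LSRR/SSRR was found, 0 if
 * no source route is present, -1 if any option is malformed. */
int parse_source_route(const uint8_t *opts, size_t optlen, struct source_route *out)
{
    size_t i = 0;
    memset(out, 0, sizeof *out);
    if (optlen > IP_OPTS_MAX)
        return -1;
    while (i < optlen) {
        uint8_t type = opts[i];
        if (type == IPOPT_EOL)
            break;
        if (type == IPOPT_NOP) { i++; continue; }
        /* Every other option carries a length byte covering type+length+data. */
        if (i + 1 >= optlen)
            return -1;
        uint8_t len = opts[i + 1];
        /* The check the advisory says was missing: the sender-supplied length
         * must fit inside the options area before anything is copied. */
        if (len < 2 || len > optlen - i)
            return -1;
        if (type == IPOPT_LSRR || type == IPOPT_SSRR) {
            if (out->type != 0 || len < 3 || (len - 3) % 4 != 0)
                return -1;                 /* one route only, whole addresses only */
            uint8_t nhops = (uint8_t)((len - 3) / 4);
            uint8_t ptr = opts[i + 2];
            if (nhops > IP_HOPS_MAX)       /* implied by len <= 40; kept explicit */
                return -1;
            if (ptr < 4 || ptr > len + 1 || (ptr - 4) % 4 != 0)
                return -1;                 /* pointer must sit on a hop boundary */
            /* UNCHECKED PATTERN (the bug class in the advisory):
             *     memcpy(out->hops, &opts[i + 3], len - 3);
             * without the len > optlen - i test above, a forged len of 255
             * copies 252 bytes into a 36-byte buffer and reads past the packet. */
            for (uint8_t h = 0; h < nhops; h++) {
                const uint8_t *a = &opts[i + 3 + 4 * h];
                out->hops[h] = ((uint32_t)a[0] << 24) | ((uint32_t)a[1] << 16) |
                               ((uint32_t)a[2] << 8)  |  (uint32_t)a[3];
            }
            out->type = type;
            out->pointer = ptr;
            out->nhops = nhops;
        }
        i += len;
    }
    return out->type ? 1 : 0;
}

/* Constructed sample option areas (not captured traffic). */
static const uint8_t good_lsrr[]  = { IPOPT_LSRR, 11, 4, 10,0,0,1, 192,168,1,1, IPOPT_EOL };
static const uint8_t forged_len[] = { IPOPT_LSRR, 0xFF, 4, 10,0,0,1, IPOPT_EOL };
static const uint8_t truncated[]  = { IPOPT_NOP, IPOPT_SSRR };

/* Wrappers that return checkable values: 1 = parsed as expected, -1 = rejected. */
int demo_good(void)
{
    struct source_route r;
    if (parse_source_route(good_lsrr, sizeof good_lsrr, &r) != 1)
        return -1;
    return r.nhops == 2 && r.hops[0] == 0x0A000001u && r.hops[1] == 0xC0A80101u;
}
int demo_forged_len(void)
{
    struct source_route r;
    return parse_source_route(forged_len, sizeof forged_len, &r);
}
int demo_truncated(void)
{
    struct source_route r;
    return parse_source_route(truncated, sizeof truncated, &r);
}
```

The point of the shape here is that the length byte is validated against the remaining options area before it is used for any arithmetic or copy, and the destination is sized from the protocol's hard limit (40 option bytes, so at most 9 hops) rather than from anything the sender controls. The forged-length sample is rejected at the length check, the truncated sample at the "is there even a length byte" check; neither gets as far as the loop that reads hop addresses.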
In my previous post I gave a few recommendations on how to improve code security.
Here’s another:
- Implement a “critical code” team responsible for the parts of the system that must meet extraordinary security requirements
The organization should fully train and resource this group, and aim for CMMI level 4 or 5 for its software development. The group should have the authority to halt a release when a critical flaw is suspected.
I pay you.
Bill