
SANS ISC: MS06-032: Source routing buffer overflow SANS ISC InfoSec Forums


MS06-032: Source routing buffer overflow
MS06-032 - KB 917953

While Microsoft rates this as only important, we at the Internet Storm Center feel that it is very critical. It is easy to exploit: one (spoofed) packet could allow an attacker to "own" a vulnerable system. The TCP/IP stack is vulnerable to a buffer overflow in the handling of source-routed packets.

While some firewalls might protect against this, consider systems that are used on the road, such as in airports, hotels, ...; they must be protected now.

Workarounds:
  • Block packets with source routing options in the firewall. According to Microsoft "IP source route options 131 and 137" are the dangerous ones, but why would you allow source routing through your firewall anyway?
  • A personal firewall might help as well.
  • Disable source routing in Windows by setting a registry key (see the Microsoft bulletin for details) [highly recommended action, even if you patched already]
This vulnerability is covered in CVE-2005-2379.

--
Swa Frantzen -- section 66


Jun 13th 2006
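
The firewall workaround above comes down to walking the IPv4 header options and dropping anything that carries type 131 (loose source route) or 137 (strict source route). The Python sketch below is an added example, not code from the diary or from Microsoft; the function names and the sample headers (built with documentation addresses) are constructed for illustration, and it also drops headers whose option lengths do not add up.

```python
import struct

LSRR, SSRR = 131, 137  # loose / strict source route, the option types named above
EOL, NOP = 0, 1        # the two single-byte options (no length field)

def ipv4_options(packet: bytes):
    """Yield (type, data) per IPv4 header option; ValueError if malformed."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    hlen = (packet[0] & 0x0F) * 4          # IHL counts 32-bit words
    if hlen < 20 or hlen > len(packet):
        raise ValueError("bad IHL")
    i = 20                                  # options start after the fixed header
    while i < hlen:
        opt = packet[i]
        if opt == EOL:
            return
        if opt == NOP:
            i += 1
            continue
        if i + 1 >= hlen:
            raise ValueError("option truncated")
        olen = packet[i + 1]                # length covers type and length bytes
        if olen < 2 or i + olen > hlen:
            raise ValueError("bad option length")
        yield opt, packet[i + 2:i + olen]
        i += olen

def verdict(packet: bytes) -> str:
    """Filter decision: drop source-routed or malformed headers, pass the rest."""
    try:
        for opt, _data in ipv4_options(packet):
            if opt in (LSRR, SSRR):
                return "drop: source route option %d" % opt
    except ValueError as err:
        return "drop: malformed (%s)" % err
    return "pass"

def sample_header(options: bytes = b"") -> bytes:
    """Constructed test header (documentation addresses, checksum left at 0)."""
    options += b"\x00" * (-len(options) % 4)     # pad to a 32-bit boundary
    ihl = 5 + len(options) // 4
    return struct.pack("!BBHHHBBH4s4s", 0x40 | ihl, 0, 20 + len(options), 0, 0,
                       64, 6, 0, bytes([192, 0, 2, 1]), bytes([198, 51, 100, 7])) + options

if __name__ == "__main__":
    for opts in (b"", bytes([131, 7, 4, 10, 0, 0, 1]), bytes([1, 137, 7, 4, 10, 0, 0, 1])):
        print(verdict(sample_header(opts)))
```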
