[Am-info] Microsoft Windows TCP Packet Information Disclosure
Fred A. Miller
fmiller@lightlink.com
Mon, 22 Sep 2003 14:01:18 -0400
Microsoft Windows TCP Packet Information Disclosure
CRITICAL:
Not critical
IMPACT:
Exposure of sensitive information
WHERE:
From remote
OPERATING SYSTEM:
Microsoft Windows 2000 Advanced Server
Microsoft Windows 2000 Datacenter Server
Microsoft Windows 2000 Professional
Microsoft Windows 2000 Server
Microsoft Windows XP Home Edition
Microsoft Windows XP Professional
DESCRIPTION:
A vulnerability has been identified in the handling of TCP packets in
Microsoft Windows 2000 and Windows XP, which potentially can expose
sensitive information.
The problem is that Windows under some circumstances doesn't clear
the "URG" flag of TCP packets. When this happens Windows will not set
the correct value for the 16 bit "URG" pointer value but may instead
include random data from other data transfers.
This behaviour has been reported to affect Windows 2000 and XP with
all the latest patches and updates. There is no report that this
behaviour can be exploited unless data transfers are occurring at the
same time.
This issue has been rated as "Not critical" since only a small amount
of data may be revealed and because the issue can't be triggered by
malicious people.
SOLUTION:
There's no effective solution available.
Make sure that sensitive traffic is encrypted when transmitted.
REPORTED BY / CREDITS:
Michal Zalewski
OTHER REFERENCES:
Description of TCP header:
http://www.wickiup.com/wickiup/net/#tcp
-- 
"...Linux, MS-DOS, and Windows XP (also known as the Good, the Bad, and
the Ugly)."
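
Added example, not part of the original advisory or of the reporter's material: a Python check that decodes the fixed TCP header of captured segments and reports those whose URG flag or 16 bit urgent pointer field deserves review. The sample segments are constructed, and treating every URG segment as review-worthy is an assumption about the audited hosts.

```python
import struct

URG = 0x20  # URG bit in the TCP flags field (RFC 793)

def parse_tcp_header(segment: bytes) -> dict:
    """Decode the fixed 20-byte TCP header of a raw segment."""
    if len(segment) < 20:
        raise ValueError("truncated TCP header")
    sport, dport, seq, ack, off_flags, window, csum, urg_ptr = struct.unpack(
        "!HHIIHHHH", segment[:20])
    data_offset = (off_flags >> 12) * 4
    if data_offset < 20 or data_offset > len(segment):
        raise ValueError("invalid data offset")
    return {"sport": sport, "dport": dport, "flags": off_flags & 0x3F,
            "urg_ptr": urg_ptr, "payload": segment[data_offset:]}

def classify_urgent(segment: bytes) -> str:
    """Label how a segment uses the URG flag and the urgent pointer field."""
    hdr = parse_tcp_header(segment)
    if hdr["flags"] & URG:
        # Assumption: hosts under audit are not expected to send urgent data,
        # so any URG segment is worth a look.
        return "urg-set"
    if hdr["urg_ptr"] != 0:
        # Receivers ignore the field without URG, so leftover bytes go unnoticed.
        return "pointer-without-urg"
    return "clean"

def build_segment(flags: int, urg_ptr: int, payload: bytes = b"") -> bytes:
    """Constructed sample segment (ports, sequence numbers, checksum made up)."""
    header = struct.pack("!HHIIHHHH", 1025, 80, 1000, 2000,
                         (5 << 12) | flags, 8192, 0, urg_ptr)
    return header + payload

def audit(segments):
    """Return (index, verdict, urgent pointer) for every non-clean segment."""
    findings = []
    for i, seg in enumerate(segments):
        verdict = classify_urgent(seg)
        if verdict != "clean":
            findings.append((i, verdict, parse_tcp_header(seg)["urg_ptr"]))
    return findings

SAMPLES = [  # constructed test data, not captured traffic
    build_segment(0x18, 0x0000, b"GET / HTTP/1.0\r\n"),  # PSH+ACK, pointer zero
    build_segment(0x38, 0x4142, b"data"),                # URG+PSH+ACK
    build_segment(0x10, 0x6f6f),                         # ACK only, pointer set
]
```

Feed audit() the raw TCP segments (IP header already stripped) from a capture of the hosts listed above; an empty result means no segment carried URG or a non-zero urgent pointer.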