Service toot: Please update all your #Windows installations right away.
Back in my HTL days we had a lot of fun with #PingOfDeath; this time there is plenty of joy too. Just, once again, not for the victims...
#windows #pingofdeath #cve202323415 #rce
Re #cve202323415, does anyone know if there's an easy way to identify the use of raw sockets on a Windows system? It might be possible to tease them out by finding listening ports using a port sweep and then comparing that with the list of listening ports from netstat. If they don't show up, then it's a raw socket. @GossiTheDog Thoughts?
Thinking about #cve202323415: How often is it really that server applications are actually bound to #RawSockets? I wouldn't think it was often except in rare cases where packet fu is being conducted. (Packet capture, custom TCP/IP stacks for network tools, pen test tools, etc.)
@GossiTheDog
Will netstat or any other command show if a process is specifically listening on a raw socket?
I wrote about CVE-2023-23415, looking at the vuln + mitigations + threat intel. #CVE202323415
Regarding #CVE202323415, I will be the vuln hype train deflater: I would wait for more technical info to emerge before pressing the panic button.
To me, it looks like it needs a third party app listening on raw sockets to be exploitable. That isn't true out of the box... and TCP raw sockets were disabled 19 years ago in Windows XP.
I suspect recreating exploitability may need something like Winpcap driver installed + app listening on top with raw sockets, which is in the <1% club of scenarios.
So @hexnomad found a pretty fun Windows vulnerability - CVE-2023-23415
Trigger remote code execution with fragmented IP packets wrapped in ICMP packets.
There may be some caveats on this one before the panic sets in, as you need an app listening on a raw socket and such. So no logos yet.