Home page logo

basics logo Security Basics mailing list archives

Re: Yahoo Messenger Stale Sessions
From: BANIER Jeremie <jeremie.banier () swift com>
Date: Thu, 14 Nov 2002 14:49:51 +0100

I believe switching on keep-alive would perhaps sove that one ...

Windows 2000 TCP keep-alive behavior can be modified by changing the values of the KeepAliveTime and KeepAliveInterval 
entries (HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters). TCP keep-alives can be sent once for every interval 
specified by
the value of KeepAliveTime (defaults to 7,200,000 milliseconds, or two hours) if no other data or higher level 
keep-alives have
carried over the TCP connection. If there is no response to a keep-alive, it is repeated once every interval specified 
by the value
of KeepAliveInterval in seconds. By default, the KeepAliveInterval entry is set to a value of one second.

Hope it helps, if not rebooot ;-)

Tat Wee Kan wrote:

----- Original Message -----
From: <Leonard.Ong () nokia com>
To: <security-basics () securityfocus com>; <incidents () securityfocus com>;
<bugtraq () securityfocus com>
Sent: Monday, November 11, 2002 11:04 AM
Subject: Yahoo Messenger Stale Sessions

During my observation in daily use of Yahoo Messenger, my computer has
"stale/zombie" sessions.  For example, If i have received/message a friend,
yahoo will normally make a direct connection from my PC to my friend.  From
Netstat result, you can see a high port on my computer is having an
Established session with my peer's:5101 port.

The issue is, after a contact has gone offline (dial-up), the state
established in the netstat will remain until the next day.  I wouls see this
as a vulnerabilities, since an arbitrary user can assume the IP Address was
used (dial-up->dynamic ip assignment), and use this established session to
assume it.

Any idea ?

Hmm, I'm not an expert in this, but I do realize if the 4-way handshake for
terminating a connection is not done properly, e.g. the user switched off
his dial-up modem abruptly, it would cause the "stale/zombie" sessions
described as above. The dial-up machine will not have the opportunity to
send the FIN to your machine.

You probably need to know the sequence number, source port, destination port
as well as source IP and destination IP (which you should know).

"Ok, so the servers are down, the lights are out, and all I have to work
with is a roll of duct tape, a ball point pen, a lighter, and a twenty year
old copy of emacs.  Where's the problem? "

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]