Home page logo

nmap-dev logo Nmap Development mailing list archives

FW: MS05-019 & Win2k
From: "Feliciano, Marcial" <mfeliciano () wnfnet com>
Date: Tue, 26 Apr 2005 00:32:05 -0400

FYI Re: MS05-019 and Windows Raw Sockets:

More on MS05-019

It breaks a lot more than just raw sockets on current Win32 platforms.
It wreaks havoc on pre XP systems as well in other areas.

Win2k machines are not affected by MS05-019 raw sockets issue but this
early patch release breaks so much more on Win2k that it causes its own
denial of service!

Our enterprise loaded with Win2k SP4 (fully patched) servers experienced
a multitude of issues over the last few days that almost had me pulling
my hair out until I eventually narrowed down the problem and helped
Microsoft resolve the issues leading to the release of the "updated
patch" today (4/25/05).

MS05-019 modifies the IP stack and replaces tcpip.sys with a modified
version that changes the values of the MaxICMP route and MTU settings.
It virtually crippled all of our servers on WAN sites that were going
across routers and firewalls due to packet MTU size issues and discards.

All of our WAN servers would run fine for a day after reboot and shortly
thereafter would begin to fail with AD replication, RPC communication,
Terminal services, IIS/WebDav, etc. Basically all of the upper layer
services. ICMP (ping echo-replies) would always work but all of the
upper services would not respond. We first noticed it with our heavy
Citrix/Printing as spool jobs would fail. 

This primarily affects servers in routed environments or any environment
where packet size MTU and DF bit settings may be set. Small environments
where all servers are in one physical/logical site will not experience
this issue.

MS05-019 modifies:

C:\WINNT\system32\drivers\tcpip.sys <- main replaced/affected file with
a Feb 2005 version from former June 2003 version.

Just thought I'd share as maybe this information can be useful to many
of your readers who may be suffering or will soon be suffering from
weird Windows issues.

It took me 3 days to prove it to Microsoft even after I could replicate
the issue and finally they admitted to me that their developers started
working on a fix for this issue as a post MS05-019/KB893066 update which
was released today. The MS05-019 patch was released as a "rush" patch to
address other issues that were going on in the field.

I have not tried the updated fix yet so I can not speak to the raw
sockets issue on XP machines. This would be a good test to see if it
addresses that as well.

More interesting reading info released late on Monday April 25th:

The official Microsoft Bulletin released today:


And another good related link:


Marcial Feliciano
Sr. Systems/Security Engineer
Wilmington Finance (AIG subsidiary)

-----Original Message-----
From: nmap-hackers-bounces () insecure org
[mailto:nmap-hackers-bounces () insecure org] On Behalf Of Fyodor
Sent: Monday, April 25, 2005 6:32 PM
To: nmap-hackers () insecure org
Subject: Raw sockets, MS05-019 and Windows Firewall -- Summary

In my Saturday raw sockets rant, I included a message from Robin Keir
describing how MS05-019 breaks raw sockets even for pre-SP2 WinXP
machines.  He has now done more research and sent me the following mail
summarizing how windows platforms (Win2K, WinXP, Win2003) interact with
service patches, hotfixes, and the sharedaccess service to restrict (or
not) raw sockets.  For the executive summary, read just the final line
of his email.

From: Robin Keir <robin () keir net>
Date: Mon, 25 Apr 2005 14:33:01 -0700
Subject: Raw sockets, MS05-019 and Windows Firewall -- Summary

With the advent of XP SP2 and the recent MS05-019 patch, using raw 
sockets for scanning from a Windows platform has proven to be very 
problematic. I thought I would summarize the situation.

Based upon the presence of MS05-019 and the state of the Windows 
Firewall service(s) we have to decide whether we need to stop or start 
the firewall service(s). Even then there may still be issues. The logic 
is as follows:

Windows 2000 is unaffected. It fully supports all raw socket actions and

 since it doesn't have the Windows Firewall/ICF we don't have any of 
those associated issues.

XP SP0 should have the firewall stopped ("net stop sharedaccess"). Even 
though TCP raw sockets are unaffected by the firewall the ALG service, 
which is intimately tied to the firewall service on XP, prevents 
discovery of several ports such as 21, 389, 1002 and 1720 when using TCP

raw sockets. Stopping the sharedaccess service thus automatically stops 
the ALG service and we're good to go.

XP SP1 *without* MS05-019 functions the same as XP SP0.

XP SP1 *with* MS05-019 needs to have the sharedaccess firewall service 
*running* (see http://support.microsoft.com/kb/897656) otherwise TCP raw

sockets are blocked. Because the sharedaccess service needs to be 
running to enable sending of TCP packets using raw sockets we have the 
problem with the ALG service blocking sending to certain ports, but it's

better than nothing.

XP SP2 *without* MS05-019 functions the same as XP SP1 without the patch

apart from a driver-level restriction on the number of 
in-the-process-of-connecting TCP connections. This can affect regular 
socket style scanning. The only known workaround to the driver issue is 
a TCPIP.SYS hack.

XP SP2 *with* MS05-019 is unusable for raw-socket TCP scanning. It 
totally blocks TCP raw sockets with or without the firewall enabled.

Windows Server 2003 acts like XP SP0. The ALG service, which is now no 
longer tied to the sharedaccess (Windows Firewall) service, should be 
stopped ("net stop alg").

What a mess :-)


Sent through the nmap-hackers mailing list

Sent through the nmap-dev mailing list

  By Date           By Thread  

Current thread:
  • FW: MS05-019 & Win2k Feliciano, Marcial (Apr 26)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]