Vigil@nce - Windows: denial of service via FIN_WAIT_2
February 2013 by Vigil@nce
This bulletin was written by Vigil@nce: http://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
An attacker can open a TCP session with a Windows system, and wait
for Windows to send a FIN packet, then send a special packet, in
order to consume resources, leading to a denial of service.
Impacted products: Windows 2008, Microsoft Windows 2012, Windows
7, Windows 8, Windows RT, Windows Vista
Severity: 2/4
Creation date: 13/02/2013
Revision date: 13/02/2013
DESCRIPTION OF THE VULNERABILITY
A TCP session is ended with a packet that has the FIN flag set. During
closure, a TCP session passes through several states, such as
FIN_WAIT_1 and FIN_WAIT_2 (RFC 793).
When Windows initiates the TCP session closure, it sends a FIN packet
and enters the FIN_WAIT_1 state. When the remote computer acknowledges
this FIN, Windows enters the FIN_WAIT_2 state. However, if the
acknowledgement packet advertises a TCP window size of zero, Windows
does not free the data structures associated with the session in
memory.
An attacker can therefore open a TCP session with a Windows
system, and wait for Windows to send a FIN packet, then send a
special packet, in order to consume resources. When this operation
is repeated, it leads to a denial of service.
Note: the web service of IIS cannot be used as an attack vector.
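The resource exhaustion described above shows up on the affected host as
sockets accumulating in the FIN_WAIT_2 state. The following script is an
added example for monitoring that symptom; it is not part of the Vigil@nce
bulletin. It assumes the column layout of `netstat -an` on Windows (protocol,
local address, foreign address, state) and works on a constructed sample of
such output; the threshold of three half-closed sockets per remote host is an
arbitrary assumption to be tuned for the site.

```python
import re
import sys
from collections import Counter

# Constructed sample of `netstat -an` style output (Windows column layout:
# proto, local address, foreign address, state). These lines are made up for
# this example and do not describe any real host.
SAMPLE_NETSTAT = """\
  TCP    10.0.0.5:80      192.0.2.10:50123    FIN_WAIT_2
  TCP    10.0.0.5:80      192.0.2.10:50124    FIN_WAIT_2
  TCP    10.0.0.5:80      192.0.2.10:50125    FIN_WAIT_2
  TCP    10.0.0.5:80      192.0.2.10:50126    FIN_WAIT_2
  TCP    10.0.0.5:80      198.51.100.7:41000  ESTABLISHED
  TCP    10.0.0.5:80      198.51.100.7:41001  FIN_WAIT_2
  TCP    10.0.0.5:443     203.0.113.9:33000   TIME_WAIT
  TCP    10.0.0.5:3389    203.0.113.9:33001   FIN_WAIT_1
  UDP    0.0.0.0:123      *:*
"""

# One netstat row: protocol, local, foreign, and (for TCP only) a state column.
LINE_RE = re.compile(
    r"^\s*(?P<proto>TCP|UDP)\s+(?P<local>\S+)\s+(?P<remote>\S+)"
    r"(?:\s+(?P<state>\S+))?\s*$"
)


def parse_netstat(text):
    """Yield (proto, local, remote, state) tuples; UDP rows carry state None."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # header lines, blank lines, unexpected formats
        yield m.group("proto"), m.group("local"), m.group("remote"), m.group("state")


def split_host(addr):
    """Strip the port from 'host:port'; bracketed IPv6 forms like [::1]:80 work too."""
    host, _, _port = addr.rpartition(":")
    return host.strip("[]")


def count_by_state(text):
    """Overall TCP state distribution, useful to trend FIN_WAIT_2 over time."""
    counts = Counter()
    for proto, _local, _remote, state in parse_netstat(text):
        if proto == "TCP" and state is not None:
            counts[state] += 1
    return dict(counts)


def fin_wait_2_by_remote(text):
    """Number of sockets stuck in FIN_WAIT_2, keyed by the remote host."""
    counts = Counter()
    for proto, _local, remote, state in parse_netstat(text):
        if proto == "TCP" and state == "FIN_WAIT_2":
            counts[split_host(remote)] += 1
    return dict(counts)


def suspicious_remotes(text, threshold=3):
    """Remote hosts holding at least `threshold` FIN_WAIT_2 sockets (assumed cut-off)."""
    return sorted(h for h, n in fin_wait_2_by_remote(text).items() if n >= threshold)


if __name__ == "__main__":
    # Read real netstat output from a pipe; fall back to the constructed sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_NETSTAT
    print("TCP states:", count_by_state(text))
    print("FIN_WAIT_2 per remote host:", fin_wait_2_by_remote(text))
    print("remotes over threshold:", suspicious_remotes(text))
```

Run it as `netstat -an | python finwait2_monitor.py` on the Windows host (script
name assumed) and compare the FIN_WAIT_2 count between runs; a count that only
grows, concentrated on a few remote hosts, is the signature to watch for, since
healthy half-closed sessions are freed once the peer finishes its side.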
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/Windows-denial-of-service-via-FIN-WAIT-2-12417