2.6. Sockets binding and hijacking

2.6. Sockets binding and hijacking
Prev	Chapter 2. TCP/IP stacks	Next

2.6.1. SO_EXCLUSIVEADDRUSE socket option
2.6.2. Example of multiple bindings: NetBT driver in Windows NT 4.0 SP6a
2.6.3. Multiple sockets bindings
2.6.4. What happens when SO_EXCLUSIVEADDRUSE is not used?
2.6.5. Windows services and drivers protected against socket hijacking
2.6.6. Global protection against socket hijacking
2.6.7. Diagnosing socket binding problems

As explained earlier, Windows TCP/IP stack does not implement privileged ports. More precisely, any process can bind a socket to any port, even when a socket is already bound to a port. Thus, it becomes possible to hijack a TCP server.

This kind of vulnerability was published for the first time in february 1998, in the security advisory NT port binding security [17].

This advisory showed how, for example, any user could hijack the Windows NT 4 SMB server, binding a TCP server on port TCP 139 using a specific IP address in the bind() call.

Microsoft released knowledge base article 194431 [21], mentionning the problem and stating that it was fixed in Windows NT 4.0 Service Pack 4.

Actually, Microsoft introduced in NT 4.0 Service Pack 4 a new socket option, SO_EXCLUSIVEADDRUSE, that can be used by an application to protect itself from this vulnerability. However:

it seems that Microsoft itself did not use this socket option in its servers (particularly, IIS 4 and IIS 5)
this socket option can not be used by drivers, which directly communicate with the TCP/IP driver, without using the Winsock API.

Prev	Up	Next
2.5.2. Identifying processes behind sockets	Home	2.6.1. SO_EXCLUSIVEADDRUSE socket option