2.6. Sockets binding and hijacking

2.6.1. SO_EXCLUSIVEADDRUSE socket option
2.6.2. Example of multiple bindings: NetBT driver in Windows NT 4.0 SP6a
2.6.3. Multiple sockets bindings
2.6.4. What happens when SO_EXCLUSIVEADDRUSE is not used?
2.6.5. Windows services and drivers protected against socket hijacking
2.6.6. Global protection against socket hijacking
2.6.7. Diagnosing socket binding problems

As explained earlier, the Windows TCP/IP stack does not implement privileged ports. More precisely, any process can bind a socket to any port, even when another socket is already bound to that port. Thus, it becomes possible to hijack a TCP server.

This kind of vulnerability was first published in February 1998, in the security advisory NT port binding security [17].

This advisory showed how, for example, any user could hijack the Windows NT 4 SMB server by binding a TCP server on TCP port 139 using a specific IP address in the bind() call.

Microsoft released knowledge base article 194431 [21], mentioning the problem and stating that it was fixed in Windows NT 4.0 Service Pack 4.
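The hardened bind that the Service Pack 4 fix makes possible, together with an audit check that attempts the more specific second bind described above and reports whether the stack refuses it, as an added example that is neither the paper's nor Microsoft's code. The function names are hypothetical; on non-Windows stacks Python does not define SO_EXCLUSIVEADDRUSE, so the option is skipped there and the result only reflects that stack's own address-conflict rule.

```python
import socket

# Winsock-only option (Windows NT 4.0 SP4 and later). Python exposes it only on
# Windows, so resolve it at runtime instead of failing at import on other platforms.
SO_EXCLUSIVE = getattr(socket, "SO_EXCLUSIVEADDRUSE", None)


def open_hardened_listener(port=0, backlog=5):
    """Open a wildcard (0.0.0.0) TCP listener that refuses later binds on its port.

    port=0 asks the stack for an ephemeral port; read it back with getsockname().
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    if SO_EXCLUSIVE is not None:
        # Without this, a second socket bound to the same port with a more
        # specific address can take the port over on Windows (see [17], [21]).
        srv.setsockopt(socket.SOL_SOCKET, SO_EXCLUSIVE, 1)
    srv.bind(("0.0.0.0", port))
    srv.listen(backlog)
    return srv


def port_can_be_hijacked(port, addr="127.0.0.1", reuse=False):
    """Audit check: try the second, address-specific bind on an already used port.

    Returns True if the bind succeeds (the port is stealable) and False if the
    stack rejects it (WSAEACCES/WSAEADDRINUSE on Windows, EADDRINUSE on POSIX).
    With reuse=True the probe also sets SO_REUSEADDR, the other way a second
    socket may try to share a port.
    """
    probe = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        if reuse:
            probe.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        probe.bind((addr, port))
        return True
    except OSError:
        return False
    finally:
        probe.close()


def audit_hardened_listener():
    """Open a hardened listener and probe it both ways; (False, False) is the
    expected result for a port that cannot be taken over."""
    srv = open_hardened_listener()
    port = srv.getsockname()[1]
    try:
        return (port_can_be_hijacked(port), port_can_be_hijacked(port, reuse=True))
    finally:
        srv.close()
```

A True in either position of the result means a second socket could take the listener's port on that host, which is exactly the condition the advisory exploited.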

Actually, in NT 4.0 Service Pack 4 Microsoft introduced a new socket option, SO_EXCLUSIVEADDRUSE, that an application can use to protect itself from this vulnerability. However: