[Repost] Raw Sockets Gone in XP SP2


Raw Sockets Gone in XP SP2 - Thursday 12 August, 2004, 2:07 PM

http://www.interact-sw.co.uk/iangblog/2004/08/12/norawsockets

Well, not strictly gone, but their power has been reduced in certain respects.

While it might make Steve Gibson happy, I'm not utterly delighted by this particular change that service pack 2 brings to Windows XP.

Security expert and fellow DevelopMentor instructor Dominick Baier drew my attention to the fact that Windows XP service pack 2 (which I just installed) reduces the power of raw sockets. This has had no direct impact on me, since nothing I did uses raw sockets. But there are a couple of groups of users that this will affect.

The good news (and the justification for the removal of the feature) is that this change will prevent certain network attack tools used by crackers from running on Windows XP. These tools are easier to write if you have a full raw socket facility. But it won't impede them much, of course - presumably they'll just go and use some other operating system. The limitations on the raw socket facility in Windows XP don't make XP any more or less vulnerable; they just make it slightly less suitable as a platform for launching certain kinds of attacks. But that really won't stop a determined hacker - it's not like it's that hard to find an OS that supports full raw sockets. Linux supports them, for example. (So if Steve Gibson was right in his original rather sensationalist article, Linux will now supplant Windows XP as the "denial of service tool of choice for internet hackers everywhere", as he put it... Not that Windows XP ever fulfilled his prophecy of doom, as far as I know.)

In fact there's no reason a cracker couldn't add the functionality back into Windows if they're prepared to write a suitable device driver. I don't think there's anything stopping you writing a kernel mode device driver that plugs into the NDIS stack and communicates directly with the network card device driver. That would let you send any Ethernet packet you like, which would give you at least as much power as the original unencumbered raw sockets API. (In practice they'll probably just use an OS such as Linux which still supports the feature.)

The other group this affects is security professionals - the restriction of the raw sockets API prevents certain penetration test tools from running. For example, Dominick pointed out that certain features of nmap won't work on Windows XP once you've installed service pack 2. This means you can no longer use Windows XP to discover whether a particular system on your network is vulnerable to certain kinds of attacks.

The justification for limiting raw sockets is that they provide a tool for the attackers. That sounds reasonable enough until you realise that raw sockets are also a tool for the defenders. Now that I've installed service pack 2 I'm deprived of the ability to use this tool to defend myself, unless I have some other systems around that still support raw sockets. Meanwhile I can be absolutely sure that those who would attack my networks *do* have systems that support raw sockets.

So this change appears to have made Windows XP less useful for detecting security flaws without putting up any significant new barrier to determined attackers. Doesn't that make me less secure, on balance?

(Of course this is just a minor niggle - on the whole, I think the security improvements of XP SP2 are a Very Good Thing!)
