Re: Insecurities in Non-exclusive Socket Binding
From: Marc Slemko <marcs(at)znep.com>
Date: Mon Mar 10 2003 - 13:18:05 EST

On Sun, 10 Mar 2003, Firosh Ummer wrote:

> I've written a paper on the risks in non-exclusive socket binding, and how

This is a fairly old, well understood issue on most unix platforms. That is why you will find nearly any modern unix does not allow more specific port binding unless it is done by the same user as the wildcard bind, or by root.

None of this prevents exploitation by simply finding some way to kill the service listening on the port, or by exploiting a race condition at startup or restart. This is one of the reasons why the concept of privileged ports was, and still is, extremely important on systems with untrusted users.

As for windows... I really couldn't see anyone recommending you run any services like that on a windows box where untrusted users have access. There are simply so many other ways to escalate privileges.

I'm not sure the windows specific SO_EXCLUSIVEADDRUSE option is
practical due to mindboggling limitations. Apparently it prevents
rebinding if there are _any_ sockets open to that port, even if
they are in FIN_WAIT, FIN_WAIT_2, or LAST_ACK. To be able to unbind
and then rebind the port when restarting, etc. the application must
jump through unreasonable hoops to be able to reliably use
SO_EXCLUSIVEADDRUSE.
See

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:02:46 EDT
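
An added example, not part of the original message: a defensive audit that applies the ownership rule described in the reply (a more specific bind is acceptable only from the wildcard listener's user or from root) to a listener table in Linux `/proc/net/tcp` layout. The sample rows, the function names and the little-endian address decoding are assumptions of this example.

```python
import socket
import struct
from collections import defaultdict

# Constructed sample in Linux /proc/net/tcp layout (not captured from a real host).
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0050 00000000:0000 0A 00000000:00000000 00:00000000 00000000    33        0 20001
   1: 0100007F:0050 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1001        0 20002
   2: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 20003
   3: 0A00000A:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1001        0 20004
   4: 00000000:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1001        0 20005
   5: 0100007F:0050 0100007F:C350 01 00000000:00000000 00:00000000 00000000    33        0 20006
"""

WILDCARD = "0.0.0.0"
LISTEN = "0A"  # value of the st column for a listening TCP socket


def parse_listeners(text):
    """Yield (ip, port, uid) for each listening socket in the table."""
    for line in text.splitlines()[1:]:          # skip the column header
        fields = line.split()
        if len(fields) < 10 or fields[3] != LISTEN:
            continue
        addr_hex, port_hex = fields[1].split(":")
        # Assumption: table written by a little-endian host (x86, most ARM).
        ip = socket.inet_ntoa(struct.pack("<I", int(addr_hex, 16)))
        yield ip, int(port_hex, 16), int(fields[7])


def find_shadowing_binds(text):
    """Return (port, ip, uid) for specific-address listeners that sit in
    front of a wildcard listener owned by a different, non-root user."""
    by_port = defaultdict(list)
    for ip, port, uid in parse_listeners(text):
        by_port[port].append((ip, uid))
    findings = []
    for port, socks in sorted(by_port.items()):
        wildcard_uids = {uid for ip, uid in socks if ip == WILDCARD}
        for ip, uid in socks:
            if wildcard_uids and ip != WILDCARD and uid != 0 and uid not in wildcard_uids:
                findings.append((port, ip, uid))
    return findings


if __name__ == "__main__":
    for port, ip, uid in find_shadowing_binds(SAMPLE):
        print(f"port {port}: uid {uid} listens on {ip} in front of another user's wildcard bind")
```

On a live Linux host the same functions can be fed the contents of `/proc/net/tcp`; a finding means the platform allowed a bind that the rule in the reply says should have been refused.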