[prev in list] [next in list] [prev in thread] [next in thread] 

List:       incidents
Subject:    Re: Yahoo Messenger Stale Sessions
From:       BANIER Jeremie <jeremie.banier () swift ! com>
Date:       2002-11-14 13:49:51
[Download RAW message or body]

Hello,
I believe switching on keep-alive would perhaps sove that one ...

<knip>
Windows 2000 TCP keep-alive behavior can be modified by changing the values of the \
KeepAliveTime and KeepAliveInterval registry entries \
(HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters). TCP keep-alives can be \
sent once for every interval specified by the value of KeepAliveTime (defaults to \
7,200,000 milliseconds, or two hours) if no other data or higher level keep-alives \
have been
carried over the TCP connection. If there is no response to a keep-alive, it is \
repeated once every interval specified by the value of KeepAliveInterval in seconds. \
By default, the KeepAliveInterval entry is set to a value of one second. </knip>

Hope it helps, if not rebooot ;-)
Jeremie

Tat Wee Kan wrote:

> ----- Original Message -----
> From: <Leonard.Ong@nokia.com>
> To: <security-basics@securityfocus.com>; <incidents@securityfocus.com>;
> <bugtraq@securityfocus.com>
> Sent: Monday, November 11, 2002 11:04 AM
> Subject: Yahoo Messenger Stale Sessions
> 
> > During my observation in daily use of Yahoo Messenger, my computer has
> "stale/zombie" sessions.  For example, If i have received/message a friend,
> yahoo will normally make a direct connection from my PC to my friend.  From
> Netstat result, you can see a high port on my computer is having an
> Established session with my peer's:5101 port.
> > 
> > The issue is, after a contact has gone offline (dial-up), the state
> established in the netstat will remain until the next day.  I wouls see this
> as a vulnerabilities, since an arbitrary user can assume the IP Address was
> used (dial-up->dynamic ip assignment), and use this established session to
> assume it.
> > 
> > Any idea ?
> 
> Hmm, I'm not an expert in this, but I do realize if the 4-way handshake for
> terminating a connection is not done properly, e.g. the user switched off
> his dial-up modem abruptly, it would cause the "stale/zombie" sessions
> described as above. The dial-up machine will not have the opportunity to
> send the FIN to your machine.
> 
> You probably need to know the sequence number, source port, destination port
> as well as source IP and destination IP (which you should know).

--
"Ok, so the servers are down, the lights are out, and all I have to work
with is a roll of duct tape, a ball point pen, a lighter, and a twenty year
old copy of emacs.  Where's the problem? "


["jeremie.banier.vcf;" (text/x-vcard)]

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

[prev in list] [next in list] [prev in thread] [next in thread]