Raw is a protocol type in the socket api allowing the application to send and receive arbitrary packets (e.g. not packets generated by the system's TCP implementation).
This means the listening socket was created using SOCK_RAW as opposed to SOCK_STREAM or SOCK_DGRAM. Raw sockets are used for working with ICMP, doing packet sniffing, sending some types of custom TCP packets, etc. Basically anything that isn't UDP or TCP, you'll need a raw socket for.
Historically programs like `ping` and `traceroute` use raw sockets. Using raw sockets requires privilege, which is why those historically have been set-uid on Unix systems.
So is this a vulnerability in specific raw sockets applications (i.e., you could get it right in the application), or a vulnerability in the Windows kernel's TCP/IP stack that is only exploitable when there is a raw sockets application running?
I know there's some limits to the surface of this... but it seems that could precisely be triggered by certain types of security software, ironically designed to protect such systems. Eww...
It's far easier to find 0-days in antivirus software than in common-used operating systems or servers (IIS, Nginx, ...). The attack surface is huge, the software often very old and written in a memory-unsafe language like C and C++ for performance-reasons.
I reverse engineered some antivirus products myself and the quality of most AVs is pretty bad. AFL (American Fuzzy Lop) without a custom mutator crashed some of them in less than 15 minutes at the most trivial parts like parsing a PE-file.
Also snakeoil-features like "anti-rootkit scanner" just compare hashes (sometimes MD5-hashes) of installed drivers. In past a rootkit could circumvent such scanner with IAT-hooking. In 2023 those scanners are obsolete anyway.
Also antivirus 0-days are far cheaper than for other software.*
I can't think of any... Which in turn means that most systems probably aren't vulnerable. On windows I think you need admin rights to open a raw socket, which means that only admins can pwn the machine...
13 comments
[ 3.1 ms ] story [ 41.4 ms ] threadWhat is a "raw socket" in this context?
A raw socket allows creation/consumption of bespoke packet types (i.e. not Tcp/Udp). In this case ICMP.
And here they explain that if you use SOCK_RAW, you should look out for bad datagrams:
https://learn.microsoft.com/en-us/windows/win32/winsock/tcp-...
I reverse engineered some antivirus products myself and the quality of most AVs is pretty bad. AFL (American Fuzzy Lop) without a custom mutator crashed some of them in less than 15 minutes at the most trivial parts like parsing a PE-file.
Also snakeoil-features like "anti-rootkit scanner" just compare hashes (sometimes MD5-hashes) of installed drivers. In past a rootkit could circumvent such scanner with IAT-hooking. In 2023 those scanners are obsolete anyway.
Also antivirus 0-days are far cheaper than for other software.*
* https://zerodium.com/program.html
I can't think of any... Which in turn means that most systems probably aren't vulnerable. On windows I think you need admin rights to open a raw socket, which means that only admins can pwn the machine...