This morning we released MS08-036 to fix two denial-of-service vulnerabilities in the Windows implementation of the Pragmatic General Multicast (PGM) protocol (RFC 3208).  You probably have never heard of PGM.  Only one engineer on our team had ever heard of it and he previously worked as a tester on the core network components team.  PGM is a multicast transport protocol that guarantees reliable delivery from multiple sources to multiple receivers. It is a layer 4 transport protocol, peer to TCP and UDP.  You can send/receive data with PGM by creating a socket with SOCK_RDM type and IPPROTO_RM protocol.  For example:

s = socket(AF_INET, SOCK_RDM, IPPROTO_RM);

For more information on how to program with PGM, check out the MSDN reference.

The PGM protocol is available on all versions of Windows since XP.  However it is disabled by default on all versions.  We expect that most networks out there will not have a great deal of PGM traffic on it.  Therefore, if you can detect PGM protocol usage on your network and discover a sudden flood of PGM traffic, it’s likely your network is being attacked.  You can detect PGM on the wire by checking the “Protocol” field in the IP header.  PGM’s protocol ID is 113 (0x71).  Both Netmon 3.1 and Wireshark contain PGM parsers.  Here is an example PGM packet capture in Netmon:

P.S. If we’re wrong about the extent of PGM use and there are common applications that use it, please let us know and we’ll revise this blog entry.

- Security Vulnerability Research & Defense Bloggers

*Postings are provided "AS IS" with no warranties, and confers no rights.*