-
November 17th, 2003, 09:22 PM
#1
Messenger Vulnerability - Any Recon?
Well the new MS patches have been out for a few weeks now so I'm sure that we will be seeing a new run of worms before long. Has anyone heard about any possible new worms related to the Messenger service vulnerability or the Workstation vulnerability? Things are quiet at my usual haunts so I figured I'd throw out a line here and see what I get.
TIA.
--Th13
Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden
-
November 17th, 2003, 09:35 PM
#2
Well, we had MSBLASTER after quite some time, about a month... I expected it earlier though.... I think it would take about a month to show up... just a guess, then who knows who's cooking what.
guru@linux:~> who I grep -i blonde I talk; cd ~; wine; talk; touch; unzip; touch; strip; gasp; finger; mount; fsck; more; yes; gasp; umount; make clean; sleep;
-
November 18th, 2003, 03:48 AM
#3
Hi,
There's some people being attacked while on some sort of messenger service -
http://www.antionline.com/showthread...hreadid=251029
I haven't heard of any worms/trojans that use any instant messaging service, but I heard of some AIM exploits - I'm trusting that this is all for educational purposes:
http://cert.uni-stuttgart.de/archive.../msg00045.html
This one lets you change a user's e-mail address that AIM uses so the person doesn't know about it (pretty much, you just need him/her to sign on and once he/she uses the bathroom, he/she is screwed) -
http://aimlabs.net/UpEmail.htm
This one lets you warn someone without having them talk to you-
http://aimlabs.net/IconEx.htm
Hope this helps.
-
November 18th, 2003, 11:44 AM
#4
Fat, thanks for the info. I was referring to the Messenger service, not the IM client. Below you will find links to the vulnerabilities which I believe will be leveraged in upcoming worms.
http://www.microsoft.com/technet/tre...n/MS03-049.asp
http://www.microsoft.com/technet/tre...n/MS03-043.asp
-
November 18th, 2003, 03:18 PM
#5
I know the BugTraq mailing list has released a proof of concept for the Windows Workstation Service overflow.
http://www.securityfocus.com/archive/1/344212
-
November 18th, 2003, 03:42 PM
#6
Just a piece of info from SecurityFocus I thought I'd share about the MS03-049 vuln:
"...a buffer overflow happens on the specified host if the debug file is
writeable."
"Generally, the "debug" subdirectory in the Windows directory is not
writeable by everyone if the drive is formatted as NTFS, which means that we
cannot append to the log using a null session. The WsImpersonateClient() API
is called before opening the log file, and if the connected client does not
have the privilege to write to the log file, then CreateFile() will fail,
and the vulnerable call to vsprintf() is not performed. So, in this case, we
can exploit FAT32 systems (which do not support ACLs on directories), or
systems where the "%SYSTEMROOT%\debug" directory is writeable by everyone.
However, there are some extended RPC functions implemented in Windows XP
which open the logfile before calling WsImpersonateClient()... "
"So my guess is that if this gets to be a worm, it probably will affect
mostly XP systems and not Windows 2000 systems (given that NTFS is a default
file type for W2k and that by default this is not writeable by a NULL
session). So that reduces the number of potential worm candidates and along
with this needs to use the same ports as Blaster the list of targets grows
smaller (because of the XP firewall), in itself it does not look to have the
same level of potential impact as Blaster."
So even though this may make it to worm form, I don't see it propagating anywhere near as well as Blaster did.
-Maestr0
http://www.securityfocus.com/archive/1/344247
http://www.securityfocus.com/archive/1/344137
"If computers are to become smart enough to design their own successors, initiating a process that will lead to God-like omniscience after a number of ever swifter passages from one generation of computers to the next, someone is going to have to write the software that gets the process going, and humans have given absolutely no evidence of being able to write such software." -Jaron Lanier
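The two conditions named in the quoted analysis above (a file system without directory ACLs, or a "%SYSTEMROOT%\debug" directory writeable by everyone) can be checked locally with a read-only audit. This is an added example, not part of the original posts or the advisory; it assumes a current PowerShell and checks only the Everyone and Anonymous Logon SIDs.

```powershell
# Added example: read-only local audit of the conditions in the quoted analysis.
# Per that analysis, some Windows XP RPC functions open the log before
# impersonating the client, so a clean result does not replace the MS03-049 patch.

$debugDir  = Join-Path $env:SystemRoot 'debug'
$driveRoot = [System.IO.Path]::GetPathRoot($env:SystemRoot)
$fsType    = (New-Object System.IO.DriveInfo $driveRoot).DriveFormat   # e.g. NTFS, FAT32

# Assumption: only these two broad principals are checked.
$broadSids = @{ 'S-1-1-0' = 'Everyone'; 'S-1-5-7' = 'Anonymous Logon' }

# Rights that allow creating or appending to a file in the directory,
# plus the generic bits that imply them (GENERIC_WRITE, GENERIC_ALL).
$writeMask = [int][System.Security.AccessControl.FileSystemRights]::WriteData -bor
             [int][System.Security.AccessControl.FileSystemRights]::AppendData -bor
             0x40000000 -bor 0x10000000

$findings = @()
if ($fsType -ne 'NTFS') {
    # FAT32 has no ACLs, so nothing restricts who can write to the log
    $findings += ('{0} is {1}: no directory ACLs protect {2}' -f $driveRoot, $fsType, $debugDir)
}
elseif (Test-Path -LiteralPath $debugDir -PathType Container) {
    $acl     = Get-Acl -LiteralPath $debugDir
    $sidType = [System.Security.Principal.SecurityIdentifier]
    foreach ($ace in $acl.GetAccessRules($true, $true, $sidType)) {
        $sid = $ace.IdentityReference.Value
        if ($ace.AccessControlType -eq 'Allow' -and
            $broadSids.ContainsKey($sid) -and
            ([int]$ace.FileSystemRights -band $writeMask) -ne 0) {
            $findings += ('{0} grants {1} to {2}' -f $debugDir, $ace.FileSystemRights, $broadSids[$sid])
        }
    }
}

[pscustomobject]@{
    Computer   = $env:COMPUTERNAME
    FileSystem = $fsType
    DebugDir   = $debugDir
    Writeable  = ($findings.Count -gt 0)
    Findings   = $findings
}
```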
-
November 18th, 2003, 04:59 PM
#7
Exploit code's been out for a couple of weeks, pre-compiled exes are being distributed.... Worm should be any time now, but the answer is no. I haven't heard anything yet.
Bukhari:V3B48N826 “The Prophet said, ‘Isn’t the witness of a woman equal to half of that of a man?’ The women said, ‘Yes.’ He said, ‘This is because of the deficiency of a woman’s mind.’”
-
November 18th, 2003, 07:03 PM
#8
well...what more could be said..Hail to Bill Gates..
-
November 19th, 2003, 09:48 AM
#9
Hi guys
I actually work for an anti virus company, and the biggest threat at the moment are viruses that use ADS (Alternate Data Streams). These viruses hide in the ADS and so the viral file may only be 4Kb but the file's ADS can be hundreds of Megabytes without you knowing about it.
For an example check out http://www.sophos.com/virusinfo/anal...coreflooc.html . Nasty little thing; once some writer gets this functionality into a free-spreading worm, such as Blaster and Nachi were, then we are all going to have some serious fun getting rid of it.
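A directory listing reports only the size of a file's main stream, which is why the size mismatch described in the post above goes unnoticed. The following inventory of alternate data streams is an added example, not part of the original post; it assumes PowerShell 3.0 or later on an NTFS volume, and `$Root` is a hypothetical parameter name.

```powershell
# Added example: list alternate data streams under a directory, largest first.
# $Root is a hypothetical parameter; it defaults to the current directory.
param([string]$Root = (Get-Location).Path)

$files = Get-ChildItem -LiteralPath $Root -File -Recurse -ErrorAction SilentlyContinue

$results = foreach ($file in $files) {
    # -Stream * returns every stream on the file, including the main one
    $streams = Get-Item -LiteralPath $file.FullName -Stream * -ErrorAction SilentlyContinue
    foreach ($s in $streams) {
        if ($s.Stream -eq ':$DATA') { continue }   # skip the unnamed main stream
        [pscustomobject]@{
            File           = $file.FullName
            Stream         = $s.Stream
            StreamBytes    = $s.Length
            MainBytes      = $file.Length
            # Zone.Identifier is the download-origin tag written by browsers
            # and mail clients; usually benign
            KnownBenign    = ($s.Stream -eq 'Zone.Identifier')
            # The case from the post: hidden stream larger than the visible file
            LargerThanFile = ($s.Length -gt $file.Length)
        }
    }
}

$results | Sort-Object StreamBytes -Descending | Format-Table -AutoSize
```

Rows with `LargerThanFile` true and `KnownBenign` false are the ones to review first.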