Results 1 to 9 of 9

Thread: Messenger Vulnerability - Any Recon?

  1. #1
    Master-Jedi-Pimps0r & Moderator thehorse13's Avatar
    Join Date
    Dec 2002
    Location
    Washington D.C. area
    Posts
    2,885

    Messenger Vulnerability - Any Recon?

    Well the new MS patches have been out for a few weeks now so I'm sure that we will be seeing a new run of worms before long. Has anyone heard about any possible new worms related to the Messenger service vulnerability or the Workstation vulnerability? Things are quiet at my usual haunts so I figured I'd throw out a line here and see what I get.

    TIA.


    --Th13
    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden

  2. #2
    Senior Member
    Join Date
    May 2003
    Posts
    472
    well we had the MSBLASTER after quite sometime abt a month...i ecepected it earlier though....i think it wud take abt a month to show up...just a guess then who knows whos cooking what.
    guru@linux:~> who I grep -i blonde I talk; cd ~; wine; talk; touch; unzip; touch; strip; gasp; finger; mount; fsck; more; yes; gasp; umount; make clean; sleep;

  3. #3
    Senior Member
    Join Date
    Jun 2002
    Posts
    311
    Hi,
    Theres some people being attacked while on some sort of messenger service -

    http://www.antionline.com/showthread...hreadid=251029

    I havent heard of any worms/trojans that uses any instant messaging service, but i heard of some aim exploits - Im trusting that this is all for educational purposes :

    http://cert.uni-stuttgart.de/archive.../msg00045.html

    This one lets you change a user's e-mail address that AIM uses so the person doesnt know about it (pretty much, you just need him/her to sign on and once he/she uses the bathroom, he/she is screwed) -

    http://aimlabs.net/UpEmail.htm

    This one lets you warn someone without having them talk to you-

    http://aimlabs.net/IconEx.htm

    Hope this helps.

  4. #4
    Master-Jedi-Pimps0r & Moderator thehorse13's Avatar
    Join Date
    Dec 2002
    Location
    Washington D.C. area
    Posts
    2,885
    Fat, thanks for the info. I was referring to the Messenger service, not the IM client. Below you will find links to the vulnerabilities which I believe will be leveraged in upcoming worms.

    http://www.microsoft.com/technet/tre...n/MS03-049.asp
    http://www.microsoft.com/technet/tre...n/MS03-043.asp
    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden

  5. #5
    AO French Antique News Whore
    Join Date
    Aug 2001
    Posts
    2,126
    I know BugTraq Mailling List have resealed a Proof of concept for Windows Workstation Service overflow..

    http://www.securityfocus.com/archive/1/344212
    -Simon \"SDK\"

  6. #6
    Senior Member Maestr0's Avatar
    Join Date
    May 2003
    Posts
    604
    Just a piece of info from Securityfocus I'd thought I'd share about MS03-049 vuln:

    "...a buffer overflow happens on the specified host if the debug file is
    writeable."

    "Generally, the "debug" subdirectory in the Windows directory is not
    writeable by everyone if the drive is formatted as NTFS, which means that we
    cannot append to the log using a null session. The WsImpersonateClient() API
    is called before opening the log file, and if the connected client does not
    have the privilege to write to the log file, then CreateFile() will fail,
    and the vulnerable call to vsprintf() is not performed. So, in this case, we
    can exploit FAT32 systems (which do not support ACLs on directories), or
    systems where the "%SYSTEMROOT%\debug" directory is writeable by everyone.
    However, there are some extended RPC functions implemented in Windows XP
    which open the logfile before calling WsImpersonateClient()... "

    "So my guess is that if this gets to be a worm, it probably will affect
    mostly XP systems and not Windows 2000 systems (given that NTFS is a default
    file type for W2k and that by default this is not writeable by a NULL
    session). So that reduces the number of potential worm candidates and along
    with this needs to use the same ports as Blaster the list of targets grows
    smaller (because of the XP firewall), in itself it does not look to have the
    same level of potential impact as Blaster."



    So even though this may make it to worm form, I don't see it propagating any where near as well as blaster did.

    -Maestr0

    http://www.securityfocus.com/archive/1/344247
    http://www.securityfocus.com/archive/1/344137
    \"If computers are to become smart enough to design their own successors, initiating a process that will lead to God-like omniscience after a number of ever swifter passages from one generation of computers to the next, someone is going to have to write the software that gets the process going, and humans have given absolutely no evidence of being able to write such software.\" -Jaron Lanier

  7. #7
    Senior Member
    Join Date
    Nov 2001
    Posts
    4,785
    exploit codes been out for a couple of weeks, pre-compiled exes are being distributed....worm should be any time now but the answer is no. i havent heard anything yet
    Bukhari:V3B48N826 “The Prophet said, ‘Isn’t the witness of a woman equal to half of that of a man?’ The women said, ‘Yes.’ He said, ‘This is because of the deficiency of a woman’s mind.’”

  8. #8
    Senior Member
    Join Date
    Jun 2003
    Posts
    142
    well...what more could be said..Hail to Bill Gates..

  9. #9
    Hi guys

    I actually work for an anti virus company, and the biggest threat at the moment are viruses that use ADS (Alternate Data Streams). These viruses hide in the ADS and so the viral file may only be 4Kb but the files ADS can be hundreds of Megabytes without you knowing about it.
    For an example check out http://www.sophos.com/virusinfo/anal...coreflooc.html , nasty little thing, once some writer gets this functionality into a free spreading worm, such as blaster and nachi were then we are all going to have some serious fun getting rid of it.

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •