MS08-001 - The case of the missing Windows Server 2003 attack vector
2008-01-18 09:27
Part 3 of our MS08-001 blog post series
<http://blogs.technet.com/swi/archive/2008/01/08/ms08-001-part-3-the-c...
-the-igmp-network-critical.aspx> mentioned that Windows Server 2003 does
not expose an attack vector to the IGMP code execution vulnerability by
default. Windows XP and Vista enable UPnP (Universal Plug-and-Play), which
exposes an attack vector to the vulnerable code, but Windows Server 2003
does not enable UPnP. As a result, a default WS03 machine ignores IGMP
messages received from the network.
We have received a few questions about Windows Server 2003's exposure to the
IGMP vulnerability.
Question 1: By default, a Win2k3 server is joined to multicast group
224.0.0.1. Does that mean Win2K3 is vulnerable by default, and that the
rating in the MSRC bulletin is wrong?
Answer: The bulletin rating is correct. A Win2k3 server is not vulnerable to
the IGMP issue when it is joined only to 224.0.0.1.
Observe the netsh command output on a default configuration of Win2K3
server:
>netsh int ip show joins
Interface Addr    Multicast Group
----------------  ----------------
10.1.1.1          224.0.0.1
224.0.0.1 is the all-hosts group on the subnet. The reason a Win2k3 server
is not vulnerable despite being joined to 224.0.0.1 is that Windows ignores
IGMP queries addressed to that group. Here's the actual code:
} else {
    // If all-hosts address, ignore it
    if (IP_ADDR_EQUAL(IQH->igh_addr, ALL_HOST_MCAST)) {
        DEBUGMSG(DBG_WARN && DBG_IGMP,
                 (DTEXT("Dropping IGMPv3 query for the All-Hosts group\n")));
        return;
    }
Question 2: How can I tell whether my Windows Server 2003 machine is
vulnerable?
Answer: If the server is joined to any multicast group other than
224.0.0.1, then it is vulnerable to the IGMP attack.
The following netsh command shows the multicast groups to which the machine
is joined:
netsh int ip show joins
For example, if the WINS component is enabled on a Win2k3 server, the output
of the netsh command above would be:
Interface Addr    Multicast Group
----------------  ----------------
10.1.1.1          224.0.0.1
10.1.1.1          224.0.1.24
224.0.1.24 is the IP multicast group for WINS. The configuration above (if
unpatched) is vulnerable to the IGMP attack.
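The check in the answer above is easy to automate across a fleet. The script
below is an added example, not code from the Microsoft post: it parses the
two-column `netsh int ip show joins` output shown on this page and flags any
interface joined to a group other than the all-hosts address 224.0.0.1. The
sample output embedded in it is constructed from the WINS example above, not
captured from a live host; the `run_netsh` helper assumes `netsh` is on the
PATH of the Windows machine being audited.

```python
import re
import subprocess
from typing import Dict, List, Set

# Queries to the all-hosts group are dropped by the Windows IGMP code, so
# membership in this group alone does not expose the vulnerable path.
ALL_HOSTS = "224.0.0.1"

# Constructed sample output, modelled on the WINS-enabled Win2k3 example
# from the post (not captured from a real server).
SAMPLE_NETSH_JOINS = """\
Interface Addr    Multicast Group
----------------  ----------------
10.1.1.1          224.0.0.1
10.1.1.1          224.0.1.24
"""

# One data row: an IPv4 interface address followed by an IPv4 group address.
# Header and separator lines do not match and are skipped.
_IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"
ROW_RE = re.compile(r"^\s*" + _IPV4 + r"\s+" + _IPV4 + r"\s*$")


def parse_joins(text: str) -> Dict[str, Set[str]]:
    """Map each interface address to the set of multicast groups it joined."""
    joins: Dict[str, Set[str]] = {}
    for line in text.splitlines():
        match = ROW_RE.match(line)
        if not match:
            continue
        iface, group = match.groups()
        joins.setdefault(iface, set()).add(group)
    return joins


def exposed_groups(joins: Dict[str, Set[str]]) -> Dict[str, List[str]]:
    """Per interface, the joined groups other than all-hosts.

    Any entry here means IGMP queries for that group reach the vulnerable
    code on an unpatched Windows Server 2003 host.
    """
    exposed: Dict[str, List[str]] = {}
    for iface, groups in joins.items():
        extra = sorted(g for g in groups if g != ALL_HOSTS)
        if extra:
            exposed[iface] = extra
    return exposed


def is_exposed(netsh_output: str) -> bool:
    """True if the host is joined to anything beyond 224.0.0.1."""
    return bool(exposed_groups(parse_joins(netsh_output)))


def run_netsh() -> str:
    """Collect the live output on a Windows host (assumes netsh is on PATH)."""
    result = subprocess.run(
        ["netsh", "int", "ip", "show", "joins"],
        capture_output=True, text=True, check=True,
    )
    return result.stdout


if __name__ == "__main__":
    # Offline demonstration on the constructed sample; swap in run_netsh()
    # to audit the local machine.
    report = exposed_groups(parse_joins(SAMPLE_NETSH_JOINS))
    for iface, groups in report.items():
        print(f"{iface}: joined to non-all-hosts groups {groups} -> patch MS08-001")
    if not report:
        print("only 224.0.0.1 joined: no IGMP attack vector by default")
```

The regex deliberately accepts any amount of whitespace between the columns,
since the post's own output is not aligned; a host whose output lists only
224.0.0.1 yields an empty report, matching the answer to Question 1.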
Question 3: Even if a server is not joined to a multicast group other than
224.0.0.1 <http://224.0.0.1/> , could it still be affected if an attacker
sent a *unicast* IGMP packet?
Answer: No. Though the host would receive the unicast IGMP packet, a valid
multicast address needs to be contained in the IGMP query payload, so the
packet would be ignored.
Published Thursday, January 10, 2008 5:00 PM by migrady
<http://blogs.technet.com/user/Profile.aspx?UserID=26018>
Filed under: IGMP <http://blogs.technet.com/swi/archive/tags/IGMP/default.aspx>,
attack vector <http://blogs.technet.com/swi/archive/tags/attack+vector/default.aspx>,
UPnP <http://blogs.technet.com/swi/archive/tags/UPnP/default.aspx>,
multicast group <http://blogs.technet.com/swi/archive/tags/multicast+group/default.aspx>,
netsh <http://blogs.technet.com/swi/archive/tags/netsh/default.aspx>
[Ph4nt0m] <http://www.ph4nt0m.org/>
[Ph4nt0m Security Team]
<http://blog.ph4nt0m.org/> 刺@ph4nt0m
Email: a...@ph4nt0m.org
PingMe:
<http://cn.pingme.messenger.yahoo.com/webchat/ajax_webchat.php?yid=han...
hq&sig=9ae1bbb1ae99009d8859e88e899ab2d1c2a17724>
=== V3ry G00d, V3ry Str0ng ===
=== Ultim4te H4cking ===
=== XPLOITZ ! ===
=== #_# ===
#If you brave,there is nothing you cannot achieve.#