MS08-001

Part 3 of our MS08-001 blog post series
<http://blogs.technet.com/swi/archive/2008/01/08/ms08-001-part-3-the-case-of-the-igmp-network-critical.aspx> mentioned that Windows Server 2003 does
not expose an attack vector to the vulnerable IGMP code execution
vulnerability by default. Windows XP and Vista enable UPnP (Universal
Plug-and-Play) which exposes an attack vector to the vulnerable code but
Windows Server 2003 does not enable UPnP. As a result, the WS03 machine
will ignore IGMP messages received from the network.

We have received a few questions about Windows Server 2003's exposure to the
IGMP vulnerability.

Question 1: By default, Win2k3 server joins to multicast group 224.0.0.1.
Does it mean that Win2K3 is vulnerable by default? And the rating in MSRC
bulletin is wrong?

Answer: The bulletin rating is correct. Win2k3 server is not vulnerable to
IGMP issue when it only joins to 224.0.0.1.

Observe the netsh command output on a default configuration of Win2K3
server:

>netsh int ip show joins

Interface Addr Multicast Group

--------------- ---------------

10.1.1.1 224.0.0.1

224.0.0.1 is all hosts on the subnet. The reason that win2k3 server is not
vulnerable despite being joined to 224.0.0.1 is because Windows ignores
IGMP queries to that address. Here's the actual code:

} else {
// If all-hosts address, ignore it
if (IP_ADDR_EQUAL(IQH->igh_addr, ALL_HOST_MCAST)) {
DEBUGMSG(DBG_WARN && DBG_IGMP,
(DTEXT("Dropping IGMPv3 query for the All-Hosts
group/n")));
return;
}

Question 2: How can I tell whether my Windows Server 2003 machine is
vulnerable?

Answer: If the server joins to any multicast group other than 224.0.0.1,
then it is vulnerable to IGMP attack.

Using the following netsh command will show the multicast groups to which
the machine is joined.

netsh int ip show joins

For example, if the WINS component is enabled in Win2k3 server, the output
of the netsh command above would be:

Interface Addr Multicast Group

--------------- ---------------

10.1.1.1 224.0.0.1
10.1.1.1 224.0.1.24

224.0.1.24 is IP multicast group for WINS. The configuration above (if
unpatched) is vulnerable to the IGMP attack.

Question 3: Even if a server is not joined to a multicast group other than
224.0.0.1, could it still be affected if an attacker sent a *unicast* IGMP
packet?

Answer: No. Though the host would receive the unicast IGMP packet, valid
multicast address needs to be contained in IGMP query payload so the packet
would be ignored.

Published Thursday, January 10, 2008 5:00 PM by migrady
<http://blogs.technet.com/user/Profile.aspx?UserID=26018>

Filed under: IGMP
<http://blogs.technet.com/swi/archive/tags/IGMP/default.aspx> , attack
<http://blogs.technet.com/swi/archive/tags/attack+vector/default.aspx>
vector, UPnP <http://blogs.technet.com/swi/archive/tags/UPnP/default.aspx> ,
multicast
<http://blogs.technet.com/swi/archive/tags/multicast+group/default.aspx>
group, netsh <http://blogs.technet.com/swi/archive/tags/netsh/default.aspx>