MS08-001
Part 3 of our MS08-001 blog post series
<http://blogs.technet.com/swi/archive/2008/01/08/ms08-001-part-3-the-case-of-the-igmp-network-critical.aspx> mentioned that Windows Server 2003 does
not expose an attack vector to the IGMP code execution
vulnerability by default. Windows XP and Vista enable UPnP (Universal
Plug-and-Play), which exposes an attack vector to the vulnerable code, but
Windows Server 2003 does not enable UPnP. As a result, the WS03 machine
will ignore IGMP messages received from the network.
We have received a few questions about Windows Server 2003's exposure to the
IGMP vulnerability.
Question 1: By default, Win2k3 server joins multicast group 224.0.0.1.
Does that mean Win2K3 is vulnerable by default, and that the rating in the
MSRC bulletin is wrong?
Answer: The bulletin rating is correct. Win2k3 server is not vulnerable to
the IGMP issue when it has joined only 224.0.0.1.
Observe the netsh command output on a default configuration of Win2K3
server:
    Interface Addr   Multicast Group
    ---------------  ---------------
    10.1.1.1         224.0.0.1
224.0.0.1 is the all-hosts group on the subnet. Win2k3 server is not
vulnerable despite being joined to 224.0.0.1 because Windows ignores
IGMP queries to that address. Here's the actual code:
    } else {
        // If all-hosts address, ignore it
        if (IP_ADDR_EQUAL(IQH->igh_addr, ALL_HOST_MCAST)) {
            DEBUGMSG(DBG_WARN && DBG_IGMP,
                (DTEXT("Dropping IGMPv3 query for the All-Hosts group\n")));
            return;
        }
Question 2: How can I tell whether my Windows Server 2003 machine is
vulnerable?
Answer: If the server has joined any multicast group other than 224.0.0.1,
then it is vulnerable to the IGMP attack.
The following netsh command shows the multicast groups that the machine
has joined:
    netsh int ip show joins
For example, if the WINS component is enabled in Win2k3 server, the output
of the netsh command above would be:
    Interface Addr   Multicast Group
    ---------------  ---------------
    10.1.1.1         224.0.0.1
    10.1.1.1         224.0.1.24
224.0.1.24 is the IP multicast group for WINS. The configuration above (if
unpatched) is vulnerable to the IGMP attack.
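An added example, not part of the original post and not Microsoft's code: a Python check that applies the rule from the answer above to saved output of the netsh command, reporting any joined multicast group other than 224.0.0.1. The function names and the sample text are constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# All-hosts group; per the post, IGMP queries addressed to it are dropped.
ALL_HOSTS = ipaddress.IPv4Address("224.0.0.1")


def parse_joins(netsh_output):
    """Return {interface address: [joined multicast groups]} parsed from
    'netsh int ip show joins' output. Header, separator and blank lines are
    skipped because they do not parse as two IPv4 addresses."""
    joins = defaultdict(list)
    for line in netsh_output.splitlines():
        fields = line.split()
        if len(fields) != 2:
            continue
        try:
            iface, group = (ipaddress.IPv4Address(f) for f in fields)
        except ipaddress.AddressValueError:
            continue
        if group.is_multicast:
            joins[str(iface)].append(group)
    return dict(joins)


def exposed_groups(netsh_output):
    """Groups other than 224.0.0.1, per interface. A non-empty result is the
    condition the post describes as vulnerable when the server is unpatched."""
    result = {}
    for iface, groups in parse_joins(netsh_output).items():
        extra = [str(g) for g in groups if g != ALL_HOSTS]
        if extra:
            result[iface] = extra
    return result


# Constructed sample input, modelled on the two outputs shown in the post.
DEFAULT_OUTPUT = """\
Interface Addr   Multicast Group
---------------  ---------------
10.1.1.1         224.0.0.1
"""
WINS_OUTPUT = DEFAULT_OUTPUT + "10.1.1.1         224.0.1.24\n"

if __name__ == "__main__":
    for name, text in (("default", DEFAULT_OUTPUT), ("WINS enabled", WINS_OUTPUT)):
        print(name, "->", exposed_groups(text) or "only all-hosts joined")
```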
Question 3: Even if a server is not joined to a multicast group other than
224.0.0.1, could it still be affected if an attacker sent a *unicast* IGMP
packet?
Answer: No. Though the host would receive the unicast IGMP packet, a valid
multicast address needs to be contained in the IGMP query payload, so the
packet would be ignored.
Published Thursday, January 10, 2008 5:00 PM by migrady
<http://blogs.technet.com/user/Profile.aspx?UserID=26018>
Filed under:
IGMP <http://blogs.technet.com/swi/archive/tags/IGMP/default.aspx>,
attack vector <http://blogs.technet.com/swi/archive/tags/attack+vector/default.aspx>,
UPnP <http://blogs.technet.com/swi/archive/tags/UPnP/default.aspx>,
multicast group <http://blogs.technet.com/swi/archive/tags/multicast+group/default.aspx>,
netsh <http://blogs.technet.com/swi/archive/tags/netsh/default.aspx>