Full Disclosure mailing list archives
Re: Blaster: will it spread without tftp?
From: "Matthew Murphy" <mattmurphy () kc rr com>
Date: Tue, 12 Aug 2003 16:48:27 -0500
"Maarten" <subscriptions () hartsuijker com> writes:
I was wondering about the following scenario: Lots of corporate network are protected by firewalls and users are forced
to
use a proxy server to connect to the internet. Because of the firewalling, the worm will not be able to infect the clients directly from the
Internet.
Of course there are always servers that are building bridges between the corporate network and the internet or laptop users that get infected by using their dial-up/DSL @ home. But if the worm enters the network through for instance an infected
laptop,
can it still spread around on the network? By analyzing the threads on
this
list and reading the info provided by anti-virus vendors I tend to draw
the
following conclusion. - A worm can enter the network through an infected laptop/workstation or a vulnerable server connected to the internet. - these infected machines can exploit the vulnerability on other
vulnerable
systems on the Internal network causing them to reboot (and reboot, and reboot) - since these other vulnerable systems are using a proxy server to connect to the internet and a firewall prevents all other connections, tftp
servers
on the Internet can not be accessed - since tftp servers can not be accessed, msblaster.exe can not be downloaded - since msblaster.exe can not be downloaded these other systems will not start to infect other systems... Am I correct on these last two points? Or is this only true in case
someone
puts an infected laptop on the network (that is not able to connect to the internet using tftp, while a webserver might be when it is located in a misconfigured DMZ environment)?
Incorrect, for most setups. Some firewalls at the router (NAT, for instance) block packets into/out of the LAN. This means that machines from the internet cannot communicate with the LAN, and visa versa. However, machines on the LAN can communicate with *each other* (thus the ability to connect to the proxy server). So, if an infected system is introduced, it *can* spread to the LAN, but infections of systems on the internet will fail, as they cannot TFTP back to the firewalled box.
Of course this is only one worm variant exploiting this vulnerability and we might have a totally different case
on
the next one, but I am still curious if I am on the right track understanding the impact of the worm.
Yes, indeed. Had the worm author been more skilled, we probably would have seen a Code Red style worm, with the entire worm transmitted as shellcode in the initial packet exchange over 135/tcp. This would eliminate the efficacy of blocking TFTP (69/udp) or 4444/tcp.
I also read something about SP0|1|2 on W2K not being vulnerable to
msblaster
(probably because of the "universal" offsets used). Is there anyone that
can
confirm this finding?
I can refute this finding. Windows 2000 (all service packs) is being actively exploited by this worm. Compromised Windows 2000 boxes have been probing fairly consistently. eEye's official write-up specifically mentions W2K Gold-SP2 as vulnerable. By "Universal" offset, they weren't kidding -- one offset works on Windows 2000 Gold-SP4, all languages, and one offset works on Windows XP Gold/SP1 32-bit, all languages. _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Current thread:
- RE: ISS Security Brief: "MS Blast" MSRPC DCOM Worm Propagation (fwd), (continued)
- RE: ISS Security Brief: "MS Blast" MSRPC DCOM Worm Propagation (fwd) Joey (Aug 13)
- RE: ISS Security Brief: 'MS Blast' MSRPC DCOM Worm Propagation (fwd) Daniele Muscetta (Aug 14)
- RE: ISS Security Brief: 'MS Blast' MSRPC DCOM Worm Propagation (fwd) Joey (Aug 14)
- RE: ISS Security Brief: 'MS Blast' MSRPC DCOM Worm Propagation (fwd) Daniele Muscetta (Aug 14)
- Re: ISS Security Brief: "MS Blast" MSRPC DCOM Worm Propagation (fwd) morning_wood (Aug 12)
- Blaster: will it spread without tftp? Maarten (Aug 12)
- Re: Blaster: will it spread without tftp? Craig Pratt (Aug 12)
- Re: Blaster: will it spread without tftp? Maarten Hartsuijker (Aug 12)
- Re: Blaster: will it spread without tftp? Jim Clausing (Aug 12)
- Re: Blaster: will it spread without tftp? Matthew Murphy (Aug 12)
- RE: Blaster: will it spread without tftp? Derek Soeder (Aug 12)
- Re: Blaster: will it spread without tftp? Nick FitzGerald (Aug 12)
- Re: Blaster: will it spread without tftp? Russell Fulton (Aug 12)
- Re: Blaster: will it spread without tftp? Gregory Steuck (Aug 13)
- Re: ISS Security Brief: "MS Blast" MSRPC DCOM Worm Propagation (fwd) Gregory Steuck (Aug 13)