
Re: [Full-Disclosure] Blaster: will it spread without tftp?



"Maarten" <subscriptions@hartsuijker.com> writes:

> I was wondering about the following scenario:
>
> Lots of corporate networks are protected by firewalls and users are forced
> to use a proxy server to connect to the internet. Because of the firewalling,
> the worm will not be able to infect the clients directly from the Internet.
> Of course there are always servers that are building bridges between the
> corporate network and the internet or laptop users that get infected by
> using their dial-up/DSL @ home.
>
> But if the worm enters the network through for instance an infected laptop,
> can it still spread around on the network? By analyzing the threads on this
> list and reading the info provided by anti-virus vendors I tend to draw the
> following conclusion.
>
> - A worm can enter the network through an infected laptop/workstation or a
> vulnerable server connected to the internet.
> - these infected machines can exploit the vulnerability on other vulnerable
> systems on the Internal network causing them to reboot (and reboot, and
> reboot)
> - since these other vulnerable systems are using a proxy server to connect
> to the internet and a firewall prevents all other connections, tftp servers
> on the Internet can not be accessed
> - since tftp servers can not be accessed, msblaster.exe can not be
> downloaded
> - since msblaster.exe can not be downloaded these other systems will not
> start to infect other systems...
>
> Am I correct on these last two points? Or is this only true in case someone
> puts an infected laptop on the network (that is not able to connect to the
> internet using tftp, while a webserver might be when it is located in a
> misconfigured DMZ environment)?

Incorrect, for most setups.  Some firewalls at the router (NAT, for
instance) block packets into/out of the LAN.  This means that machines from
the internet cannot communicate with the LAN, and vice versa.  However,
machines on the LAN can communicate with *each other* (thus the ability to
connect to the proxy server).  So, if an infected system is introduced, it
*can* spread to the LAN, but infections of systems on the internet will
fail, as they cannot TFTP back to the firewalled box.

> Of course this is only one worm variant
> exploiting this vulnerability and we might have a totally different case on
> the next one, but I am still curious if I am on the right track
> understanding the impact of the worm.

Yes, indeed.  Had the worm author been more skilled, we probably would have
seen a Code Red style worm, with the entire worm transmitted as shellcode in
the initial packet exchange over 135/tcp.  This would eliminate the efficacy
of blocking TFTP (69/udp) or 4444/tcp.

> I also read something about SP0|1|2 on W2K not being vulnerable to msblaster
> (probably because of the "universal" offsets used). Is there anyone that can
> confirm this finding?

I can refute this finding.  Windows 2000 (all service packs) is being
actively exploited by this worm.  Compromised Windows 2000 boxes have been
probing fairly consistently.  eEye's official write-up specifically mentions
W2K Gold-SP2 as vulnerable.  By "Universal" offset, they weren't kidding --
one offset works on Windows 2000 Gold-SP4, all languages, and one offset
works on Windows XP Gold/SP1 32-bit, all languages.
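
The propagation chain discussed in this thread (exploit over 135/tcp, shell on 4444/tcp, then the victim pulling msblaster.exe back from the attacker over tftp 69/udp) lends itself to a simple flow-log correlation, added here as an example that is not part of the thread. It assumes space-separated flow records of the form "timestamp src dst proto dport" and uses a constructed log in which an infected LAN laptop fully infects one LAN host, only crashes a second, and reaches an internet host on 135 and 4444 but never sees the tftp pull back through the firewall.

```python
from collections import defaultdict

# Constructed flow log (not real traffic): "timestamp src dst proto dport".
# 10.0.0.5 is an infected LAN laptop; 198.51.100.7 is a host on the internet.
SAMPLE_FLOWS = """\
1 10.0.0.5 10.0.0.9 tcp 135
2 10.0.0.5 10.0.0.9 tcp 4444
3 10.0.0.9 10.0.0.5 udp 69
4 10.0.0.5 10.0.0.12 tcp 135
5 10.0.0.5 198.51.100.7 tcp 135
6 10.0.0.5 198.51.100.7 tcp 4444
"""

def parse_flows(text):
    """Parse one flow per line into (ts, src, dst, proto, dport) tuples."""
    flows = []
    for line in text.splitlines():
        ts, src, dst, proto, dport = line.split()
        flows.append((int(ts), src, dst, proto.lower(), int(dport)))
    return flows

def classify_pairs(flows, window=60):
    """For each (attacker, victim) pair, the furthest Blaster stage reached in
    order within `window` seconds of the first 135/tcp hit:
      'rpc'      - 135/tcp only (victim most likely just crashed/rebooted)
      'shell'    - 135/tcp then 4444/tcp, but no payload pulled back
      'infected' - victim then fetched the payload from the attacker on 69/udp
    """
    stage, first_hit = {}, {}
    for ts, src, dst, proto, dport in sorted(flows):
        pair = (src, dst)
        if proto == "tcp" and dport == 135:
            stage[pair], first_hit[pair] = "rpc", ts
        elif (proto == "tcp" and dport == 4444 and stage.get(pair) == "rpc"
              and ts - first_hit[pair] <= window):
            stage[pair] = "shell"
        elif proto == "udp" and dport == 69:
            rev = (dst, src)  # tftp runs victim -> attacker, so flip the pair
            if stage.get(rev) == "shell" and ts - first_hit[rev] <= window:
                stage[rev] = "infected"
    return stage

def rpc_scanners(flows, min_targets=3):
    """Sources that hit 135/tcp on at least `min_targets` distinct hosts."""
    targets = defaultdict(set)
    for _, src, dst, proto, dport in flows:
        if proto == "tcp" and dport == 135:
            targets[src].add(dst)
    return sorted(s for s, t in targets.items() if len(t) >= min_targets)
```

A pair stuck at 'shell' with an internet-side victim is exactly the case the reply describes: the exploit lands but the tftp fetch back to the firewalled box never completes, so that target does not become a new spreader.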

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html