Full Disclosure mailing list archives
Re: Blaster: will it spread without tftp?
From: Craig Pratt <craig () strong-box net>
Date: Tue, 12 Aug 2003 14:26:04 -0700
On Tuesday, Aug 12, 2003, at 13:19 US/Pacific, Maarten wrote:

> I was wondering about the following scenario:
>
> Lots of corporate networks are protected by firewalls and users are forced to use a proxy server to connect to the internet. Because of the firewalling, the worm will not be able to infect the clients directly from the Internet. Of course there are always servers that are building bridges between the corporate network and the internet or laptop users that get infected by using their dial-up/DSL @ home.
>
> But if the worm enters the network through for instance an infected laptop, can it still spread around on the network? By analyzing the threads on this list and reading the info provided by anti-virus vendors I tend to draw the following conclusion.
>
> - A worm can enter the network through an infected laptop/workstation or a vulnerable server connected to the internet.

yeah

> - these infected machines can exploit the vulnerability on other vulnerable systems on the Internal network causing them to reboot (and reboot, and reboot)

yeah

> - since these other vulnerable systems are using a proxy server to connect to the internet and a firewall prevents all other connections, tftp servers on the Internet can not be accessed

yeah - but msblast uses the infected host as a tftp server. There are no centralized servers involved.

> - since tftp servers can not be accessed, msblaster.exe can not be downloaded

nope. It can be downloaded from the infected host(s). It'll spread inside the Intranet just fine.

> - since msblaster.exe can not be downloaded these other systems will not start to infect other systems...

nope. The infected systems will seek out new targets.

> Am I correct on these last two points? Or is this only true in case someone puts an infected laptop on the network (that is not able to connect to the internet using tftp, while a webserver might be when it is located in a misconfigured DMZ environment)? Of course this is only one worm variant exploiting this vulnerability and we might have a totally different case on the next one, but I am still curious if I am on the right track understanding the impact of the worm.

Buckle your seatbelt, it's going to be a bumpy night - at least for you. ;^)

And be glad msblast doesn't do more damage. It could have been sooo much worse. But I'm sure the bad ones are waiting in the wings.

> I also read something about SP0|1|2 on W2K not being vulnerable to msblaster (probably because of the "universal" offsets used). Is there anyone that can confirm this finding?

Can't comment on that.

> maarten
Craig

---
Craig Pratt
Strongbox Network Services Inc.
mailto:craig () strong-box net
dtmf:503.706.2933

--
This message checked for dangerous content by MailScanner on StrongBox.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
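The reply above says the infected host itself acts as the tftp server, so a perimeter firewall does not stop spread inside the network. As an added example (not part of the original message), this sketch flags that pattern in internal flow records: a host that fetches over TFTP from the peer that has just connected to its RPC port. The `Flow` record layout, the `10.0.0.0/8` internal range, the 120-second window and the sample flows are assumptions made for illustration; TCP/135 is the DCOM RPC port and UDP/69 is TFTP.

```python
import ipaddress
from collections import namedtuple

# Assumed flow-record layout: epoch seconds, source, destination, protocol, dest port
Flow = namedtuple("Flow", "ts src dst proto dport")

INTERNAL = ipaddress.ip_network("10.0.0.0/8")  # assumed internal address range
RPC_PORT = 135   # DCOM RPC (TCP), the service the worm exploits
TFTP_PORT = 69   # TFTP (UDP), served by the already-infected host
WINDOW = 120     # assumed max seconds between the RPC hit and the TFTP fetch

def is_internal(ip):
    return ipaddress.ip_address(ip) in INTERNAL

def find_internal_spread(flows):
    """Return (infector, victim, rpc_ts, tftp_ts) for internal pairs where the
    victim requested a file over TFTP from the host that just hit its TCP/135."""
    rpc_hits = {}   # (source, target) -> time of the latest TCP/135 connection
    findings = []
    for f in sorted(flows, key=lambda f: f.ts):
        if not (is_internal(f.src) and is_internal(f.dst)):
            continue  # only host-to-host traffic inside the perimeter matters here
        if f.proto == "tcp" and f.dport == RPC_PORT:
            rpc_hits[(f.src, f.dst)] = f.ts
        elif f.proto == "udp" and f.dport == TFTP_PORT:
            # The TFTP request runs victim -> infector, the reverse of the RPC hit
            rpc_ts = rpc_hits.get((f.dst, f.src))
            if rpc_ts is not None and f.ts - rpc_ts <= WINDOW:
                findings.append((f.dst, f.src, rpc_ts, f.ts))
    return findings

# Constructed sample flows (not captured traffic)
SAMPLE = [
    Flow(100, "10.1.1.50", "10.1.1.60", "tcp", 135),    # infected laptop hits a workstation
    Flow(103, "10.1.1.60", "10.1.1.50", "udp", 69),     # workstation fetches from the laptop
    Flow(110, "10.1.1.50", "10.1.1.61", "tcp", 135),    # no fetch follows: not flagged
    Flow(200, "10.1.1.60", "10.1.1.62", "tcp", 135),    # the workstation now seeks targets
    Flow(204, "10.1.1.62", "10.1.1.60", "udp", 69),
    Flow(300, "10.1.1.70", "10.1.1.5", "udp", 69),      # TFTP with no prior RPC hit
    Flow(400, "10.1.1.60", "198.51.100.7", "tcp", 135), # leaves the internal range
]

if __name__ == "__main__":
    for infector, victim, t0, t1 in find_internal_spread(SAMPLE):
        print(f"{infector} served TFTP to {victim} {t1 - t0}s after hitting its TCP/135")
```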