lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
From: nick at virus-l.demon.co.uk (Nick FitzGerald) Subject: Blaster: will it spread without tftp? "Maarten" <subscriptions@...tsuijker.com> wrote: > I was wondering about the following scenario: <<snip>> > - since these other vulnerable systems are using a proxy server to connect > to the internet and a firewall prevents all other connections, tftp servers > on the Internet can not be accessed Good up to here, but then... > - since tftp servers can not be accessed, msblaster.exe can not be > downloaded No. When the worm connects from its current victim to a new, vulnerable host it tells the new victim to TFTP the worm's .EXE from the current victim machine where the worm briefly sets up a TFTP thread to serve its .EXE. > - since msblaster.exe can not be downloaded these other systems will not > start to infect other systems... Nope, because of the above. > Am I correct on these last two points? Or is this only true in case someone > puts an infected laptop on the network (that is not able to connect to the > internet using tftp, while a webserver might be when it is located in a > misconfigured DMZ environment)? Of course this is only one worm variant > exploiting this vulnerability and we might have a totally different case on > the next one, but I am still curious if I am on the right track > understanding the impact of the worm. You seem to have missed the important point that the worm acts as its own TFTP server for infecting the next host. > I also read something about SP0|1|2 on W2K not being vulnerable to msblaster > (probably because of the "universal" offsets used). Is there anyone that can > confirm this finding? I believe this is now well confirmed to be incorrect. ... A further observation I've not seen elsewhere is just begging to be made, and as it indirectly relates to TFTP, why not here... "Least privilege" and "minimized services" are standard security mantra, right? If so, WTF do so many Windows boxes even have TFTP client executables installed? What proportion of "normal users" has _any_ real need for TFTP these days? In fact, who in their right mind would use it at all?? Ditto RCP and RSH amongst much other archaic and/or arcane crap that MS seems to feel "needs" to be on every box under the sun. Sure, removing these tools does not completely fix your boxes, but by setting the bar higher you should be increasing the average complexity needed for any possible attack scenario to be successfully exploited _on your boxes_. In turn, that reduces the likely success of something like this that seems to have been thrown together in ten minutes by some ankle-biting skiddie... Regards, Nick FitzGerald
Powered by blists - more mailing lists