Message-ID: <9464AE54-CD0B-11D7-88AB-000393B972BA@strong-box.net>
From: craig at strong-box.net (Craig Pratt)
Subject: Blaster: will it spread without tftp?
On Tuesday, Aug 12, 2003, at 13:19 US/Pacific, Maarten wrote:
> I was wondering about the following scenario:
>
> Lots of corporate networks are protected by firewalls and users are
> forced to use a proxy server to connect to the internet. Because of the
> firewalling, the worm will not be able to infect the clients directly
> from the Internet. Of course there are always servers that are building
> bridges between the corporate network and the internet or laptop users
> that get infected by using their dial-up/DSL @ home.
>
> But if the worm enters the network through for instance an infected
> laptop, can it still spread around on the network? By analyzing the
> threads on this list and reading the info provided by anti-virus
> vendors I tend to draw the following conclusion.
>
> - A worm can enter the network through an infected laptop/workstation
>   or a vulnerable server connected to the internet.
yeah
> - these infected machines can exploit the vulnerability on other
>   vulnerable systems on the Internal network causing them to reboot
>   (and reboot, and reboot)
yeah
> - since these other vulnerable systems are using a proxy server to
>   connect to the internet and a firewall prevents all other
>   connections, tftp servers on the Internet can not be accessed
yeah - but msblast uses the infected host as a tftp server. There are
no centralized servers involved.
> - since tftp servers can not be accessed, msblaster.exe can not be
>   downloaded
nope. It can be downloaded from the infected host(s). It'll spread
inside the Intranet just fine.
> - since msblaster.exe can not be downloaded these other systems will
>   not start to infect other systems...
nope. The infected systems will seek out new targets.
> Am I correct on these last two points? Or is this only true in case
> someone puts an infected laptop on the network (that is not able to
> connect to the internet using tftp, while a webserver might be when it
> is located in a misconfigured DMZ environment)? Of course this is only
> one worm variant exploiting this vulnerability and we might have a
> totally different case on the next one, but I am still curious if I am
> on the right track understanding the impact of the worm.
Buckle your seatbelt, it's going to be a bumpy night - at least for
you. ;^)
And be glad msblast doesn't do more damage. It could have been sooo
much worse. But I'm sure the bad ones are waiting in the wings.
> I also read something about SP0|1|2 on W2K not being vulnerable to
> msblaster (probably because of the "universal" offsets used). Is there
> anyone that can confirm this finding?
Can't comment on that.
>
> maarten
Craig
---
Craig Pratt
Strongbox Network Services Inc.
mailto:craig@...ong-box.net
dtmf:503.706.2933
--
This message checked for dangerous content by MailScanner on StrongBox.
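
Added example, not part of the original message: a sketch of how a defender could spot the host-to-host spread described in the reply, by flagging an internal host that opens a TFTP request (69/udp) back to a peer that has just connected to its 135/tcp. The flow-record layout, the addresses and the 60-second window are constructed assumptions; 135/tcp as the RPC port Blaster exploited comes from public advisories, not from this thread.

```python
from collections import defaultdict

# Constructed flow records: (time_s, src, dst, proto, dst_port)
FLOWS = [
    (0,   "10.1.5.20", "10.1.5.31", "tcp", 135),   # infected laptop hits a peer
    (2,   "10.1.5.31", "10.1.5.20", "udp", 69),    # peer pulls a file back from it
    (3,   "10.1.5.40", "10.1.9.9",  "tcp", 8080),  # ordinary proxy traffic
    (9,   "10.1.5.31", "10.1.5.32", "tcp", 135),   # new host now seeks targets
    (11,  "10.1.5.32", "10.1.5.31", "udp", 69),
    (12,  "10.1.5.40", "10.1.5.20", "udp", 69),    # TFTP with no preceding 135/tcp
    (300, "10.1.5.20", "10.1.5.50", "tcp", 135),
    (900, "10.1.5.50", "10.1.5.20", "udp", 69),    # too late to correlate
]

WINDOW_S = 60  # assumed correlation window between the 135/tcp hit and the pull


def find_tftp_pullbacks(flows, window=WINDOW_S):
    """Return (serving_host, pulling_host, time) for each TFTP request sent
    back to a host that connected to the requester's 135/tcp within `window`."""
    last_rpc = {}  # (src, dst) -> time of the most recent 135/tcp connection
    hits = []
    for t, src, dst, proto, port in sorted(flows):
        if proto == "tcp" and port == 135:
            last_rpc[(src, dst)] = t
        elif proto == "udp" and port == 69:
            seen = last_rpc.get((dst, src))  # did dst contact src first?
            if seen is not None and 0 <= t - seen <= window:
                hits.append((dst, src, t))
    return hits


def infection_chain(hits):
    """Group pulling hosts under the host that served them the file."""
    chain = defaultdict(list)
    for server, victim, _ in hits:
        chain[server].append(victim)
    return dict(chain)


if __name__ == "__main__":
    for server, victim, t in find_tftp_pullbacks(FLOWS):
        print(f"t={t}s {victim} fetched over TFTP from {server}")
```

Every flagged pair is internal-to-internal, so the perimeter firewall and the proxy never see this traffic; the data has to come from internal flow or switch logs.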