lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <Pine.LNX.4.44.0308121741050.18217-100000@leibnitz.pick.clausing.us>
From: clausing at ieee.org (Jim Clausing)
Subject: Blaster: will it spread without tftp?

	This is incorrect.  It will tftp back to the machine that infected
it.  I've spent the past 12 hours cleaning up a network where tftp to the
internet was blocked.

---Jim

On or about Tue, 12 Aug 2003, Maarten pontificated thusly:

> I was wondering about the following scenario:
>
> Lots of corporate network are protected by firewalls and users are forced to
> use a proxy server to connect to the internet. Because of the firewalling,
> the worm will not be able to infect the clients directly from the Internet.
> Of course there are always servers that are building bridges between the
> corporate network and the internet or laptop users that get infected by
> using their dial-up/DSL @ home.
>
> But if the worm enters the network through for instance an infected laptop,
> can it still spread around on the network? By analyzing the threads on this
> list and reading the info provided by anti-virus vendors I tend to draw the
> following conclusion.
>
> - A worm can enter the network through an infected laptop/workstation or a
> vulnerable server connected to the internet.
> - these infected machines can exploit the vulnerability on other vulnerable
> systems on the Internal network causing them to reboot (and reboot, and
> reboot)
> - since these other vulnerable systems are using a proxy server to connect
> to the internet and a firewall prevents all other connections, tftp servers
> on the Internet can not be accessed
> - since tftp servers can not be accessed, msblaster.exe can not be
> downloaded
> - since msblaster.exe can not be downloaded these other systems will not
> start to infect other systems...
>
> Am I correct on these last two points? Or is this only true in case someone
> puts an infected laptop on the network (that is not able to connect to the
> internet using tftp, while a webserver might be when it is located in a
> misconfigured DMZ environment)? Of course this is only one worm variant
> exploiting this vulnerability and we might have a totally different case on
> the next one, but I am still curious if I am on the right track
> understanding the impact of the worm.
>
> I also read something about SP0|1|2 on W2K not being vulnerable to msblaster
> (probably because of the "universal" offsets used). Is there anyone that can
> confirm this finding?
>
> maarten
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
>

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ