lists.openwall.net
Open Source and information security mailing list archives
Message-ID: <20030812220259.GA5653@squirrelsoup.net>
From: f0x at squirrelsoup.net (Gabe Arnold)
Subject: (forw) [f0x@...irrelsoup.net: Re: Blaster: will it spread without tftp?]

Subject: Re: [Full-Disclosure] Blaster: will it spread without tftp?

This is a good point.  One thing that would help as well is if firewall admins just blocked all tftp 
connections, since it is rarely used. Since TFTP is the backbone of how this worm spreads, it would get rid 
of any spread in the laptop or desktop situations.  And in the case of DMZed servers, they should be blocked 
off of the main LAN if you're any good.  This is a good point and a practical solution to large LANs that 
could have potential laptops coming from outside.
My $.02, what does the list think?
--Gabe
 
* Maarten (subscriptions@...tsuijker.com) wrote:
> I was wondering about the following scenario:
> 
> Lots of corporate networks are protected by firewalls and users are forced to
> use a proxy server to connect to the internet. Because of the firewalling,
> the worm will not be able to infect the clients directly from the Internet.
> Of course there are always servers that are building bridges between the
> corporate network and the internet or laptop users that get infected by
> using their dial-up/DSL @ home.
> 
> But if the worm enters the network through for instance an infected laptop,
> can it still spread around on the network? By analyzing the threads on this
> list and reading the info provided by anti-virus vendors I tend to draw the
> following conclusion.
> 
> - A worm can enter the network through an infected laptop/workstation or a
> vulnerable server connected to the internet.
> - these infected machines can exploit the vulnerability on other vulnerable
> systems on the Internal network causing them to reboot (and reboot, and
> reboot)
> - since these other vulnerable systems are using a proxy server to connect
> to the internet and a firewall prevents all other connections, tftp servers
> on the Internet can not be accessed
> - since tftp servers can not be accessed, msblaster.exe can not be
> downloaded
> - since msblaster.exe can not be downloaded these other systems will not
> start to infect other systems...
> 
> Am I correct on these last two points? Or is this only true in case someone
> puts an infected laptop on the network (that is not able to connect to the
> internet using tftp, while a webserver might be when it is located in a
> misconfigured DMZ environment)? Of course this is only one worm variant
> exploiting this vulnerability and we might have a totally different case on
> the next one, but I am still curious if I am on the right track
> understanding the impact of the worm.
> 
> I also read something about SP0|1|2 on W2K not being vulnerable to msblaster
> (probably because of the "universal" offsets used). Is there anyone that can
> confirm this finding?
> 
> maarten
> 
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
> 

----- End forwarded message -----
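As an added example (not part of the thread): the point made above is that outbound TFTP from a LAN is rare enough that blocking it is cheap, and the same rarity makes it a useful detection signal for hosts trying to fetch the worm payload. The script below runs over constructed iptables-style firewall log lines, assumes 10.0.0.0/8 as the internal range, and flags internal hosts that initiate TFTP to outside servers while ignoring server replies and TFTP that stays inside the LAN.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed iptables-style log lines (not from the original thread).
# The corporate LAN is assumed to be 10.0.0.0/8; anything else is "outside".
INTERNAL_NET = ip_network("10.0.0.0/8")
TFTP_PORT = 69
SAMPLE_LOG = """\
Aug 12 22:01:03 fw kernel: IN=eth1 OUT=eth0 SRC=10.1.2.50 DST=203.0.113.9 PROTO=UDP SPT=1034 DPT=69 LEN=44
Aug 12 22:01:04 fw kernel: IN=eth1 OUT=eth0 SRC=10.1.2.50 DST=198.51.100.7 PROTO=UDP SPT=1035 DPT=69 LEN=44
Aug 12 22:01:05 fw kernel: IN=eth1 OUT=eth0 SRC=10.1.2.77 DST=192.0.2.20 PROTO=TCP SPT=3112 DPT=80 LEN=60
Aug 12 22:01:06 fw kernel: IN=eth0 OUT=eth1 SRC=203.0.113.9 DST=10.1.2.50 PROTO=UDP SPT=69 DPT=1034 LEN=40
Aug 12 22:01:07 fw kernel: IN=eth1 OUT=eth1 SRC=10.1.2.77 DST=10.1.9.1 PROTO=UDP SPT=1040 DPT=69 LEN=44
Aug 12 22:01:08 fw kernel: IN=eth1 OUT=eth0 SRC=10.1.2.60 DST=192.0.2.20 PROTO=ICMP TYPE=8 CODE=0
"""

FIELD_RE = re.compile(r"(SRC|DST|PROTO|SPT|DPT)=(\S+)")

def parse_line(line):
    """Pull the SRC/DST/PROTO/SPT/DPT key=value fields out of one log line.
    Returns None for lines that lack a usable 5-tuple (e.g. ICMP)."""
    fields = dict(FIELD_RE.findall(line))
    if not {"SRC", "DST", "PROTO", "DPT"}.issubset(fields):
        return None
    return fields

def find_outbound_tftp(log_text, internal_net=INTERNAL_NET):
    """Return {internal host: sorted external TFTP servers it tried to reach}.

    Only client-initiated datagrams count: internal source, UDP, destination
    port 69, external destination. Server replies (SPT=69) and TFTP that stays
    inside the LAN (e.g. switch config backups) are deliberately ignored.
    """
    hits = defaultdict(set)
    for line in log_text.splitlines():
        f = parse_line(line)
        if f is None or f["PROTO"] != "UDP" or int(f["DPT"]) != TFTP_PORT:
            continue
        src, dst = ip_address(f["SRC"]), ip_address(f["DST"])
        if src in internal_net and dst not in internal_net:
            hits[str(src)].add(str(dst))
    return {host: sorted(servers) for host, servers in hits.items()}

if __name__ == "__main__":
    for host, servers in find_outbound_tftp(SAMPLE_LOG).items():
        print(f"{host}: TFTP to {len(servers)} outside server(s): {', '.join(servers)}")
```

A host that shows up here after the firewall has started dropping UDP/69 is still worth a look: the drop stops the download, but the attempt itself says the host was already exploited.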
