MS04-010, new vulnerability discovered in MSN Messenger 6.0 and 6.1.
QUOTE
A security vulnerability exists in Microsoft MSN Messenger. The vulnerability exists because of the method used by MSN Messenger to handle a file request. An attacker could exploit this vulnerability by sending a specially crafted request to a user running MSN Messenger. If exploited successfully, the attacker could view the contents of a file on the hard drive without the user's knowledge as long as the attacker knew the location of the file and the user had read access to the file.
To exploit this vulnerability, an attacker would have to know the sign-on name of the MSN Messenger user in order to send the request.
somebody got a good request file to exploit this thing??
NiteWorM
Mar 10 2004, 11:15 AM
sorry mate nah i don't, but sounds like this exploit could be used nastily and a lot of people don't really know about it, and if they do they think they aren't vuln
R0x0r
Mar 10 2004, 11:45 AM
Wow.. It would be nice to know more about that.. Heard about it, but never really tried it on the previous versions.
niko
Mar 10 2004, 03:57 PM
NiteWorm, that kitten is so cute
Yours?
-niko
o0TiTAN0o
Mar 10 2004, 03:59 PM
Hmm sounds very n1
Sedolf
Mar 10 2004, 05:28 PM
only works if you know the sign name so it isn't mass exploit compatible only for annoying friends in the cl
Frenkovic
Mar 11 2004, 02:05 AM
QUOTE (Sedolf @ Mar 10 2004, 05:28 PM)
only works if you know the sign name so it isn't mass exploit compatible only for annoying friends in the cl
gonna screw over some friends
that's always nice
badpig
Mar 11 2004, 05:38 AM
Any one have it ? want exploit.
zero-maitimax
Mar 11 2004, 07:24 AM
i think it's the first time that a good exploit. no info is about it.... i mean like source..
ScriptGod
Mar 11 2004, 08:57 AM
QUOTE
If exploited successfully, the attacker could view the contents of a file on the hard drive without the user's knowledge as long as the attacker knew the location of the file and the user had read access to the file.
there is no possibility of executing code or writing to a file... you can ONLY VIEW some files of the target system if you know the path and the name of the file. NOTHING more.
FakoLy
Mar 11 2004, 09:32 AM
QUOTE (ScriptGod @ Mar 11 2004, 08:57 AM)
QUOTE
If exploited successfully, the attacker could view the contents of a file on the hard drive without the user's knowledge as long as the attacker knew the location of the file and the user had read access to the file.
there is no possibility of executing code or writing to a file... you can ONLY VIEW some files of the target system if you know the path and the name of the file. NOTHING more.
yeah you can only read files but these files could be like.. cookies containing the MD5 Hash for some passwords, credit card numbers, or other information like this.
Schmiel
Mar 11 2004, 10:16 AM
Or a sam file
macman
Mar 11 2004, 10:36 AM
Not so much credit card info etc. as they aren't stored in a default location! Unless you know the full path, I don't think you'll get much. SAM file on the other hand...
[edit] my bad, didn't see the word "cookies". Didn't think cookies stored cc-numbers in general though. Also, cookie names are generally quite unique, so the chances of getting someone's cc-number aren't that high by randomly guessing cookie names.
FakoLy
Mar 11 2004, 03:02 PM
maybe a little brute-force attack could handle this.. or some social engineering
pr0t0type
Mar 11 2004, 03:32 PM
Things like servu, vnc, mysql, etc all use ini files with static or easily guessable paths could be grabbed by this vuln though. and I don't think i need to explain what can happen once you get those files
D3ADLiN3
Mar 11 2004, 03:33 PM
having to know the file paths is a pain :/
Any other good files to grab?
thesensor
Mar 12 2004, 04:48 PM
Some1 got the sploit ??? Pleaseee
gigazer
Mar 13 2004, 03:21 PM
What would the exploit look like (roughly)? Considering it is because of a file request, so the basic details/commands are required for it to work. Anybody know what that might be?
crash3rzz
Mar 13 2004, 03:32 PM
i got it, it drops file to hd\msn installed dir then it tries to spawn a shell
actually i tried it locally works perfect and on my friend works xp\nt
but patch released
Paul
Mar 13 2004, 04:19 PM
QUOTE (crash3rzz @ Mar 13 2004, 03:32 PM)
i got it, it drops file to hd\msn installed dir then it tries to spawn a shell
actually i tried it locally works perfect and on my friend works xp\nt
but patch released
Would be cool if you share it, bet its private though.
tweakz20
Mar 13 2004, 04:45 PM
it would be nice if you could give us a link or something
security focus didn't have one, i didn't find one anywhere
FakoLy
Mar 13 2004, 05:39 PM
QUOTE (crash3rzz @ Mar 13 2004, 03:32 PM)
i got it, it drops file to hd\msn installed dir then it tries to spawn a shell
actually i tried it locally works perfect and on my friend works xp\nt
but patch released
u got it, then share it
gigazer
Mar 13 2004, 07:47 PM
Yeah, share it... i am curious as how Msn could allow such a thing?
technoboy
Mar 13 2004, 08:00 PM
this vuln doesn't allow code execution ...
don't lie to us, you don't have shit
gigazer
Mar 13 2004, 08:44 PM
so has any1 actually got a clue how this exploit/vulnerability works?
oblivion2004
Mar 14 2004, 07:55 PM
Yeah, 99% of the time xp and 2000 users are logged in as Administrator access, you could then use that to retrieve the SAM file and get use L0pht to crack the passwords, from there you could try a Remote desktop or telnet or something of the nature to put in a backdoor...
Very nice, If anyone has it can they please post it? Or perhaps email it to me? Link would even be better! ( kyle1058@mchsi.com )
-oblivion2004
axelfoley643
Mar 14 2004, 07:59 PM
wow very nice
gigazer
Mar 14 2004, 08:11 PM
so how is it done? just a different arrangement or some other modified method of a file request? pls post the code/exploit here if you dont mind
supermax
Mar 14 2004, 11:44 PM
social enginering on somethign bind with an oter attack oould alow u wat file and in wat location and ppl know the vuln is they may be an oter exploit will be out
zero-maitimax
Mar 15 2004, 10:16 AM
QUOTE (crash3rzz @ Mar 13 2004, 03:32 PM)
i got it, it drops file to hd\msn installed dir then it tries to spawn a shell
actually i tried it locally works perfect and on my friend works xp\nt
but patch released
well nice ... for you..
so..? what do we have with this info, nothing right?
maybe the next time you could put the source in here..so we can believe you that you have it..
gigazer
Mar 15 2004, 08:56 PM
^ yeah, i agree. it would be really nice if you actually got the code, to share it. but if you dont, and you are just messing about, well
technoboy
Mar 15 2004, 09:18 PM
QUOTE
social enginering on somethign bind with an oter attack oould alow u wat file and in wat location and ppl know the vuln is they may be an oter exploit will be out
what language is that ?
Niekos
Mar 15 2004, 09:33 PM
Still nobody with some source or something??
gigazer
Mar 16 2004, 05:36 PM
Yeah, does anyone actually have any source code or have any idea exactly how it works?
zero-maitimax
Mar 18 2004, 02:12 PM
found a little more info
There is a flaw in the way nsiislog.dll processes incoming client requests. A vulnerability exists because an attacker could send specially formed HTTP request (communications) to the server that could cause IIS to fail or execute code on the user's system.
private
Mar 18 2004, 04:59 PM
I'm searching the net for the exploit code a long time but i can't find it....
rarr
Mar 19 2004, 08:48 AM
It would appear the exploit was found by accident by someone trying to create a client for msn on mirc.
oh and the chat was carried out on irc.freenode.net channel #ai if anyone's interested.
Anarchiste
Mar 19 2004, 03:44 PM
If only i could have the source code...
FakoLy
Mar 19 2004, 05:11 PM
hmm some interesting infos i'm gonna check the irc log tonight and try to tell you more about it. Regards
rarr
Mar 19 2004, 05:22 PM
unfortunately the chat log doesn't give that much away, only the fact that it was found while trying to create a mirc to msn gateway. Maybe if someone could catch qFox online and have a quiet little chat....
oblivion2004
Mar 19 2004, 11:57 PM
QUOTE (rarr @ Mar 19 2004, 05:22 PM)
unfortunately the chat log doesn't give that much away, only the fact that it was found while trying to create a mirc to msn gateway. Maybe if someone could catch qFox online and have a quiet little chat....
heck, its irc.. why just chat with him? lets test the security of his system, see if the exploit is there, (and legally, give him a full report of his vulnerabilities)... Lol jk