MS08-001 - The case of the missing Windows Server 2003 attack vector

Part 3 of our MS08-001 blog post series
<http://blogs.technet.com/swi/archive/2008/01/08/ms08-001-part-3-the-c...
-the-igmp-network-critical.aspx>  mentioned that Windows Server 2003 does
not expose an attack vector to the vulnerable IGMP code execution
vulnerability by default.  Windows XP and Vista enable UPnP (Universal
Plug-and-Play) which exposes an attack vector to the vulnerable code but
Windows Server 2003 does not enable UPnP.  As a result, the WS03 machine
will ignore IGMP messages received from the network.

We have received a few questions about Windows Server 2003's exposure to the
IGMP vulnerability.

Question 1: By default, Win2k3 server joins to multicast group 224.0.0.1
<http://224.0.0.1/> . Does it mean that Win2K3 is vulnerable by default? And
the rating in MSRC bulletin is wrong?

Answer:  The bulletin rating is correct. Win2k3 server is not vulnerable to
IGMP issue when it only joins to 224.0.0.1 <http://224.0.0.1/> .

Observe the netsh command output on a default configuration of Win2K3
server:

 

>netsh int ip show joins

Interface Addr   Multicast Group

---------------  ---------------

10.1.1.1         224.0.0.1 <http://224.0.0.1/>

224.0.0.1 <http://224.0.0.1/>  is all hosts on the subnet. The reason that
win2k3 server is not vulnerable despite being joined to  224.0.0.1
<http://224.0.0.1/>  is because Windows ignores IGMP queries to that
address.  Here's the actual code:

    } else {
      // If all-hosts address, ignore it
      if (IP_ADDR_EQUAL(IQH->igh_addr, ALL_HOST_MCAST)) {
          DEBUGMSG(DBG_WARN && DBG_IGMP,
                    (DTEXT("Dropping IGMPv3 query for the All-Hosts
group/n")));
          return;
      }

Question 2: How can I tell whether my Windows Server 2003 machine is
vulnerable?

Answer: If the server joins to any multicast group other than 224.0.0.1
<http://224.0.0.1/> , then it is vulnerable to IGMP attack.

Using the following netsh command will show the multicast groups to which
the machine is joined.

netsh int ip show joins

For example, if the WINS component is enabled in Win2k3 server, the output
of the netsh command above would be:

Interface Addr   Multicast Group

---------------  ---------------

10.1.1.1         224.0.0.1 <http://224.0.0.1/>  
10.1.1.1 <http://10.1.1.1/>          224.0.1.24 <http://224.0.1.24/>

224.0.1.24 <http://224.0.1.24/>  is IP multicast group for WINS. The
configuration above (if unpatched) is vulnerable to the IGMP attack.

Question 3: Even if a server is not joined to a multicast group other than
224.0.0.1 <http://224.0.0.1/> , could it still be affected if an attacker
sent a *unicast* IGMP packet?

Answer: No. Though the host would receive the unicast IGMP packet, valid
multicast address needs to be contained in IGMP query payload so the packet
would be ignored.

Published Thursday, January 10, 2008 5:00 PM by migrady
<http://blogs.technet.com/user/Profile.aspx?UserID=26018>  

Filed under: IGMP
<http://blogs.technet.com/swi/archive/tags/IGMP/default.aspx> , attack
vector
<http://blogs.technet.com/swi/archive/tags/attack+vector/default.aspx> ,
UPnP <http://blogs.technet.com/swi/archive/tags/UPnP/default.aspx> ,
multicast group
<http://blogs.technet.com/swi/archive/tags/multicast+group/default.aspx> ,
netsh <http://blogs.technet.com/swi/archive/tags/netsh/default.aspx>

[Ph4nt0m]  <http://www.ph4nt0m.org/>

[Ph4nt0m Security Team]

                    <http://blog.ph4nt0m.org/> 刺@ph4nt0m

          Email:  a...@ph4nt0m.org

          PingMe:
<http://cn.pingme.messenger.yahoo.com/webchat/ajax_webchat.php?yid=han...
hq&sig=9ae1bbb1ae99009d8859e88e899ab2d1c2a17724>

          === V3ry G00d, V3ry Str0ng ===

          === Ultim4te H4cking ===

          === XPLOITZ ! ===

          === #_# ===

#If you brave,there is nothing you cannot achieve.#