[unisog] windows networking and udp 1026
Bradley.Ellis at its.monash.edu.au
Thu Dec 4 00:54:58 GMT 2003
I think this service can also exist on ports lower than 1026 -
1025 is certainly a possibility (I'm sure some advertisers
looked for Messenger on port 1025 when they were sending
stuff to us), 1024 may also be a possibility. At the other
end (1050 or above), I'm guessing the port number allocated
is the result of where messenger starts in relation to
other services using the network (or if it's restarted).

The difficulty this presents is that blocking inbound
udp can be a pain unless your firewall supports some
"session control" for udp - e.g. clients can initiate
a stream and the server can respond for up to 20 seconds
after the last send by a client. On the up side of this,
relatively few applications seem to use udp ports 1024-1050.

As far as a worm being crafted using this vulnerability,
to me that is a real possibility. The difference between
"sql ping" and messenger is that messenger runs by default
on every NT, W2K and XP system - not just those with
MSDE or MS SQL. This gives a worm writer a much bigger
number of potential targets than the SQL
Slammer/Sapphire worm had. From memory Sapphire
compromised about 90,000 hosts in about 10 minutes from
release, a worm based on this hole could be substantially
more than that.

Looking to the future, W2K3 Server has disabled the service
by default; hopefully this will be done in service packs for
current versions. E.g. Windows XP with SP2, when installed,
doesn't enable the Messenger service by default.
Senior IT Security Officer, Infrastructure Services
Information Technology Services, Monash University - Clayton
Phone: 9905 1383
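
The UDP "session control" behaviour described in the message, as an added example that is not part of the original post: a small model of a stateful filter that admits inbound UDP only as a reply to a flow a client opened, for up to 20 seconds after the client's last send. The class name, addresses and sample traffic are constructed for illustration.

```python
from dataclasses import dataclass, field

IDLE_TIMEOUT = 20.0  # seconds; the figure used in the message above


@dataclass
class UdpSessionFilter:
    """Allow inbound UDP only as a reply to a recent outbound datagram."""
    timeout: float = IDLE_TIMEOUT
    # (inside_ip, inside_port, outside_ip, outside_port) -> time of last client send
    flows: dict = field(default_factory=dict)

    def outbound(self, now, src, sport, dst, dport):
        self.flows[(src, sport, dst, dport)] = now  # create or refresh the flow
        return "ALLOW"

    def inbound(self, now, src, sport, dst, dport):
        key = (dst, dport, src, sport)  # mirror of the outbound 4-tuple
        last = self.flows.get(key)
        if last is None:
            return "DROP"  # unsolicited: no client ever sent to this peer/port
        if now - last > self.timeout:
            del self.flows[key]  # idle too long, forget the flow
            return "DROP"
        return "ALLOW"


# Constructed sample traffic (documentation addresses), not captured data.
SAMPLE = [
    (0.0, "out", "10.0.0.5", 1030, "192.0.2.53", 53),     # client DNS query
    (0.2, "in", "192.0.2.53", 53, "10.0.0.5", 1030),      # matching reply
    (5.0, "in", "203.0.113.9", 4000, "10.0.0.5", 1026),   # unsolicited to 1026
    (6.0, "in", "192.0.2.53", 53, "10.0.0.5", 1026),      # known peer, wrong port
    (19.0, "out", "10.0.0.5", 1030, "192.0.2.53", 53),    # client sends again
    (38.0, "in", "192.0.2.53", 53, "10.0.0.5", 1030),     # 19 s after last send
    (40.0, "in", "192.0.2.53", 53, "10.0.0.5", 1030),     # 21 s after last send
]


def replay(events, fw=None):
    fw = fw or UdpSessionFilter()
    verdicts = []
    for now, direction, src, sport, dst, dport in events:
        handler = fw.outbound if direction == "out" else fw.inbound
        verdicts.append(handler(now, src, sport, dst, dport))
    return verdicts


if __name__ == "__main__":
    for event, verdict in zip(SAMPLE, replay(SAMPLE)):
        print(verdict, event)
```

The timer is refreshed only by client sends, so a reply arriving more than 20 seconds after the last outbound datagram is dropped even if earlier replies on the same flow were accepted.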