[unisog] windows networking and udp 1026

Bradley Ellis Bradley.Ellis at its.monash.edu.au
Thu Dec 4 00:54:58 GMT 2003


Hi All,

I think this service can also exist on ports lower than 1026 -
1025 is certainly a possibility (I'm sure some advertisers 
looked for Messenger on port 1025 when they were sending 
stuff to us.), 1024 may also be a possibility. At the other 
end (1050 or above), I'm guessing the port number allocated
is the result of where messenger starts in relation to
other services using the network (or if it's restarted).
The difficulty this presents is that blocking inbound
udp can be a pain unless your firewall supports some
"session control" for udp - eg. Clients can initiate
a stream and the server can respond for up to 20 seconds
after the last send by a client, on the up side of this,
relatively few applications seem to use udp ports 1024-1050.

As far as a worm being crafted using this vulnerability,
to me that is a real possibility. The difference between
"sql ping" and messenger is that messenger runs by default 
on every NT, W2K and XP system - not just those with
MSDE or MS SQL. This gives a worm writer a much bigger 
number of potential targets than the SQL 
Slammer/Sapphire worm had. From memory Sapphire
compromised about 90,000 hosts in about 10 minutes from 
release, a worm based on this hole could be substantially 
more than that.

Looking to the future, W2K3 Server has disabled the service 
by default, hopefully this will be done in service packs for 
current versions. Eg. Windows XP with SP2 when installed 
doesn't enable the Messenger service by default.

Regards,
Brad.
--
Bradley Ellis
Senior IT Security Officer, Infrastructure Services
Information Technology Services, Monash University - Clayton
Phone:  9905 1383
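
Added example (not part of the original post, and not any firewall vendor's code): a minimal model of the UDP "session control" described above, where an inbound datagram is accepted only as a reply to a flow an internal client opened, and only within 20 seconds of that client's last send. The class and function names, the addresses (documentation ranges) and the sample trace are constructed for illustration; refreshing the timer on client sends only is an assumption taken from the post's wording.

```python
from typing import NamedTuple

IDLE_TIMEOUT = 20.0  # seconds after the client's last send (figure from the post)

class Packet(NamedTuple):
    ts: float        # arrival time in seconds
    direction: str   # "out" = sent by an internal client, "in" = from outside
    src: tuple       # (ip, port)
    dst: tuple       # (ip, port)

class UdpSessionTable:
    """Tracks pseudo-sessions for a connectionless protocol."""
    def __init__(self, timeout=IDLE_TIMEOUT):
        self.timeout = timeout
        self.last_send = {}  # (client, server) -> time of last outbound datagram

    def allow(self, pkt):
        if pkt.direction == "out":
            # A client send opens or refreshes the flow.
            self.last_send[(pkt.src, pkt.dst)] = pkt.ts
            return True
        # Inbound: must mirror a flow the client opened, and be recent enough.
        key = (pkt.dst, pkt.src)
        sent = self.last_send.get(key)
        if sent is not None and pkt.ts - sent <= self.timeout:
            return True
        self.last_send.pop(key, None)  # expired or never existed
        return False

def filter_trace(packets, timeout=IDLE_TIMEOUT):
    """Return one allow/drop decision per packet, in order."""
    table = UdpSessionTable(timeout)
    return [table.allow(p) for p in packets]

# Constructed sample trace.
CLIENT = ("192.0.2.10", 1031)
RESOLVER = ("198.51.100.53", 53)
OUTSIDER = ("203.0.113.77", 40000)
MESSENGER = ("192.0.2.10", 1026)   # listener that never sent anything out

TRACE = [
    Packet(0.0, "out", CLIENT, RESOLVER),    # client opens the flow
    Packet(0.2, "in", RESOLVER, CLIENT),     # reply inside the window
    Packet(5.0, "in", OUTSIDER, MESSENGER),  # unsolicited datagram to udp/1026
    Packet(19.9, "in", RESOLVER, CLIENT),    # still inside 20 s of last send
    Packet(20.5, "in", RESOLVER, CLIENT),    # window has expired
    Packet(21.0, "in", OUTSIDER, CLIENT),    # open port, but wrong remote peer
]

if __name__ == "__main__":
    for pkt, ok in zip(TRACE, filter_trace(TRACE)):
        print(f"{pkt.ts:5.1f}s {pkt.direction:3} {pkt.src} -> {pkt.dst}: "
              f"{'allow' if ok else 'drop'}")
```

The unsolicited datagram to udp/1026 is dropped without a port-specific rule, because no internal host ever opened that flow.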