Home page logo

basics logo Security Basics mailing list archives

Re: Windows Messenger Pop-up spam
From: Ansgar -59cobalt- Wiechers <bugtraq () planetcobalt net>
Date: Tue, 7 Dec 2004 22:02:06 +0100

On 2004-12-06 Steven Trewick wrote:
On 2004-12-03 H Carvey wrote:
Which will merely have lulled them into a false sense of security,
since the traffic is still making it to their IP stack. For windows
boxen, this is almost as good as "game over"

You may want to give at least one reason for this opinion.

I, too, would like to see something to support this statement.  

"Game over", how?  Sure, the traffic still makes it to the IP stack,
I agree...but how does this result in "game over" with respect to
Messenger spam?  Turn the Messenger service off and there's nothing
there to handle the input...end of story. *That's* "game over".  

Harlan, as you well know, there are *many* other things listening
to/on the subset of ports used by messenger spam, turning off the
messenger service in no way blinds/deafens the *rest* of the RPC
subsystem, where $DEITY knows how many vulns have been (and remain to
be) discovered.

True. However, that has nothing to do with either messenger spam or
"packets making it to the IP stack" but with other services still
listening on that specific port. Remove each service you don't need and
you won't have a problem with "packets making it to the IP stack".

Simply turning off the service in no way increases the security of the
machine, because those ports and the multiplicity of services that use
them will still be exposed, quite obviously.

I have to disagree partially. Disabling a single services does not
increase security, but disabling *all* unneeded services sure does.

Anyone sufficently addled as to run a machine exposed in this way is
also extremely unlikely to be patched up the eyeballs, thus we have
exposed *and* vulnerable services.  Thus it will be game over when the
first worm reaches the machine.

Of course. But that's PEBKAC, not a problem with the IP stack.

As a rough guide, the last time I saw someone connect a box so
configured to the internet, it took less than five minutes to succumb
to some variety of lsass exploit, which will have arrived via those
exact same ports (135/9, 445, et al)

True. Thats why www.ntsvcfg.de exists.

Ansgar Wiechers
"Those who would give up liberty for a little temporary safety
deserve neither liberty nor safety, and will lose both."
--Benjamin Franklin

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]