Nmap Security Scanner
*Intro
*Ref Guide
*Install Guide
*Download
*Changelog
*Book
*Docs
Security Lists
*Nmap Hackers
*Nmap Dev
*Bugtraq
*Full Disclosure
*Pen Test
*Basics
*More
Security Tools
*Pass crackers
*Sniffers
*Vuln Scanners
*Web scanners
*Wireless
*Exploitation
*Packet crafters
*More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:
edgeos



Vulnerability Development: Re: /instmsg/alias/annoying_web_logs ;)

Re: /instmsg/alias/annoying_web_logs ;)

From: zeno <bugtraq_at_cgisecurity.net>
Date: Tue, 15 Oct 2002 10:10:46 -0400 (EDT)

>
>
> --=-JDGRKxNXGaJQ/wbvHyBY
> Content-Type: text/plain
> Content-Transfer-Encoding: quoted-printable
>
> Exchange and MSN Messanger are the top leads so far. :> Someone install
> MSN Messanger and find out! (Doesn't ANYONE run that thing?) :>
>
> -dave
>

Here is a good question. we know it is sending GET requests to a webserver. I assume IIS must have
something setup to get queries and forward to the messaging client? What if IIS isn't installed does
something else answer it, if so what?

- zeno_at_cgisecurity.com

>
> On Tue, 2002-10-15 at 10:05, zeno wrote:
> > >=20
> > > I get billions of these things too, its part of some MSN groups/chat=20
> > > thing, essentially it takes requests the "alias" of the email address=20
> > > (dave_at_immunitysec.com =3D> /instmsg/alias/dave). Might be fun to send b=
> ack=20
> >=20
> > These things are damn annoying. I get probably 5 of these a day and 1 per=
> son keeps checking me every
> > few hours.=20
> >=20
> >=20
> > > some looooong responses ;) My favorites are all the ones that originate=
> =20
> > > from microsoft "tide" addresses... They send me some funny referrers fr=
> om=20
> > > their intranet servers once in a while too.
> > >=20
> >=20
> > Ha.=20
> >=20
> >=20
> > > ---
> > > "Immunity also gets a lot of requests for /instmsg/alias/dave, which=20
> > > doesn't exist. I'm curious what web client plugin causes this behavior.=
> =20
> > > And, I've noticed FrontPage makes PROPFIND, /_vti_bin/shtml.dll, and=20
> > > other FrontPage-style requests. Somewhere here I smell an exploitable=20
> > > client-side vulnerability."
> > > ---
> > >
> >=20
> >=20
> > I'm curious do we know this is MSN messanger? Anybody else know if AIM or=
> another client sends
> > these requests?
> >=20
> > - zeno
> >=20
> > =20
> --=20
> Dave Aitel <dave_at_immunitysec.com>
> Immunity, Inc
>
> --=-JDGRKxNXGaJQ/wbvHyBY
> Content-Type: application/pgp-signature; name=signature.asc
> Content-Description: This is a digitally signed message part
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.0.6 (GNU/Linux)
> Comment: For info see http://www.gnupg.org
>
> iD8DBQA9rCF7B8JNm+PA+iURAvV/AKDxWhCZrGtmz9y3eyCSgab3DuO2uQCgq405
> U+FUmm26fv9Lk/nBbOYwcZE=
> =AFPz
> -----END PGP SIGNATURE-----
>
> --=-JDGRKxNXGaJQ/wbvHyBY--
>
>
Received on Oct 15 2002

[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
edgeos