CVE(CAN) ID: CVE-2008-5828
MSN Messenger is the instant-messaging chat client bundled by default with the Windows operating system.
When MSN protocol version 15 (MSNP15) is used over a NAT session, the Windows Live Messenger client allows a remote attacker to discover internal IP addresses and port numbers by reading the Ipv4ExternalAddrsAndPorts and Ipv4InternalAddrsAndPorts header fields.
During a chat session, in addition to the session ID, Call-ID and similar information, MSN also transmits Ipv4ExternalAddrsAndPorts and Ipv4InternalAddrsAndPorts, which carry the public IP address and the peer's private IP address and port respectively. The complete session follows:
MSNMSGR:[email protected] MSNSLP/1.0
To: <msnmsgr:[email protected]>
From: <msnmsgr:[email protected]>
Via: MSNSLP/1.0/TLP ;branch={D4CE435D-8C31-4D80-80EC-576A8294B3B3}
CSeq: 0
Call-ID: {00000000-0000-0000-0000-000000000000}
Max-Forwards: 0
Content-Type: application/x-msnmsgr-transudpswitch
Content-Length: 157
IPv4ExternalAddrsAndPorts: 79.2.165.233:3939
IPv4InternalAddrsAndPorts: 192.168.0.2:3939
SessionID: 729003413
SChannelState: 0
Capabilities-Flags: 1
######A#########g#######g#######¶8»#############INVITE
MSNMSGR:[email protected] MSNSLP/1.0
To: <msnmsgr:[email protected]>
From: <msnmsgr:[email protected]>
Via: MSNSLP/1.0/TLP ;branch={31DB585D-3119-40AF-B02B-3D9BAEF32CD0}
CSeq: 0
Call-ID: {9A68685A-1FCF-86A1-B639-BA769BA9B514}
Max-Forwards: 0
Content-Type: application/x-msnmsgr-transreqbody
Content-Length: 270
Bridges: TRUDPv1 TCPv1 SBBridge TURNv1
NetID: -375061937
Conn-Type: Port-Restrict-NAT
TCP-Conn-Type: Port-Restrict-NAT
UPnPNat: true
ICF: false
Hashed-Nonce: {D8F5EEB9-2568-FAE8-9460-3FF8DB908381}
SessionID: 275007100
SChannelState: 0
Capabilities-Flags: 1
#####MSG 49 D 155
MIME-Version: 1.0
Content-Type: application/x-msnmsgrp2p
P2P-Dest: [email protected]
####_áEu########g#################A#¶8»#g###########ACK 49
MSG 50 D 555
MIME-Version: 1.0
Content-Type: application/x-msnmsgrp2p
P2P-Dest: [email protected]
####^áEu######################ÔùH(############MSNSLP/1.0 200 OK
To: <msnmsgr:[email protected]>
From: <msnmsgr:[email protected]>
Via: MSNSLP/1.0/TLP ;branch={31DB585D-3119-40AF-B02B-3D9BAEF32CD0}
CSeq: 1
Call-ID: {9A68685A-1FCF-86A1-B639-BA769BA9B514}
Max-Forwards: 0
Content-Type: application/x-msnmsgr-transrespbody
Content-Length: 83
Bridge: TCPv1
Listening: false
Nonce: {00000000-0000-0000-0000-000000000000}
#####ACK 50
MSG [email protected] [c=28][i]BBBB[/i][/c] 143
MIME-Version: 1.0
Content-Type: application/x-msnmsgrp2p
P2P-Dest: [email protected]
######A#########################^áEuÔùH(###########MSG [email protected]
[c=28][i]BBB[/i][/c] 815
MIME-Version: 1.0
Content-Type: application/x-msnmsgrp2p
P2P-Dest: [email protected]
######A######### ####### #######àe»#############INVITE
MSNMSGR:[email protected] MSNSLP/1.0
To: <msnmsgr:[email protected]>
From: <msnmsgr:[email protected]>
Via: MSNSLP/1.0/TLP ;branch={5BDF5F91-90FF-4C0F-ACA6-F65A9E30986C}
CSeq: 0
Call-ID: {9A68685A-1FCF-86A1-B639-BA769BA9B514}
Max-Forwards: 0
Content-Type: application/x-msnmsgr-transrespbody
Content-Length: 326
Bridge: TCPv1
Listening: true
Conn-Type: Port-Restrict-NAT
TCP-Conn-Type: Port-Restrict-NAT
Nonce: {2DA8E1E7-CD08-4200-8E62-C2263EAC2D36}
IPv4External-Addrs: 79.2.165.233
IPv4External-Port: 3973
IPv4Internal-Addrs: 192.168.0.2
IPv4Internal-Port: 3973
SessionID: 275007100
SChannelState: 0
Capabilities-Flags: 1
This lets an attacker freely access the router or learn the layout of the internal network.
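As an added defensive example (not part of the original advisory), the following Python parses MSNSLP transport-negotiation messages like the ones in the capture above and reports every advertised endpoint whose address is private (RFC 1918), which is what a capture analyst would flag when checking whether a client discloses internal addressing across the NAT. It handles both header forms seen in the capture: the combined `ip:port` fields (IPv4ExternalAddrsAndPorts / IPv4InternalAddrsAndPorts) and the split fields (IPv4Internal-Addrs / IPv4Internal-Port). The sample messages are constructed from the header values shown in the capture, with the binary P2P framing omitted and the peer account names replaced by the placeholders alice@example.com and bob@example.com; header names are matched case-insensitively because the advisory text and the capture spell them differently.

```python
import ipaddress
import re
from typing import Dict, List, Optional, Tuple

# Header fields of the MSNSLP transport negotiation that carry endpoint
# addresses. The combined form carries "ip:port" in one field; the split form
# carries the address and the port in two separate fields.
COMBINED_ADDR_HEADERS = ("IPv4ExternalAddrsAndPorts", "IPv4InternalAddrsAndPorts")
SPLIT_ADDR_HEADERS = (
    ("IPv4External-Addrs", "IPv4External-Port"),
    ("IPv4Internal-Addrs", "IPv4Internal-Port"),
)

_HEADER_RE = re.compile(r"^([A-Za-z0-9-]+):\s*(.*)$")

# Constructed sample: the transudpswitch INVITE from the capture, combined form.
SAMPLE_INVITE_COMBINED = (
    "INVITE MSNMSGR:bob@example.com MSNSLP/1.0\r\n"
    "To: <msnmsgr:bob@example.com>\r\n"
    "From: <msnmsgr:alice@example.com>\r\n"
    "Content-Type: application/x-msnmsgr-transudpswitch\r\n"
    "IPv4ExternalAddrsAndPorts: 79.2.165.233:3939\r\n"
    "IPv4InternalAddrsAndPorts: 192.168.0.2:3939\r\n"
    "SessionID: 729003413\r\n"
    "\r\n"
)

# Constructed sample: the transrespbody INVITE from the capture, split form.
SAMPLE_INVITE_SPLIT = (
    "INVITE MSNMSGR:bob@example.com MSNSLP/1.0\r\n"
    "Content-Type: application/x-msnmsgr-transrespbody\r\n"
    "Bridge: TCPv1\r\n"
    "Listening: true\r\n"
    "IPv4External-Addrs: 79.2.165.233\r\n"
    "IPv4External-Port: 3973\r\n"
    "IPv4Internal-Addrs: 192.168.0.2\r\n"
    "IPv4Internal-Port: 3973\r\n"
    "\r\n"
)


def parse_headers(message: str) -> Dict[str, str]:
    """Return the header fields of one MSNSLP message as a dict.

    The first line (request or status line) is skipped; parsing stops at the
    first empty line, which ends the header block. Names are stored in lower
    case so lookups are case-insensitive.
    """
    headers: Dict[str, str] = {}
    lines = message.replace("\r\n", "\n").split("\n")
    for line in lines[1:]:
        if line.strip() == "":
            break
        m = _HEADER_RE.match(line)
        if m:
            headers[m.group(1).lower()] = m.group(2).strip()
    return headers


def _split_addr_port(value: str) -> Tuple[Optional[str], Optional[int]]:
    """Split "ip:port" into its parts; return (None, None) if malformed."""
    host, sep, port = value.rpartition(":")
    if not sep or not port.isdigit():
        return None, None
    return host, int(port)


def extract_endpoints(message: str) -> List[Tuple[str, str, int]]:
    """Return (header_name, ip, port) for every address the message advertises."""
    headers = parse_headers(message)
    found: List[Tuple[str, str, int]] = []
    for name in COMBINED_ADDR_HEADERS:
        value = headers.get(name.lower())
        if value:
            # A combined field may list several "ip:port" entries separated by spaces.
            for item in value.split():
                ip, port = _split_addr_port(item)
                if ip is not None and port is not None:
                    found.append((name, ip, port))
    for addr_name, port_name in SPLIT_ADDR_HEADERS:
        ip = headers.get(addr_name.lower())
        port = headers.get(port_name.lower())
        if ip and port and port.isdigit():
            found.append((addr_name, ip, int(port)))
    return found


def find_private_address_leaks(message: str) -> List[Tuple[str, str, int]]:
    """Return the advertised endpoints whose address is private (RFC 1918 etc.).

    An MSNSLP message that advertises such an address to a peer outside the NAT
    discloses internal network layout, which is the issue this advisory describes.
    """
    leaks: List[Tuple[str, str, int]] = []
    for name, ip, port in extract_endpoints(message):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            continue  # malformed address: nothing routable is disclosed
        if addr.is_private:
            leaks.append((name, ip, port))
    return leaks


if __name__ == "__main__":
    for label, msg in (("combined", SAMPLE_INVITE_COMBINED), ("split", SAMPLE_INVITE_SPLIT)):
        for name, ip, port in find_private_address_leaks(msg):
            print(f"{label}: header {name} discloses private endpoint {ip}:{port}")
```

Run against a full capture, the scanner should be fed each message's header block separately (the binary P2P framing between messages has to be stripped first); any hit on an Internal* header in traffic leaving the NAT confirms the disclosure, and the public address in the External* headers is the one the peer would see anyway.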
Affected version: Microsoft Windows Live Messenger 8.5.1
Vendor patch:
The vendor has not yet released a patch or upgrade. We recommend that users of this software watch the vendor's home page for the latest version:
<a href="http://www.microsoft.com/technet/security/" target="_blank">http://www.microsoft.com/technet/security/</a>