[NT] Vulnerability in MSN Messenger Allows Information Disclosure (MS04-010)
From: SecuriTeam (support_at_securiteam.com)
Date: 03/10/04
To: list@securiteam.com
Date: 10 Mar 2004 10:52:23 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
Vulnerability in MSN Messenger Allows Information Disclosure (MS04-010)
------------------------------------------------------------------------
SUMMARY
A security vulnerability exists in Microsoft MSN Messenger. The
vulnerability exists because of the method used by MSN Messenger to handle
a file request. An attacker could exploit this vulnerability by sending a
specially crafted request to a user running MSN Messenger. If exploited
successfully, the attacker could view the contents of a file on the hard
drive without the user's knowledge as long as the attacker knew the
location of the file and the user had read access to the file.
To exploit this vulnerability, an attacker would have to know the sign-on
name of the MSN Messenger user in order to send the request.
DETAILS
Affected Software:
* Microsoft MSN Messenger 6.0 - Download the update: <http://messenger.msn.com/>
* Microsoft MSN Messenger 6.1 - Download the update: <http://messenger.msn.com/>
Mitigating factors:
* An attacker must know the sign-on name of the user
* If the user has blocked receiving messages from anonymous users not on
their contact list by placing "All Others" in their block list, the
attacker's messenger account must be on the user's allow list to exploit
the vulnerability.
* The attacker could access files that the user had read access to. If
the user is logged into the computer with restricted privileges this would
limit the files that the attacker could access.
What is the scope of the vulnerability?
This is an Information Disclosure vulnerability. An attacker who
exploited this vulnerability could view the contents of a file on the hard
drive without the user's knowledge if the attacker knew the exact location
of the file.
What causes the vulnerability?
A vulnerability results because of the method used by MSN Messenger to
handle a file request between two MSN Messenger accounts. The method used
to handle the request does not validate certain contents of the request
when creating the session.
What is MSN Messenger?
MSN Messenger is an instant messaging program that allows users to send
instant messages to each other, or create other peer to peer sessions such
as sharing voice, video, or sending files. More information about MSN
Messenger can be found at the following Web site.
What is Windows Messenger?
Windows Messenger is also an instant messaging program that allows similar
functionality to MSN Messenger. Windows XP comes with Windows Messenger,
which remains available even after MSN Messenger 6.1 is installed on a
computer. Windows Messenger can connect to the Communications Service and
Exchange Instant Messaging, which are only used in corporations. More
information about Windows Messenger can be found at the following Web
site.
Does the vulnerability apply to Windows Messenger as well?
No - the vulnerability is unique to the method of validating file requests
utilized by MSN Messenger.
What is wrong with the way that MSN Messenger handles file requests?
The vulnerability results from the way MSN Messenger validates a file
request. It is possible for an attacker to craft a request in such a way
that MSN Messenger could allow the request to view a file on the hard
drive.
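Added example (not part of the original advisory, and not Microsoft's code): a minimal model of the flaw class described above, next to a handler that validates the request before creating the session. The Client class, the request field names, the accounts and the paths are all hypothetical; the real MSN Messenger request format is not given in this bulletin.

```python
from dataclasses import dataclass, field


@dataclass
class Client:
    allow_list: set = field(default_factory=set)
    block_all_others: bool = False   # "All Others" placed on the block list
    offers: dict = field(default_factory=dict)  # (peer, offer_id) -> local path

    def offer_file(self, peer, offer_id, path):
        # Reached only from the local UI, when the user picks a file to send.
        self.offers[(peer, offer_id)] = path

    def handle_unvalidated(self, sender, request):
        # Flawed pattern: the file location comes straight from the request.
        return request["path"]

    def handle_validated(self, sender, request):
        # Hardened pattern: the request may only reference an offer that the
        # local user made to this same sender; it never carries a location.
        if self.block_all_others and sender not in self.allow_list:
            raise PermissionError("sender not on allow list")
        if set(request) != {"offer_id"}:
            raise ValueError("unexpected fields in request")
        try:
            return self.offers[(sender, request["offer_id"])]
        except KeyError:
            raise LookupError("no such offer for this sender") from None


def outcome(client, sender, request):
    """Return the served path, or the name of the rejection raised."""
    try:
        return client.handle_validated(sender, request)
    except (PermissionError, ValueError, LookupError) as exc:
        return type(exc).__name__


# Constructed sample data (accounts and paths are made up).
OFFERED = r"C:\Users\alice\Pictures\holiday.jpg"
PRIVATE = r"C:\Users\alice\Documents\notes.txt"
client = Client(allow_list={"friend@example.com"}, block_all_others=True)
client.offer_file("friend@example.com", "offer-1", OFFERED)

if __name__ == "__main__":
    print(client.handle_unvalidated("stranger@example.com", {"path": PRIVATE}))
    print(outcome(client, "stranger@example.com", {"offer_id": "offer-1"}))
    print(outcome(client, "friend@example.com", {"path": PRIVATE}))
    print(outcome(client, "friend@example.com", {"offer_id": "offer-1"}))
```

The validated handler also enforces the allow-list mitigation listed above before it looks at the request contents.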
Why does this pose a security vulnerability?
The vulnerability could provide a way for an attacker to view confidential
files or view user names or passwords, although the attacker would have no
way to edit or change the files.
What might an attacker use the vulnerability to do?
An attacker who successfully exploited this vulnerability could have read
access to any file the user had access to if the attacker knew the
location of the file. There would not be any indication to the user that
the attacker was attempting to read the files.
Who could exploit the vulnerability?
A user with MSN Messenger and the knowledge of a specific user sign-on
name could seek to exploit the vulnerability.
What does the update do?
The update removes the vulnerability by modifying the handling of file
requests by MSN Messenger.
ADDITIONAL INFORMATION
The information has been provided by qFox, Mephisto and Microsoft Product
Security.
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.