[NT] Vulnerability in MSN Messenger Allows Information Disclosure (MS04-010)

From: SecuriTeam (support_at_securiteam.com)
Date: 03/10/04

    To: list@securiteam.com
    Date: 10 Mar 2004 10:52:23 +0200
    
    

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

      Vulnerability in MSN Messenger Allows Information Disclosure (MS04-010)
    ------------------------------------------------------------------------

    SUMMARY

    A security vulnerability exists in Microsoft MSN Messenger. The
    vulnerability exists because of the method used by MSN Messenger to handle
    a file request. An attacker could exploit this vulnerability by sending a
    specially crafted request to a user running MSN Messenger. If exploited
    successfully, the attacker could view the contents of a file on the hard
    drive without the user's knowledge as long as the attacker knew the
    location of the file and the user had read access to the file.

    To exploit this vulnerability, an attacker would have to know the sign-on
    name of the MSN Messenger user in order to send the request.

    DETAILS

    Affected Software:
     * Microsoft MSN Messenger 6.0 - Download the update:
    <http://messenger.msn.com/>

     * Microsoft MSN Messenger 6.1 - Download the update:
    <http://messenger.msn.com/>

    Mitigating factors:
     * An attacker must know the sign-on name of the user

     * If the user has blocked receiving messages from anonymous users not on
    their contact list by placing "All Others" in their block list, the
    attacker's messenger account must be on the user's allow list to exploit
    the vulnerability.

     * The attacker could access files that the user had read access to. If
    the user is logged into the computer with restricted privileges this would
    limit the files that the attacker could access.

    What is the scope of the vulnerability?
    This is an Information Disclosure vulnerability. An attacker who
    exploited this vulnerability could view the contents of a file on the hard
    drive without the user's knowledge if the attacker knew the exact location
    of the file.

    What causes the vulnerability?
    A vulnerability results because of the method used by MSN Messenger to
    handle a file request between two MSN Messenger accounts. The method used
    to handle the request does not validate certain contents of the request
    when creating the session.

    What is MSN Messenger?
    MSN Messenger is an instant messaging program that allows users to send
    instant messages to each other, or create other peer-to-peer sessions such
    as sharing voice, video, or sending files. More information about MSN
    Messenger can be found at the following Web site.

    What is Windows Messenger?
    Windows Messenger is also an instant messaging program that allows similar
    functionality to MSN Messenger. Windows XP comes with Windows Messenger,
    which remains available even after MSN Messenger 6.1 is installed on a
    computer. Windows Messenger can connect to the Communications Service and
    Exchange Instant Messaging, which are only used in corporations. More
    information about Windows Messenger can be found at the following Web
    site.

    Does the vulnerability apply to Windows Messenger as well?
    No - the vulnerability is unique to the method of validating file requests
    utilized by MSN Messenger.

    What is wrong with the way that MSN Messenger handles file requests?
    The vulnerability results from the way MSN Messenger validates a file
    request. It is possible for an attacker to craft a request in such a way
    that MSN Messenger could allow the request to view a file on the hard
    drive.

    Why does this pose a security vulnerability?
    The vulnerability could provide a way for an attacker to view confidential
    files or view user names or passwords, although the attacker would have no
    way to edit or change the files.

    What might an attacker use the vulnerability to do?
    An attacker who successfully exploited this vulnerability could have read
    access to any file the user had access to if the attacker knew the
    location of the file. There would not be any indication to the user that
    the attacker was attempting to read the files.

    Who could exploit the vulnerability?
    A user with MSN Messenger and knowledge of a specific user's sign-on
    name could seek to exploit the vulnerability.

    What does the update do?
    The update removes the vulnerability by modifying the handling of file
    requests by MSN Messenger.

    ADDITIONAL INFORMATION

    The information has been provided by qFox, Mephisto and Microsoft Product
    Security.
