Possible hole in Win XP MS Client networking

From: Daniel Swarbrick (daniel@pressure.net.nz)
Date: 12/25/01


From: "Daniel Swarbrick" <daniel@pressure.net.nz>
To: <bugtraq@securityfocus.com>
Date: Tue, 25 Dec 2001 18:09:02 +1300

Hi, I hope this is the correct contact for this kind of thing.

I've just had somebody drop Nimda viruses on my Windows XP Pro
workstation from Korea. Here's how it happened.

I had a Windows share on a FAT32 drive, which granted read/write to
Everybody (I know, bad practice, but it was just a temporary "Incoming"
directory from a file swap session with a friend a few nights ago). I
noticed my modem lights going, even though I was not downloading
anything at the time. At that moment, Norton Antivirus started popping
up warnings about Nimda viruses in .EML files in the shared directory. I
suspected my friend's files had come with a little extra bonus, so went
to check the directory myself. I couldn't find more than one .EML file
at a time (as NAV kept moving them to quarantine), but new ones kept
arriving. That's when I clicked as to what was happening, and ran
netstat from a DOS window.

Netstat revealed an ESTABLISHED connection from a host in Korea to the
microsoft-ds service on my machine. It also showed a TIME_WAIT
connection to windowsupdate.microsoft.com, although I had not been to
that site - possibly unrelated, as Windows does tend to phone home a
bit. Anyway, I promptly stopped sharing the directory, and disconnected
from the Internet, reconnecting in order to get a new IP.

I then checked my network configuration, and double-checked that Client
for Microsoft Networks was not bound to my modem, which indeed it
wasn't. Now I don't run the XP firewall for my dialup connection, but
how is it that a connection can be made to a service that is not bound
to the dialup adapter?

Is this a hole? Can you guys perhaps replicate the condition and see if
it is? My machine has all the current critical updates applied from
Windows update.

Any other information you might need, I will try to supply.
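Added example (not part of Daniel's message or of any Microsoft tool): a small Python script that parses the kind of `netstat -an` output he ran and pulls out two things a defender wants to see in this situation: SMB listeners bound to the wildcard address 0.0.0.0 (reachable on every interface, a dialup adapter included) and ESTABLISHED sessions on TCP 445 (microsoft-ds) or TCP 139 (NetBIOS session) whose peer lies outside the RFC 1918 private ranges. The netstat sample and all addresses in it are constructed for the example; the function names are mine.

```python
"""Flag wildcard SMB listeners and externally-sourced SMB sessions in netstat output.

Added example. Input is the text of `netstat -an` as printed by Windows;
the sample below is constructed, not the poster's real output.
"""
import ipaddress
import re

# Windows file-sharing ports: 445 = microsoft-ds (SMB direct over TCP),
# 139 = NetBIOS session service (SMB over NetBT).
SMB_PORTS = {139, 445}

# Address ranges treated as "local": RFC 1918 private space, loopback,
# link-local and the unspecified address. Anything else is external.
LOCAL_NETS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
              "127.0.0.0/8", "169.254.0.0/16", "0.0.0.0/32")
]

# Constructed sample resembling the output described in the post.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    192.0.2.10:445         203.0.113.77:2034      ESTABLISHED
  TCP    192.0.2.10:1045        198.51.100.5:80        TIME_WAIT
  TCP    192.168.1.5:445        192.168.1.7:1102       ESTABLISHED
  UDP    0.0.0.0:137            *:*
"""

# One TCP row: proto, local ip:port, foreign ip:port, state.
TCP_LINE = re.compile(
    r"^\s*TCP\s+(?P<laddr>[\d.]+):(?P<lport>\d+)\s+"
    r"(?P<faddr>[\d.]+):(?P<fport>\d+)\s+(?P<state>\S+)\s*$"
)


def parse_tcp_lines(text):
    """Return a list of dicts for every TCP row; headers and UDP rows are skipped."""
    rows = []
    for line in text.splitlines():
        m = TCP_LINE.match(line)
        if m:
            rows.append({
                "laddr": m["laddr"], "lport": int(m["lport"]),
                "faddr": m["faddr"], "fport": int(m["fport"]),
                "state": m["state"],
            })
    return rows


def is_external(addr):
    """True when addr is outside every range in LOCAL_NETS."""
    ip = ipaddress.ip_address(addr)
    return not any(ip in net for net in LOCAL_NETS)


def smb_listeners(text):
    """(local address, port) for every LISTENING socket on an SMB port.

    A local address of 0.0.0.0 means the service accepts connections on
    all interfaces, whatever the per-adapter client bindings say.
    """
    return [(r["laddr"], r["lport"]) for r in parse_tcp_lines(text)
            if r["state"] == "LISTENING" and r["lport"] in SMB_PORTS]


def exposed_smb_sessions(text):
    """(peer ip, peer port, local port, state) for ESTABLISHED SMB sessions from external peers."""
    return [(r["faddr"], r["fport"], r["lport"], r["state"])
            for r in parse_tcp_lines(text)
            if r["lport"] in SMB_PORTS and r["state"] == "ESTABLISHED"
            and is_external(r["faddr"])]


if __name__ == "__main__":
    for addr, port in smb_listeners(SAMPLE_NETSTAT):
        print(f"SMB listener on {addr}:{port}" +
              ("  <- wildcard, reachable on every interface" if addr == "0.0.0.0" else ""))
    for peer, pport, lport, state in exposed_smb_sessions(SAMPLE_NETSTAT):
        print(f"external SMB session: {peer}:{pport} -> local port {lport} ({state})")
```

To use it on a real box, save `netstat -an` to a file and pass its contents to the two functions. The split between the functions mirrors the question in the post: the adapter binding he checked belongs to Client for Microsoft Networks (the SMB redirector, i.e. the client side), while a share is served by File and Printer Sharing, so the listener list, not the client binding, is what tells you whether the share is reachable from the dialup interface.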
