Microsoft MSN Messenger IP Address Disclosure Vulnerability

Vulnerability ID: 1184177    Vulnerability type: Information disclosure
Published: 2009-01-02    Updated: 2009-01-02
CVE number: CVE-2008-5828    CNNVD-ID: CNNVD-200901-023
Vulnerability platform: N/A    CVSS score: 5.0
|Vulnerability Sources
https://www.securityfocus.com/bid/84641
https://cxsecurity.com/issue/WLB-2009010118
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200901-023
|Vulnerability Details
MSN Messenger is the instant messaging client bundled by default with the Windows operating system. When MSN protocol version 15 (MSNP15) is used over a NAT session, the Windows Live Messenger client allows a remote attacker to learn internal IP addresses and port numbers by reading the Ipv4ExternalAddrsAndPorts and Ipv4InternalAddrsAndPorts header fields. During a chat session, in addition to the session ID, Cal and other information, MSN also transmits Ipv4ExternalAddrsAndPorts and Ipv4InternalAddrsAndPorts, which carry the public IP address and the private IP address and port of the conversation partner respectively. The full exchange follows:
MSNMSGR:aaaa@hotmail.it MSNSLP/1.0
To:
From: bbbbbb@hotmail.it>
Via: MSNSLP/1.0/TLP;branch={D4CE435D-8C31-4D80-80EC-576A8294B3B3}
CSeq: 0
Call-ID: {00000000-0000-0000-0000-000000000000}
Max-Forwards: 0
Content-Type: application/x-msnmsgr-transudpswitch
Content-Length: 157
IPv4ExternalAddrsAndPorts: 79.2.165.233:3939
IPv4InternalAddrsAndPorts: 192.168.0.2:3939
SessionID: 729003413
SChannelState: 0
Capabilities-Flags: 1
######A#########g#######g#######¶8»#############INVITE
MSNMSGR:aaa@hotmail.it MSNSLP/1.0
To:
From: bbbb@hotmail.it>
Via: MSNSLP/1.0/TLP;branch={31DB585D-3119-40AF-B02B-3D9BAEF32CD0}
CSeq: 0
Call-ID: {9A68685A-1FCF-86A1-B639-BA769BA9B514}
Max-Forwards: 0
Content-Type: application/x-msnmsgr-transreqbody
Content-Length: 270
Bridges: T
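As an added example (not code from the CNNVD entry or from the original advisory), the following Python script parses MSNSLP transport-negotiation messages of the kind captured above and reports any private (RFC 1918) address carried in the IPv4Internal* body fields. That is the observable a defender monitoring MSNP15 traffic on a NAT'd network would alert on: a private address arriving from a remote peer means that peer's internal addressing has crossed its NAT boundary. The field names are the ones in the capture; the sample messages, the `example.invalid` accounts and the session values are constructed for the example, with the two addresses taken from the capture.

```python
import ipaddress
import re

# Body fields that carry addresses, named as in the advisory's capture.
ADDR_PORT_FIELDS = ("IPv4ExternalAddrsAndPorts", "IPv4InternalAddrsAndPorts")
ADDR_FIELDS = {"IPv4External-Addrs": "IPv4External-Port",
               "IPv4Internal-Addrs": "IPv4Internal-Port"}

_FIELD = re.compile(r"^([A-Za-z0-9-]+):\s*(.*)$")


def _fields(lines):
    """Parse 'Name: value' lines into a dict; anything else (binary junk) is skipped."""
    out = {}
    for line in lines:
        m = _FIELD.match(line.strip())
        if m:
            out[m.group(1)] = m.group(2).strip()
    return out


def parse_msnslp(message):
    """Split one MSNSLP message into (start line, headers, body fields).

    MSNSLP is laid out like SIP: start line, header lines, blank line, body.
    In the trans* negotiation messages the body is itself 'Name: value' lines.
    """
    text = message.replace("\r\n", "\n").strip("\n")
    head, _, body = text.partition("\n\n")
    head_lines = head.split("\n")
    return head_lines[0], _fields(head_lines[1:]), _fields(body.split("\n"))


def address_fields(message):
    """Yield (field, ip string, port or None) for every address in the body."""
    _, _, body = parse_msnslp(message)
    for field, value in body.items():
        if field in ADDR_PORT_FIELDS:
            for entry in value.split():          # may list several 'ip:port'
                ip_str, _, port = entry.rpartition(":")
                yield field, ip_str, int(port) if port.isdigit() else None
        elif field in ADDR_FIELDS:
            port = body.get(ADDR_FIELDS[field], "")
            yield field, value, int(port) if port.isdigit() else None


def leaked_private_addresses(message):
    """Return [(field, ip, port)] for every private address found in the body."""
    leaks = []
    for field, ip_str, port in address_fields(message):
        try:
            ip = ipaddress.ip_address(ip_str)
        except ValueError:
            continue                             # garbled or non-address value
        if ip.is_private:                        # RFC 1918, loopback, link-local
            leaks.append((field, str(ip), port))
    return leaks


# Constructed samples modelled on the advisory's capture; the addresses are the
# ones shown there, the accounts and session values are placeholders.
SAMPLE_TRANSUDPSWITCH = """INVITE MSNMSGR:aaaa@example.invalid MSNSLP/1.0
To: <msnmsgr:aaaa@example.invalid>
From: <msnmsgr:bbbbbb@example.invalid>
Via: MSNSLP/1.0/TLP ;branch={D4CE435D-8C31-4D80-80EC-576A8294B3B3}
CSeq: 0
Call-ID: {00000000-0000-0000-0000-000000000000}
Max-Forwards: 0
Content-Type: application/x-msnmsgr-transudpswitch
Content-Length: 157

IPv4ExternalAddrsAndPorts: 79.2.165.233:3939
IPv4InternalAddrsAndPorts: 192.168.0.2:3939
SessionID: 729003413
SChannelState: 0
Capabilities-Flags: 1
"""

SAMPLE_TRANSRESPBODY = """INVITE MSNMSGR:aaaa@example.invalid MSNSLP/1.0
Content-Type: application/x-msnmsgr-transrespbody
Content-Length: 326

Bridge: TCPv1
Listening: true
IPv4External-Addrs: 79.2.165.233
IPv4External-Port: 3973
IPv4Internal-Addrs: 192.168.0.2
IPv4Internal-Port: 3973
SessionID: 275007100
"""

if __name__ == "__main__":
    for name, msg in (("transudpswitch", SAMPLE_TRANSUDPSWITCH),
                      ("transrespbody", SAMPLE_TRANSRESPBODY)):
        for field, ip, port in leaked_private_addresses(msg):
            print(f"{name}: private address leaked in {field}: {ip}:{port}")
```

Both body layouts seen in the capture are handled: the combined `ip:port` form of the transudpswitch message and the split `-Addrs`/`-Port` pairs of the Bridge response. The public external address is parsed but not reported, since only the internal address is information the NAT was supposed to hide.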
|Vulnerability EXP
MSN Messenger bug

Release Date:

10/12/2008

Versions Affected:

MSN Messenger 8.5.1
-------------------------------
Description :

The MSNP15 protocol of the Windows Live Messenger 8.5.1 client transmits
information about the public and private IP address. Everything happens
during a conversation that starts with someone in our contact list.

By analyzing the conversation with Wireshark, it can be noted that in
addition to passing information such as the sessionid, the Cal and the
Ringing, it also passes Ipv4ExternalAddrsAndPorts and
Ipv4InternalAddrsAndPorts. Ipv4ExternalAddrsAndPorts indicates the
public IP address with its port; Ipv4InternalAddrsAndPorts
indicates the private IP address and logical port of our interlocutor.
This happens because the server fails to properly manage the various NAT
clients. That is, the server should send its own IP to the other client, not
that of the client you are talking to.

Here is a portion of the frame concerned:

MSNMSGR:aaaa (at) hotmail (dot) it MSNSLP/1.0
To: <msnmsgr:aaaa (at) hotmail (dot) it>
From: <msnmsgr:bbbbbb (at) hotmail (dot) it>
Via: MSNSLP/1.0/TLP ;branch={D4CE435D-8C31-4D80-80EC-576A8294B3B3}
CSeq: 0
Call-ID: {00000000-0000-0000-0000-000000000000}
Max-Forwards: 0
Content-Type: application/x-msnmsgr-transudpswitch
Content-Length: 157

IPv4ExternalAddrsAndPorts: 79.2.165.233:3939
IPv4InternalAddrsAndPorts: 192.168.0.2:3939
SessionID: 729003413
SChannelState: 0
Capabilities-Flags: 1

We can also note that the Bridge part of the exchange carries a
summary of the fields of our interlocutor.
This is the second part of the frame concerned:

Bridge: TCPv1
Listening: true
Conn-Type: Port-Restrict-NAT
TCP-Conn-Type: Port-Restrict-NAT
Nonce: {2DA8E1E7-CD08-4200-8E62-C2263EAC2D36}
IPv4External-Addrs: 79.2.165.233
IPv4External-Port: 3973
IPv4Internal-Addrs: 192.168.0.2
IPv4Internal-Port: 3973
SessionID: 275007100
SChannelState: 0
Capabilities-Flags: 1

Here is the full frame of the conversation:

MSNMSGR:aaaa (at) hotmail (dot) it MSNSLP/1.0
To: <msnmsgr:aaaa (at) hotmail (dot) it>
From: <msnmsgr:bbbbbb (at) hotmail (dot) it>
Via: MSNSLP/1.0/TLP ;branch={D4CE435D-8C31-4D80-80EC-576A8294B3B3}
CSeq: 0
Call-ID: {00000000-0000-0000-0000-000000000000}
Max-Forwards: 0
Content-Type: application/x-msnmsgr-transudpswitch
Content-Length: 157

IPv4ExternalAddrsAndPorts: 79.2.165.233:3939
IPv4InternalAddrsAndPorts: 192.168.0.2:3939
SessionID: 729003413
SChannelState: 0
Capabilities-Flags: 1

######A#########g#######g#######?8?#############INVITE
MSNMSGR:aaa (at) hotmail (dot) it MSNSLP/1.0
To: <msnmsgr:aaaa (at) hotmail (dot) it>
From: <msnmsgr:bbbb (at) hotmail (dot) it>
Via: MSNSLP/1.0/TLP ;branch={31DB585D-3119-40AF-B02B-3D9BAEF32CD0}
CSeq: 0
Call-ID: {9A68685A-1FCF-86A1-B639-BA769BA9B514}
Max-Forwards: 0
Content-Type: application/x-msnmsgr-transreqbody
Content-Length: 270

Bridges: TRUDPv1 TCPv1 SBBridge TURNv1
NetID: -375061937
Conn-Type: Port-Restrict-NAT
TCP-Conn-Type: Port-Restrict-NAT
UPnPNat: true
ICF: false
Hashed-Nonce: {D8F5EEB9-2568-FAE8-9460-3FF8DB908381}
SessionID: 275007100
SChannelState: 0
Capabilities-Flags: 1

#####MSG 49 D 155
MIME-Version: 1.0
Content-Type: application/x-msnmsgrp2p
P2P-Dest: bbbb (at) hotmail (dot) it

####_??Eu########g#################A#?8?#g###########ACK 49
MSG 50 D 555
MIME-Version: 1.0
Content-Type: application/x-msnmsgrp2p
P2P-Dest: bbbb (at) hotmail (dot) it

####^??Eu########&#144;#######&#144;#######????H(############MSNSLP/1.0 200 OK
To: <msnmsgr:bbbbb (at) hotmail (dot) it>
From: <msnmsgr:aaaa (at) hotmail (dot) it>
Via: MSNSLP/1.0/TLP ;branch={31DB585D-3119-40AF-B02B-3D9BAEF32CD0}
CSeq: 1
Call-ID: {9A68685A-1FCF-86A1-B639-BA769BA9B514}
Max-Forwards: 0
Content-Type: application/x-msnmsgr-transrespbody
Content-Length: 83

Bridge: TCPv1
Listening: false
Nonce: {00000000-0000-0000-0000-000000000000}

#####ACK 50
MSG bbbb (at) hotmail (dot) it [c=28][i]BBBB[/i][/c] 143
MIME-Version: 1.0
Content-Type: application/x-msnmsgrp2p
P2P-Dest: aaa (at) hotmail (dot) it

######A#########################^??Eu????H(&#144;###########MSG bbbb (at) hotmail (dot) it
[c=28][i]BBB[/i][/c] 815
MIME-Version: 1.0
Content-Type: application/x-msnmsgrp2p
P2P-Dest: aaaa (at) hotmail (dot) it

######A######### ####### #######?e?#############INVITE
MSNMSGR:aaaa (at) hotmail (dot) it MSNSLP/1.0
To: <msnmsgr:aaa (at) hotmail (dot) it>
From: <msnmsgr:bbbb (at) hotmail (dot) it>
Via: MSNSLP/1.0/TLP ;branch={5BDF5F91-90FF-4C0F-ACA6-F65A9E30986C}
CSeq: 0
Call-ID: {9A68685A-1FCF-86A1-B639-BA769BA9B514}
Max-Forwards: 0
Content-Type: application/x-msnmsgr-transrespbody
Content-Length: 326

Bridge: TCPv1
Listening: true
Conn-Type: Port-Restrict-NAT
TCP-Conn-Type: Port-Restrict-NAT
Nonce: {2DA8E1E7-CD08-4200-8E62-C2263EAC2D36}
IPv4External-Addrs: 79.2.165.233
IPv4External-Port: 3973
IPv4Internal-Addrs: 192.168.0.2
IPv4Internal-Port: 3973
SessionID: 275007100
SChannelState: 0
Capabilities-Flags: 1

An attacker could have free access to the router or network
and commit illegal actions or damage other networks.

------------------------------------
Possible fix/workaround:
This bug could be resolved on the server that handles NAT for the
MSNP15 protocol, possibly by creating a new protocol that does not cause
problems of this kind.

--------------------------------------
This bug was discovered using Pidgin 2.2.0 installed on the
Slackware 12.0 Linux distribution, during various conversations with
users of Windows Live Messenger 8.1 and 8.5.

Please send suggestions or comments to:

carmelobrancato (at) libero (dot) it
|Affected Products
Microsoft Windows Live Messenger 8.5 Microsoft Windows Live Messenger 8.1 Microsoft Windows Live Messenger 8.0
|References

Source: BUGTRAQ
Name: 20081229 MSN messenger sends IP addresses Public and Private
Link: http://www.securityfocus.com/archive/1/archive/1/499624/100/0/threaded
Source: SREASON
Name: 4862
Link: http://securityreason.com/securityalert/4862