MS08-001 Vulnerability Explanation by Microsoft

This section explains the MS08-001 vulnerability as described by Microsoft. A system is vulnerable to IGMP attacks if it joins a multicast group other than the all hosts multicast group, 224.0.0.1.

After playing with the "netsh" commands and my "MulticastListener.java" test program, now I think I understand the explanation given in the Microsoft announcement: MS08-001: Vulnerability in TCP/IP could allow remote code execution.

According to this announcement, Windows systems use the following code:

    } else {
        // If all-hosts address, ignore it
        if (IP_ADDR_EQUAL(IQH->igh_addr, ALL_HOST_MCAST)) {
            DEBUGMSG(DBG_WARN && DBG_IGMP,
                (DTEXT("Dropping IGMPv3 query for the All-Hosts group\n")));
            return;
        }

If your computer joins only the all hosts multicast group, 224.0.0.1, it is not vulnerable to IGMP (Internet Group Management Protocol) attacks, because all queries sent to the all hosts multicast group are ignored.

If your computer joins multicast groups other than the all hosts multicast group, 224.0.0.1, it is vulnerable to IGMP attacks.

Two examples were listed in the MS08-001 Vulnerability announcement:

Example 1 - The following Windows system is safe because it joins only the all hosts multicast group, 224.0.0.1:

C:\>netsh int ip show joins

Interface Addr   Multicast Group
---------------  ---------------
10.1.1.1         224.0.0.1

Example 2 - The following Windows system is not safe because it joins a non-all-hosts multicast group, 224.0.1.24, to support WINS (Windows Internet Name Service):

C:\>netsh int ip show joins

Interface Addr   Multicast Group
---------------  ---------------
10.1.1.1         224.0.0.1
10.1.1.1         224.0.1.24
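
The check applied by eye in the two examples above can be scripted over saved "netsh int ip show joins" output. The following is an added example, not code from Microsoft's announcement or from this book; it assumes the two-column layout shown on this page, and the names parse_joins and extra_groups are hypothetical.

```python
import ipaddress
import re
from collections import defaultdict

ALL_HOSTS = ipaddress.IPv4Address("224.0.0.1")

# Constructed samples: the two listings shown on this page.
EXAMPLE_1 = """\
Interface Addr   Multicast Group
---------------  ---------------
10.1.1.1         224.0.0.1
"""
EXAMPLE_2 = EXAMPLE_1 + "10.1.1.1         224.0.1.24\n"

# One data row: two dotted quads separated by whitespace.
ROW = re.compile(r"^\s*(\d+(?:\.\d+){3})\s+(\d+(?:\.\d+){3})\s*$")

def parse_joins(text):
    """Return (interface, group) pairs from the two-column listing."""
    joins = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # header, separator or blank line
        try:
            iface, group = (ipaddress.IPv4Address(g) for g in m.groups())
        except ipaddress.AddressValueError:
            continue  # looks like an address but is not one (e.g. 999.0.0.1)
        if group.is_multicast:
            joins.append((iface, group))
    return joins

def extra_groups(text):
    """Map each interface to the groups it joined besides 224.0.0.1.

    Per the rule stated on this page, a non-empty result means the host
    is in the "not safe" case.
    """
    found = defaultdict(list)
    for iface, group in parse_joins(text):
        if group != ALL_HOSTS:
            found[str(iface)].append(str(group))
    return dict(found)

if __name__ == "__main__":
    for name, listing in (("Example 1", EXAMPLE_1), ("Example 2", EXAMPLE_2)):
        extra = extra_groups(listing)
        print(name, "-", "not safe" if extra else "safe", extra)
```

Rows whose second column is not a multicast address are skipped, so stray lines in a saved capture do not produce false hits.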

But what happens if an application joins a multicast group other than 224.0.0.1? Is the system/application vulnerable to IGMP attacks in this case?

For example, a JBOSS application can join a multicast group at 224.0.0.75 for cluster replication. Is this JBOSS application vulnerable to IGMP attacks?

Last update: 2008.
