Windows Security Tutorials - Herong's Tutorial Examples - v3.01, by Dr. Herong Yang
MS08-001 Vulnerability Explanation by Microsoft
This section explains the MS08-001 vulnerability as described by Microsoft. A system is vulnerable to IGMP attacks if it joins a multicast group other than the all hosts multicast group, 224.0.0.1.
After playing with the "netsh" commands and my "MulticastListener.java" test program, now I think I understand the explanation given in the Microsoft announcement: MS08-001: Vulnerability in TCP/IP could allow remote code execution.
According to this announcement, Windows systems are using the following code:
    } else {
        // If all-hosts address, ignore it
        if (IP_ADDR_EQUAL(IQH->igh_addr, ALL_HOST_MCAST)) {
            DEBUGMSG(DBG_WARN && DBG_IGMP,
                (DTEXT("Dropping IGMPv3 query for the All-Hosts group\n")));
            return;
        }
If your computer joins only the all hosts multicast group, 224.0.0.1, it is safe from (not vulnerable to) IGMP (Internet Group Management Protocol) attacks, because all queries sent to the all hosts multicast group will be ignored.
If your computer joins multicast groups other than the all hosts multicast group, 224.0.0.1, it is not safe from (it is vulnerable to) IGMP attacks.
Two examples were listed in the MS08-001 Vulnerability announcement:
Example 1 - The following Windows system is safe because it joins only the all hosts multicast group, 224.0.0.1:
    C:\>netsh int ip show joins

    Interface Addr   Multicast Group
    ---------------  ---------------
    10.1.1.1         224.0.0.1
Example 2 - The following Windows system is not safe because it joins a group other than the all hosts multicast group, 224.0.1.24, to support WINS (Windows Internet Name Service):
    C:\>netsh int ip show joins

    Interface Addr   Multicast Group
    ---------------  ---------------
    10.1.1.1         224.0.0.1
    10.1.1.1         224.0.1.24
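The check described by the two examples can be automated over captured "netsh int ip show joins" output. The following Python script is an added example, not code from this tutorial or from Microsoft's announcement; the function names and the embedded sample text are constructed for illustration, and it assumes the two-column layout shown in the examples above.

```python
import ipaddress
import re
from collections import defaultdict

ALL_HOSTS = ipaddress.IPv4Address("224.0.0.1")         # all hosts multicast group
MULTICAST_NET = ipaddress.IPv4Network("224.0.0.0/4")   # IPv4 multicast range

# Constructed sample: the Example 2 output from this page.
SAMPLE_OUTPUT = """\
C:\\>netsh int ip show joins

Interface Addr   Multicast Group
---------------  ---------------
10.1.1.1         224.0.0.1
10.1.1.1         224.0.1.24
"""

# A data row is exactly two dotted-quad addresses separated by whitespace.
ROW = re.compile(r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+(\d{1,3}(?:\.\d{1,3}){3})\s*$")

def parse_joins(text):
    """Return {interface address: set of joined multicast groups}."""
    joins = defaultdict(set)
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # prompt, header, separator or blank line
        try:
            iface = ipaddress.IPv4Address(m.group(1))
            group = ipaddress.IPv4Address(m.group(2))
        except ipaddress.AddressValueError:
            continue  # looks like an address but is not valid (e.g. octet > 255)
        if group in MULTICAST_NET:  # ignore rows that are not multicast joins
            joins[str(iface)].add(group)
    return dict(joins)

def exposed_groups(text):
    """Return {interface: sorted groups other than 224.0.0.1}; empty means safe."""
    result = {}
    for iface, groups in parse_joins(text).items():
        extra = sorted(g for g in groups if g != ALL_HOSTS)
        if extra:
            result[iface] = [str(g) for g in extra]
    return result

if __name__ == "__main__":
    for iface, groups in exposed_groups(SAMPLE_OUTPUT).items():
        print(f"{iface}: joined {', '.join(groups)} (meets the MS08-001 condition)")
```

An empty result corresponds to Example 1: the interface has joined only 224.0.0.1, so IGMPv3 queries for that group are dropped by the code quoted above.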
But what happens if an application joins a multicast group other than 224.0.0.1? Is the system/application vulnerable to IGMP attacks in this case?
For example, a JBOSS application can join a multicast group at 224.0.0.75 for cluster replication. Is this JBOSS application vulnerable to IGMP attacks?