Heh, MSN got screwed again

苦逼热狗

MSN Messenger bug

Release Date:
20/11/03

Discovery date:
Sometime around 2001 or 2000

Versions Affected:
------------------

Msn messenger 1.0 -> msn messenger 6.0.0602
Windows messenger all versions

Not Affected:
------------

Msn Messenger 6.1, trillian, gaim

Description:
-----------

A bug exists in Microsoft's MSN Messenger client.
MSN Messenger improperly parses the fields during
file transfer invitation requests, particularly
the request IP field. This makes it possible to
trick the MSN client into giving *away* the user's
IP address without him/her accepting the file
transfer first.

The bug happens when specially crafted MSG requests
are issued to the switchboard server and then
relayed on to the client. Upon receiving each
request from the switchboard, the client seems
to incorrectly process the Ip-Address field
without first waiting for userB to accept the
file that is being sent. It seems
the reason for this bug is that the MSN client
unsafely depends on the client of userB to send the
sequences and the fields in those sequences in the
order that is expected. A malicious user, however,
could construct a program that sends them in the
incorrect order and requests userB's IP
address before userB asks userA for its IP address,
and userB's client will falsely hand out the IP
address. This circumvents the whole thing and
allows us to invade the user's privacy by handing
out such sensitive info.

http://packetstormsecurity.nl/0311-exploits/msnbug.txt
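
The ordering flaw described in the advisory, modelled from the receiving client's side as an added example (not part of the original post or the advisory): the handler answers an address request only after the local user has accepted that invitation, instead of trusting the peer to send messages in order. The message kinds, dictionary keys, cookie values and the 192.0.2.10 address are constructed for illustration and are not the real MSN Messenger wire format.

```python
from enum import Enum, auto

class State(Enum):
    INVITED = auto()   # peer offered a file; local user has not answered yet
    ACCEPTED = auto()  # local user explicitly accepted the transfer

class InviteHandler:
    """Receiving-side model. Message kinds and keys are hypothetical,
    not the real MSN Messenger wire format."""

    def __init__(self, local_ip, strict=True):
        self.local_ip = local_ip
        self.strict = strict      # False = trust the peer's message order
        self.sessions = {}        # invitation cookie -> State
        self.rejected = []        # out-of-order requests, kept for logging

    def user_accepts(self, cookie):
        # Called from the UI only; never driven by network input.
        if self.sessions.get(cookie) is State.INVITED:
            self.sessions[cookie] = State.ACCEPTED

    def handle(self, msg):
        """Process one relayed message; return a reply dict or None."""
        kind, cookie = msg["kind"], msg["cookie"]
        if kind == "invite":
            self.sessions.setdefault(cookie, State.INVITED)
            return None
        if kind == "ip_request":
            accepted = self.sessions.get(cookie) is State.ACCEPTED
            if self.strict and not accepted:
                self.rejected.append(msg)   # address stays private
                return None
            return {"kind": "ip_reply", "cookie": cookie, "ip": self.local_ip}
        return None

def replay(events, strict):
    """Run constructed events through a handler; return (replies, rejected)."""
    h = InviteHandler("192.0.2.10", strict)   # documentation-range address
    replies = []
    for ev in events:
        if ev["kind"] == "user_accept":
            h.user_accepts(ev["cookie"])
        else:
            reply = h.handle(ev)
            if reply:
                replies.append(reply)
    return replies, h.rejected

# Constructed sequences: peer asks for the address before / after acceptance.
OUT_OF_ORDER = [{"kind": "invite", "cookie": 1}, {"kind": "ip_request", "cookie": 1}]
IN_ORDER = [{"kind": "invite", "cookie": 2}, {"kind": "user_accept", "cookie": 2},
            {"kind": "ip_request", "cookie": 2}]
```

With `strict=False` the out-of-order sequence yields an address reply, which is the behaviour the advisory reports; with `strict=True` the same sequence is dropped and recorded in `rejected`, while the in-order sequence still completes.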
 