Part 3 of our MS08-001 blog post series mentioned that Windows Server 2003 does not, by default, expose an attack vector to the IGMP code execution vulnerability. Windows XP and Vista enable UPnP (Universal Plug-and-Play), which exposes an attack vector to the vulnerable code, but Windows Server 2003 does not enable UPnP. As a result, the WS03 machine will ignore IGMP messages received from the network.
We have received a few questions about Windows Server 2003’s exposure to the IGMP vulnerability.
Question 1: By default, Win2k3 server joins to multicast group 224.0.0.1. Does it mean that Win2K3 is vulnerable by default? And the rating in MSRC bulletin is wrong?
Answer: The bulletin rating is correct. Win2k3 server is not vulnerable to the IGMP issue when the only group it has joined is 224.0.0.1.
Observe the netsh command output on a default configuration of Win2K3 server:
    >netsh int ip show joins
    Interface Addr   Multicast Group
    ---------------  ---------------
    10.1.1.1         224.0.0.1
224.0.0.1 is the all-hosts group on the subnet. Win2k3 server is not vulnerable despite being joined to 224.0.0.1 because Windows ignores IGMP queries to that address. Here’s the actual code:
    } else {
        // If all-hosts address, ignore it
        if (IP_ADDR_EQUAL(IQH->igh_addr, ALL_HOST_MCAST)) {
            DEBUGMSG(DBG_WARN && DBG_IGMP,
                (DTEXT("Dropping IGMPv3 query for the All-Hosts group\n")));
            return;
        }
Question 2: How can I tell whether my Windows Server 2003 machine is vulnerable?
Answer: If the server has joined any multicast group other than 224.0.0.1, then it is vulnerable to the IGMP attack.
The following netsh command shows the multicast groups to which the machine is joined:
    netsh int ip show joins
For example, if the WINS component is enabled in Win2k3 server, the output of the netsh command above would be:
    Interface Addr   Multicast Group
    ---------------  ---------------
    10.1.1.1         224.0.0.1
    10.1.1.1         224.0.1.24
224.0.1.24 is the IP multicast group for WINS. The configuration above (if unpatched) is vulnerable to the IGMP attack.
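To apply the check from Answer 2 to saved "netsh int ip show joins" output from many servers, the rule can be scripted. The following is an added example, not code from the original post or from Microsoft; the function names are hypothetical and the sample text is reconstructed from the two outputs shown above.

```python
import ipaddress

# The only group the post says the IGMP query handler ignores.
ALL_HOSTS = ipaddress.IPv4Address("224.0.0.1")

# Sample text reconstructed from the two outputs shown in this post.
DEFAULT_OUTPUT = """\
Interface Addr   Multicast Group
---------------  ---------------
10.1.1.1         224.0.0.1
"""
WINS_OUTPUT = DEFAULT_OUTPUT + "10.1.1.1         224.0.1.24\n"


def parse_joins(netsh_output):
    """Return (interface, group) address pairs found in the command output."""
    joins = []
    for line in netsh_output.splitlines():
        fields = line.split()
        if len(fields) != 2:
            continue  # blank line, column header, or echoed command
        try:
            iface = ipaddress.IPv4Address(fields[0])
            group = ipaddress.IPv4Address(fields[1])
        except ipaddress.AddressValueError:
            continue  # separator row of dashes or other non-address text
        if group.is_multicast:
            joins.append((iface, group))
    return joins


def exposed_groups(netsh_output):
    """Joined groups other than 224.0.0.1, as (interface, group) strings."""
    return [(str(i), str(g)) for i, g in parse_joins(netsh_output)
            if g != ALL_HOSTS]


def needs_attention(netsh_output):
    """True when the post's rule says an unpatched host is exposed."""
    return bool(exposed_groups(netsh_output))


if __name__ == "__main__":
    for name, text in (("default", DEFAULT_OUTPUT), ("WINS", WINS_OUTPUT)):
        print(name, exposed_groups(text))
```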
Question 3: Even if a server is not joined to a multicast group other than 224.0.0.1, could it still be affected if an attacker sent a *unicast* IGMP packet?
Answer: No. Though the host would receive the unicast IGMP packet, a valid multicast address needs to be contained in the IGMP query payload, so the packet would be ignored.