Re: /instmsg/alias/annoying_web_logs ;)

From: zeno (bugtraqat_private)
Date: Tue Oct 15 2002 - 07:10:46 PDT


    > Exchange and MSN Messenger are the top leads so far. :> Someone install
    > MSN Messenger and find out! (Doesn't ANYONE run that thing?) :>
    > 
    > -dave
    > 
    
    
    Here is a good question. We know it is sending GET requests to a webserver. I assume IIS must have
    something set up to get queries and forward to the messaging client? What if IIS isn't installed, does
    something else answer it? If so, what?
    
    - zenoat_private
    
    
    
    
    > 
    > On Tue, 2002-10-15 at 10:05, zeno wrote:
    > > >
    > > > I get billions of these things too, it's part of some MSN groups/chat
    > > > thing, essentially it takes requests the "alias" of the email address
    > > > (daveat_private => /instmsg/alias/dave). Might be fun to send back
    > >
    > > These things are damn annoying. I get probably 5 of these a day and 1 person keeps checking me every
    > > few hours.
    > >
    > >
    > > > some looooong responses ;) My favorites are all the ones that originate
    > > > from Microsoft "tide" addresses... They send me some funny referrers from
    > > > their intranet servers once in a while too.
    > > >
    > >
    > > Ha.
    > >
    > >
    > > > ---
    > > > "Immunity also gets a lot of requests for /instmsg/alias/dave, which
    > > > doesn't exist. I'm curious what web client plugin causes this behavior.
    > > > And, I've noticed FrontPage makes PROPFIND, /_vti_bin/shtml.dll, and
    > > > other FrontPage-style requests. Somewhere here I smell an exploitable
    > > > client-side vulnerability."
    > > > ---
    > > >
    > >
    > >
    > > I'm curious do we know this is MSN Messenger? Anybody else know if AIM or another client sends
    > > these requests?
    > >
    > > - zeno
    > >
    > >
    > --
    > Dave Aitel <daveat_private>
    > Immunity, Inc
    > 
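The request patterns discussed in this thread (GETs for /instmsg/alias/<alias>, the same client re-checking every few hours, referrers arriving with those requests, and FrontPage-style PROPFIND and /_vti_bin/ requests) can be tallied from a web server access log. The script below is an added example, not part of the original messages; it assumes Apache "combined" log format, and the log lines, addresses and client name in it are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in Apache "combined" format (not real traffic).
SAMPLE_LOG = """\
192.0.2.10 - - [15/Oct/2002:01:02:03 -0700] "GET /instmsg/alias/dave HTTP/1.1" 404 290 "-" "ExampleClient/1.0"
192.0.2.10 - - [15/Oct/2002:04:02:10 -0700] "GET /instmsg/alias/dave HTTP/1.1" 404 290 "-" "ExampleClient/1.0"
198.51.100.7 - - [15/Oct/2002:05:30:00 -0700] "GET /instmsg/alias/zeno HTTP/1.1" 404 290 "http://intranet.example/page" "ExampleClient/1.0"
198.51.100.7 - - [15/Oct/2002:05:31:00 -0700] "PROPFIND /docs HTTP/1.1" 405 0 "-" "ExampleClient/1.0"
203.0.113.5 - - [15/Oct/2002:06:00:00 -0700] "GET /_vti_bin/shtml.dll HTTP/1.1" 404 290 "-" "ExampleClient/1.0"
203.0.113.5 - - [15/Oct/2002:06:00:05 -0700] "GET /index.html HTTP/1.1" 200 1024 "-" "ExampleClient/1.0"
"""

LINE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "[^"]*"')
ALIAS = re.compile(r'^/instmsg/alias/([^/?#]+)')

def triage(log_text):
    """Summarise alias lookups and FrontPage-style requests per client."""
    probes = defaultdict(list)    # (client, alias) -> request timestamps
    referrers = defaultdict(set)  # client -> referrers sent with alias lookups
    frontpage = defaultdict(int)  # client -> PROPFIND or /_vti_bin/ requests
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # not in combined format; skip rather than guess
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        alias = ALIAS.match(m["path"])
        if alias and m["method"] == "GET":
            probes[(m["ip"], alias.group(1))].append(ts)
            if m["referer"] not in ("", "-"):
                referrers[m["ip"]].add(m["referer"])
        elif m["method"] == "PROPFIND" or m["path"].lower().startswith("/_vti_bin/"):
            frontpage[m["ip"]] += 1
    repeat = {}  # clients re-checking one alias: (count, mean gap in hours)
    for key, stamps in probes.items():
        if len(stamps) > 1:
            span = (max(stamps) - min(stamps)).total_seconds()
            repeat[key] = (len(stamps), round(span / 3600 / (len(stamps) - 1), 1))
    return {"probes": {k: len(v) for k, v in probes.items()},
            "repeat_checkers": repeat,
            "referrers": {k: sorted(v) for k, v in referrers.items()},
            "frontpage": dict(frontpage)}

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```
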
    



    This archive was generated by hypermail 2b30 : Tue Oct 15 2002 - 13:15:06 PDT