Pretty crazy that we're closer to 2030, than we are 2005. Where did the time go!
0 Members and 1 Guest are viewing this topic.
-----BEGIN PGP SIGNED MESSAGE-----Hash: SHA1 NULL sessions vulnerabilities using alternate named pipes Hervé Schauer Consultants Security Advisory http://www.hsc.fr/- -[ Summary ]- Advisory: NULL sessions vulnerabilities using alternate named pipes CVE identifier: CAN-2005-2150 Release date: 2005/07/07 Affected systems: Windows NT 4.0, Windows 2000 Vendor status: Windows 2000 fixes available in URP1 for Windows 2000 SP4 Author: Jean-Baptiste Marchand <Jean-Baptiste.Marchand@hsc.fr> References: http://www.hsc.fr/ressources/presentations/null_sessions/- -[ Affected systems ]- - Windows NT 4.0 - Windows 2000 (prior to URP1 for Windows 2000 SP4)Windows XP and Windows Server 2003 are not directly affected by thevulnerabilities described in this document.Still, the alternate named pipes technique also applies to Windows XP andWindows Server 2003, including Windows XP SP2 and Windows Server 2003 SP1.- -[ History ]- 2004/01/23: vulnerability reported to vendor 2004/02/12: vendor announces its intention to release fixes as part of the next Windows 2000 Service Pack 2004/09/09: a related vulnerability affecting Windows XP SP2 is published 2005/02/08: release of MS05-007, fixing a specific instance of a similar vulnerability in Windows XP and Windows XP SP2 2005/02/28: private versions of Windows 2000 fixes available for test 2005/03/30: confirmation that tested fixes correct the vulnerability 2005/06/28: release of URP1 for Windows 2000 SP4, which includes fixes for Windows 2000 - -[ Overview ]-By taking advantage of hardcoded named pipes allowed for NULL sessions and usingthe property of MSRPC that, by default, all available RPC interfaces in aprocess can be reached using any opened endpoint, it is possible to: - anonymously enumerate Windows services of a remote Windows NT 4.0 or Windows 2000 system (svcctl vulnerability) - anonymously read the Application and System eventlogs of a remote Windows NT 4.0 or Windows 2000 system (eventlog vulnerability)- -[ svcctl vulnerability details ]-The svcctl MSRPC interface is used to communicate with the Windows SCM (ServiceControl Manager): http://www.hsc.fr/ressources/articles/win_net_srv/ch04s07s09.htmlThe svcctl vulnerability allows an anonymous user to connect to the SCM (ServiceControl Manager). It is then possible to enumerate installed or runningservices: http://www.hsc.fr/ressources/presentations/null_sessions/img16.htmlDepending on the security descriptor protecting each service (stored in binaryunder the Security registry subkey of each service's subkey), it might bepossible to anonymously start or even stop a Windows service.Because in Windows NT 4.0 and Windows 2000, the EVERYONE group contains theANONYMOUS LOGON SID, a service with a weak DACL allowing members of the EVERYONEgroup to start (or stop) the service can be remotely started or stoppedanonymously. For more information about services permissions, see http://cert.uni-stuttgart.de/archive/bugtraq/2004/10/msg00159.html- -[ eventlog vulnerability details ]-The eventlog MSRPC interface is used to communicate with the Windows eventlogservice: http://www.hsc.fr/ressources/articles/win_net_srv/ch04s07s06.htmlThe eventlog vulnerability can be used to anonymously read either theApplication or System eventlog of a remote Windows NT 4.0 or Windows 2000system.It is not possible to read the Security eventlog because a specific Windowsprivilege must be held by the caller process (SeSecurityPrivilege).- -[ Workaround ]-Both vulnerabilities are fixed in the URP1 for Windows 2000 SP4 recentlyreleased by the vendor: http://support.microsoft.com/kb/900345/The svcctl vulnerability was fixed by modifying the SCM DACL (enforced when theOpenSCManager{A,W} operation is used), denying access for the ANONYMOUS LOGONSID.The eventlog vulnerability was fixed by using a RPC callback function for theeventlog interface, to reject unauthenticated binds.It is also possible to protect against the eventlog vulnerability by adding andsetting to 1 the RestrictGuestAccess registry value, under the following tworegistry keys: HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Application\ HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\System\In Windows 2000, the RestrictGuestAccess value can be set using the followingsecurity options: - Restrict guest access to application log - Restrict guest access to system logThese settings are mentionned in the following article: http://support.microsoft.com/kb/842209It is recommended to set these registry values on Windows NT 4.0 systems, whereno other workaround is available.- -[ Vulnerability assessment ]-Plugins for the Nessus vulnerability scanner are available to discovervulnerable hosts:svcctl vulnerability: http://www.nessus.org/plugins/index.php?view=single&id=18585eventlog vulnerability: http://www.nessus.org/plugins/index.php?view=single&id=18602- -[ References ]-For more information, see the following documents: - MSRPC null sessions: exploitation and protection http://www.hsc.fr/ressources/presentations/null_sessions/ - Windows network services internals http://www.hsc.fr/ressources/articles/win_net_srv/- -[ Credits ]-These vulnerabilities were discovered by Jean-Baptiste Marchand, with the helpof Hervé Schauer Consultants team.- -[ Copyright ]-The contents of this advisory are copyright (c) 2005 Hervé Schauer Consultantsand may be distributed freely provided that no fee is charged for thisdistribution and proper credit is given.- -[ PGP key ]- http://www.hsc.fr/~marchand/marchand.asc pub 1024D/456EBCD4 2003-02-25 Key fingerprint = F360 8D66 5AD1 AD17 1941 D14F D0F0 EA74 456E BCD4-----BEGIN PGP SIGNATURE-----Version: GnuPG v1.4.0 (FreeBSD)iD8DBQFCzOpm0PDqdEVuvNQRAgJPAJ0aK/uD9n/2U8qO8od+sgHmIbuVpgCg1XgqrztKIps8npljcawk6PgJzNs==97XV-----END PGP SIGNATURE-----
Windows XP and Windows Server 2003 are not directly affected by thevulnerabilities described in this document.
I have a programming folder, and I have nothing of value there
Our species really annoys me.
Still, the alternate named pipes technique also applies to Windows XP andWindows Server 2003, including Windows XP SP2 and Windows Server 2003 SP1.
[17:32:45] * xar sets mode: -oooooooooo algorithm ban chris cipher newby stdio TehUser tnarongi|away vursed warz[17:32:54] * xar sets mode: +o newby[17:32:58] <xar> new rule[17:33:02] <xar> me and newby rule all
Quote from: CrAz3D on June 30, 2008, 10:38:22 amI'd bet that you're currently bloated like a water ballon on a hot summer's day.That analogy doesn't even make sense. Why would a water balloon be especially bloated on a hot summer's day? For your sake, I hope there wasn't too much logic testing on your LSAT.
I'd bet that you're currently bloated like a water ballon on a hot summer's day.
QuoteStill, the alternate named pipes technique also applies to Windows XP andWindows Server 2003, including Windows XP SP2 and Windows Server 2003 SP1.
Hehehe yeah I saw that too, and was thinking, "I wonder if anyone will notice that."
Quote from: MyndFyre[x86] on July 08, 2005, 01:42:01 pmHehehe yeah I saw that too, and was thinking, "I wonder if anyone will notice that." Now we all know where Newbfyre gets his intelligence from. I wonder if the other kids at school make fun of him 'cuz he's the result of the anal birth project...
