Author Topic: NULL Session vulnerabilities  (Read 4621 times)

0 Members and 1 Guest are viewing this topic.

Offline iago

  • Leader
  • Administrator
  • Hero Member
  • *****
  • Posts: 17914
  • Fnord.
    • View Profile
    • SkullSecurity
NULL Session vulnerabilities
« on: July 08, 2005, 09:44:51 am »
NULL sessions are a Windows thing that lets any user connect to your Windows system without credentials and view certain information.  Here's some information about a specific vulnerability related to NULL sessions and allowing anonymous users to view active services and event log entries:

Quote
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

      NULL sessions vulnerabilities using alternate named pipes


        Hervé Schauer Consultants Security Advisory
                http://www.hsc.fr/


- -[ Summary ]-

         Advisory: NULL sessions vulnerabilities using alternate named pipes
   CVE identifier: CAN-2005-2150
     Release date: 2005/07/07
 Affected systems: Windows NT 4.0, Windows 2000
    Vendor status: Windows 2000 fixes available in URP1 for Windows 2000 SP4
           Author: Jean-Baptiste Marchand <Jean-Baptiste.Marchand@hsc.fr>
       References: http://www.hsc.fr/ressources/presentations/null_sessions/


- -[ Affected systems ]-

 - Windows NT 4.0
 - Windows 2000 (prior to URP1 for Windows 2000 SP4)

Windows XP and Windows Server 2003 are not directly affected by the
vulnerabilities described in this document.

Still, the alternate named pipes technique also applies to Windows XP and
Windows Server 2003, including Windows XP SP2 and Windows Server 2003 SP1.

- -[ History ]-

2004/01/23: vulnerability reported to vendor
 
 2004/02/12: vendor announces its intention to release fixes as part of the next
             Windows 2000 Service Pack

 2004/09/09: a related vulnerability affecting Windows XP SP2 is published

 2005/02/08: release of MS05-007, fixing a specific instance of a similar
             vulnerability in Windows XP and Windows XP SP2

 2005/02/28: private versions of Windows 2000 fixes available for test

 2005/03/30: confirmation that tested fixes correct the vulnerability

 2005/06/28: release of URP1 for Windows 2000 SP4, which includes fixes for
             Windows 2000
 

- -[ Overview ]-

By taking advantage of hardcoded named pipes allowed for NULL sessions and using
the property of MSRPC that, by default, all available RPC interfaces in a
process can be reached using any opened endpoint, it is possible to:

 - anonymously enumerate Windows services of a remote Windows NT 4.0 or Windows
   2000 system (svcctl vulnerability)

 - anonymously read the Application and System eventlogs of a remote Windows NT
   4.0 or Windows 2000 system (eventlog vulnerability)


- -[ svcctl vulnerability details ]-

The svcctl MSRPC interface is used to communicate with the Windows SCM (Service
Control Manager):

 http://www.hsc.fr/ressources/articles/win_net_srv/ch04s07s09.html

The svcctl vulnerability allows an anonymous user to connect to the SCM (Service
Control Manager). It is then possible to enumerate installed or running
services:

 http://www.hsc.fr/ressources/presentations/null_sessions/img16.html


Depending on the security descriptor protecting each service (stored in binary
under the Security registry subkey of each service's subkey), it might be
possible to anonymously start or even stop a Windows service.

Because in Windows NT 4.0 and Windows 2000, the EVERYONE group contains the
ANONYMOUS LOGON SID, a service with a weak DACL allowing members of the EVERYONE
group to start (or stop) the service can be remotely started or stopped
anonymously.

For more information about services permissions, see

 http://cert.uni-stuttgart.de/archive/bugtraq/2004/10/msg00159.html



- -[ eventlog vulnerability details ]-

The eventlog MSRPC interface is used to communicate with the Windows eventlog
service:

 http://www.hsc.fr/ressources/articles/win_net_srv/ch04s07s06.html

The eventlog vulnerability can be used to anonymously read either the
Application or System eventlog of a remote Windows NT 4.0 or Windows 2000
system.

It is not possible to read the Security eventlog because a specific Windows
privilege must be held by the caller process (SeSecurityPrivilege).


- -[ Workaround ]-

Both vulnerabilities are fixed in the URP1 for Windows 2000 SP4 recently
released by the vendor:

 http://support.microsoft.com/kb/900345/


The svcctl vulnerability was fixed by modifying the SCM DACL (enforced when the
OpenSCManager{A,W} operation is used), denying access for the ANONYMOUS LOGON
SID.

The eventlog vulnerability was fixed by using a RPC callback function for the
eventlog interface, to reject unauthenticated binds.


It is also possible to protect against the eventlog vulnerability by adding and
setting to 1 the RestrictGuestAccess registry value, under the following two
registry keys:

 HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Application\

 HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\System\

In Windows 2000, the RestrictGuestAccess value can be set using the following
security options:

 - Restrict guest access to application log
 - Restrict guest access to system log

These settings are mentionned in the following article:

 http://support.microsoft.com/kb/842209


It is recommended to set these registry values on Windows NT 4.0 systems, where
no other workaround is available.


- -[ Vulnerability assessment ]-

Plugins for the Nessus vulnerability scanner are available to discover
vulnerable hosts:

svcctl vulnerability:

 http://www.nessus.org/plugins/index.php?view=single&id=18585

eventlog vulnerability:

 http://www.nessus.org/plugins/index.php?view=single&id=18602


- -[ References ]-

For more information, see the following documents:

 - MSRPC null sessions: exploitation and protection

  http://www.hsc.fr/ressources/presentations/null_sessions/

 - Windows network services internals

  http://www.hsc.fr/ressources/articles/win_net_srv/


- -[ Credits ]-

These vulnerabilities were discovered by Jean-Baptiste Marchand, with the help
of Hervé Schauer Consultants team.


- -[ Copyright ]-

The contents of this advisory are copyright (c) 2005 Hervé Schauer Consultants
and may be distributed freely provided that no fee is charged for this
distribution and proper credit is given.

- -[ PGP key ]-

 http://www.hsc.fr/~marchand/marchand.asc

 pub   1024D/456EBCD4 2003-02-25
 Key fingerprint = F360 8D66 5AD1 AD17 1941  D14F D0F0 EA74 456E BCD4

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.0 (FreeBSD)

iD8DBQFCzOpm0PDqdEVuvNQRAgJPAJ0aK/uD9n/2U8qO8od+sgHmIbuVpgCg1Xgq
rztKIps8npljcawk6PgJzNs=
=97XV
-----END PGP SIGNATURE-----

Don't forget to note Microsoft's 18-month turnaround.

Offline MyndFyre

  • Boticulator Extraordinaire
  • x86
  • Hero Member
  • *****
  • Posts: 4540
  • The wait is over.
    • View Profile
    • JinxBot :: the evolution in boticulation
Re: NULL Session vulnerabilities
« Reply #1 on: July 08, 2005, 11:01:07 am »
Windows XP and Windows Server 2003 are not directly affected by the
vulnerabilities described in this document.
I have a programming folder, and I have nothing of value there

Running with Code has a new home!

Our species really annoys me.

Offline Newby

  • x86
  • Hero Member
  • *****
  • Posts: 10877
  • Thrash!
    • View Profile
Re: NULL Session vulnerabilities
« Reply #2 on: July 08, 2005, 01:30:36 pm »
Quote
Still, the alternate named pipes technique also applies to Windows XP and
Windows Server 2003, including Windows XP SP2 and Windows Server 2003 SP1.
- Newby
http://www.x86labs.org

Quote
[17:32:45] * xar sets mode: -oooooooooo algorithm ban chris cipher newby stdio TehUser tnarongi|away vursed warz
[17:32:54] * xar sets mode: +o newby
[17:32:58] <xar> new rule
[17:33:02] <xar> me and newby rule all

I'd bet that you're currently bloated like a water ballon on a hot summer's day.

That analogy doesn't even make sense.  Why would a water balloon be especially bloated on a hot summer's day? For your sake, I hope there wasn't too much logic testing on your LSAT. 

Offline MyndFyre

  • Boticulator Extraordinaire
  • x86
  • Hero Member
  • *****
  • Posts: 4540
  • The wait is over.
    • View Profile
    • JinxBot :: the evolution in boticulation
Re: NULL Session vulnerabilities
« Reply #3 on: July 08, 2005, 01:42:01 pm »
Quote
Still, the alternate named pipes technique also applies to Windows XP and
Windows Server 2003, including Windows XP SP2 and Windows Server 2003 SP1.

Hehehe yeah I saw that too, and was thinking, "I wonder if anyone will notice that."  ;)
I have a programming folder, and I have nothing of value there

Running with Code has a new home!

Our species really annoys me.

Offline Newby

  • x86
  • Hero Member
  • *****
  • Posts: 10877
  • Thrash!
    • View Profile
Re: NULL Session vulnerabilities
« Reply #4 on: July 08, 2005, 06:06:06 pm »
Hehehe yeah I saw that too, and was thinking, "I wonder if anyone will notice that."  ;)

Now we all know where Newbfyre gets his intelligence from. ;)

I wonder if the other kids at school make fun of him 'cuz he's the result of the anal birth project... ???
- Newby
http://www.x86labs.org

Quote
[17:32:45] * xar sets mode: -oooooooooo algorithm ban chris cipher newby stdio TehUser tnarongi|away vursed warz
[17:32:54] * xar sets mode: +o newby
[17:32:58] <xar> new rule
[17:33:02] <xar> me and newby rule all

I'd bet that you're currently bloated like a water ballon on a hot summer's day.

That analogy doesn't even make sense.  Why would a water balloon be especially bloated on a hot summer's day? For your sake, I hope there wasn't too much logic testing on your LSAT. 

Offline MyndFyre

  • Boticulator Extraordinaire
  • x86
  • Hero Member
  • *****
  • Posts: 4540
  • The wait is over.
    • View Profile
    • JinxBot :: the evolution in boticulation
Re: NULL Session vulnerabilities
« Reply #5 on: July 09, 2005, 10:44:48 am »
Hehehe yeah I saw that too, and was thinking, "I wonder if anyone will notice that."  ;)

Now we all know where Newbfyre gets his intelligence from. ;)

I wonder if the other kids at school make fun of him 'cuz he's the result of the anal birth project... ???

Just remember that it was your ass, not mine.
I have a programming folder, and I have nothing of value there

Running with Code has a new home!

Our species really annoys me.