Re: NULL sessions on Windows 2000 systems [Was: Re: [Full-disclosure] Re:It's not that simple...]
From: yossarian (yossarian_at_planet.nl)
Date: 08/18/05
- Previous message: h4cky0u: "[Full-disclosure] Re: ATutor 1.5.1 and prior multiple XSS Vulnerabilities"
- In reply to: Jean-Baptiste Marchand: "NULL sessions on Windows 2000 systems [Was: Re: [Full-disclosure] Re: It's not that simple...]"
- Next in thread: Florian Weimer: "Re: [Full-disclosure] Re: It's not that simple..."
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Thu, 18 Aug 2005 15:59:45 +0200 To: Jean-Baptiste Marchand <jbm.lists@gmail.com>, full-disclosure@lists.grok.org.uk
You imply with 'hard-coded' that removing them from the registry does not
help. This is new to me? Can you plz. elaborate?
----- Original Message -----
From: "Jean-Baptiste Marchand" <jbm.lists@gmail.com>
To: <full-disclosure@lists.grok.org.uk>
Sent: Thursday, August 18, 2005 9:58 AM
Subject: NULL sessions on Windows 2000 systems [Was: Re: [Full-disclosure]
Re:It's not that simple...]
>* yossarian <yossarian@planet.nl>:
>
>> In the original X-Force paper named pipes were mentioned besides Null
>> Sessions. Does it need both or either one - the paper isn't clear on
>> this?
>> The named pipes seem to have dropped from all discussion.... Anyway,
>> never
>> broke anything by disabling them, either. This is a registry hack
>> described
>> in the MS Hardening guides for 2000 and 2003 server. Just like Null
>> sessions. Elsewhere dunno, but probably, never bothered.
>
> A NULL session usually refers to an anonymous connection to the IPC$
> share, giving remote access to named pipes.
>
> Some named pipes can be opened anonymously (these named pipes appear in
> the NullSessionPipes registry value), i.e. in the context of a NULL
> session.
>
> In addition, 6 named pipes are harcoded in Windows 2000 and can always
> be opened anonymously:
>
> http://www.hsc.fr/ressources/presentations/null_sessions/img7.html
>
> The recent PnP vulnerability (MS05-039) can be anonymously exploited on
> Windows 2000 systems with 139/tcp or 445/tcp open, *except* if the
> RestrictAnonymous registry value is set to 2.
>
> This is because the only way to disable NULL sessions *entirely* on
> Windows 2000 is to set RestrictAnonymous to 2:
>
> http://www.hsc.fr/ressources/presentations/null_sessions/img23.html
>
> Please read my recent presentation about NULL sessions, many people seem
> to know about NULL sessions but fewer people really understand the
> technical details:
>
> http://www.hsc.fr/ressources/presentations/null_sessions/
>
>
> --
> Jean-Baptiste Marchand
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
- Previous message: h4cky0u: "[Full-disclosure] Re: ATutor 1.5.1 and prior multiple XSS Vulnerabilities"
- In reply to: Jean-Baptiste Marchand: "NULL sessions on Windows 2000 systems [Was: Re: [Full-disclosure] Re: It's not that simple...]"
- Next in thread: Florian Weimer: "Re: [Full-disclosure] Re: It's not that simple..."
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
