Re: New attack vectors and a vulnerability dissection of MS03-007

From: Russ (Russ.Cooper@RC.ON.CA)
Date: 04/07/03

    Date:         Mon, 7 Apr 2003 12:11:30 -0400
    From: Russ <Russ.Cooper@RC.ON.CA>

    Firstly, the code that Chadd referred to doesn't make any mention of it working on Windows XP, and nothing so far has indicated that Windows XP has a vulnerable NTDLL.DLL.

    The exploit code does state that it has been tested on Windows 2000 SP0, SP1, SP2, and SP3.

    Microsoft Security Bulletin MS03-007 only refers to Windows 2000 SP2 and SP3. This is because these are the only versions of Windows 2000 that Microsoft currently supports. When SP4 is released some time in the relatively near future, SP2 installations will no longer be supported (per MS' new support policy, effective September last year). As a result, I, and others, mistakenly assumed that only SP2 and SP3 systems were vulnerable. If the author of the exploit code is to be believed, this affects all versions of Windows 2000. I have seen nothing to make me believe this is not true.

    So, no XP vulnerability, but all W2K versions are vulnerable.

    Finally, to the issue of IIS and WebDAV being highlighted in the MS Bulletin. At the time the bulletin was written, there was attack code in use which used the IIS/WebDAV vector. There was every reason to believe that would be the most likely attack vector used for an en-masse attack. Code was already written, the vulnerability prevalence was incredibly high, and the mitigation of disabling WebDAV was relatively easy and did not require a reboot to be effective. Ergo it made sense to put that information in the bulletin. Unfortunately, rather than suggesting other vectors were possible, the emphasis was put entirely on IIS/WebDAV, leading far too many to believe it was the *only* vector.

    With the introduction of this new exploit, targeting desktop systems and allowing anyone who has the ability to run code of their choice locally to increase their privilege to LocalSystem, Microsoft would be well advised to revise the MS03-007 Security Bulletin to de-emphasize the IIS/WebDAV vector and target the more generic message that everyone needs this patch.

    Whether they will or not remains to be seen; it seems my messages to them over the past few weeks have been going into a black hole.

    Russ - NTBugtraq Editor

