ms04-031 pre-auth ??

From: Sinan Eren (sinan.eren_at_immunitysec.com)
Date: 10/18/04

    Date: Mon, 18 Oct 2004 09:35:22 -0400 (EDT)
    To: bugtraq@securityfocus.com, dailydave@lists.immunitysec.com
    
    

    http://www.microsoft.com/technet/security/bulletin/ms04-031.mspx

    We have located the vulnerable function and just recently wrote the
    CANVAS module for it, but all our tests showed that the NetDDE
    vulnerability cannot be exploited with a NULL session, a.k.a.
    with "Anonymous Logon" credentials.

    Here are some reasons why we think NetDDE RPC interface procedure calls
    can only be done after authentication (any local or domain user):

    1- The \pipe\nddeapi named pipe does not have the "Anonymous Logon" credentials.
    2- HKLM\SYSTEM\ControlSet001\Services\lanmanserver\parameters\NullSessionPipes
    does not list the nddeapi pipe in any of the current Windows OS installs.
    3- \pipe\nddeapi is not hardcoded in the srv.sys driver (please check:
    http://www.hsc.fr/ressources/articles/win_net_srv/index.html.en#htoc33 ).

    Please feel free to correct us! We will be delighted to hear that this
    vuln is actually a pre-auth ;)

    The most puzzling question is why Microsoft "upplays" this
    vulnerability's severity rather than making the usual downplaying efforts?
    I remember a good friend reporting to them a remote ring-0 vulnerability
    in Terminal Services which they silently fixed in SP3 and didn't even bother
    to credit him for, because they simply believe only a remote DoS can be achieved
    with a remote kernel overflow!! So does that mean MS changed its policy
    regarding vulnerability severity assessment, or do they have an ongoing love
    relation with NGS? Puzzles the mind ;)

    cheers,
    Sinan Eren
    Immunity Research
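The reachability argument in the post rests on host-side configuration: whether the nddeapi pipe appears in the LanmanServer NullSessionPipes list and whether the NetDDE service backing \pipe\nddeapi is running at all. The following PowerShell audit script is an added example, not code from the original post or from Immunity; it reads those settings on the local machine so a defender can confirm the same two points the post checks. It assumes it is run elevated on the host being audited, uses the CurrentControlSet path (the post quotes ControlSet001), and assumes the service name `NetDDE` used by Windows 2000/XP-era installs.

```powershell
# Added audit script (not part of the original post). Reports whether the
# nddeapi named pipe is exported to anonymous (null-session) clients and
# whether the NetDDE service that creates \pipe\nddeapi is running.
# Assumptions: run as a local administrator; CurrentControlSet is used in
# place of the ControlSet001 path quoted in the post; service name is NetDDE.

function Get-NddeNullSessionExposure {
    [CmdletBinding()]
    param(
        [string]$PipeName = 'nddeapi'
    )

    $params = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

    # NullSessionPipes is REG_MULTI_SZ; Get-ItemProperty returns it as string[].
    # Pipes named here can be opened by "Anonymous Logon" when null sessions
    # are restricted (RestrictNullSessAccess = 1).
    $nullPipes = @()
    $prop = Get-ItemProperty -Path $params -Name 'NullSessionPipes' -ErrorAction SilentlyContinue
    if ($null -ne $prop) { $nullPipes = @($prop.NullSessionPipes) }

    # RestrictNullSessAccess (DWORD). 1 = only pipes in NullSessionPipes are
    # reachable anonymously; 0 = the restriction is disabled entirely.
    $restrictProp = Get-ItemProperty -Path $params -Name 'RestrictNullSessAccess' -ErrorAction SilentlyContinue
    $restrict = if ($null -ne $restrictProp) { [int]$restrictProp.RestrictNullSessAccess } else { 1 }

    # Enumerate live pipes from the pipe file system namespace to see whether
    # \pipe\nddeapi currently exists on this host.
    $livePipes = [System.IO.Directory]::GetFiles('\\.\pipe\') | ForEach-Object {
        [System.IO.Path]::GetFileName($_)
    }
    $pipeLive = $livePipes -contains $PipeName

    # The NetDDE service is what backs the nddeapi pipe; if it is stopped or
    # absent the pipe should not be present either.
    $svc = Get-Service -Name 'NetDDE' -ErrorAction SilentlyContinue
    $svcStatus = if ($null -ne $svc) { $svc.Status.ToString() } else { 'NotInstalled' }

    $listedForNull = $nullPipes -contains $PipeName

    [PSCustomObject]@{
        PipeName               = $PipeName
        PipeExists             = $pipeLive
        NetDDEService          = $svcStatus
        RestrictNullSessAccess = $restrict
        ListedInNullSessionPipes = $listedForNull
        # Anonymous reachability needs the pipe to exist and either the
        # restriction to be off or the pipe to be on the allow list.
        AnonymousReachable     = ($pipeLive -and (($restrict -eq 0) -or $listedForNull))
    }
}

# Run the audit and show the result.
Get-NddeNullSessionExposure | Format-List
```

AnonymousReachable coming back False with RestrictNullSessAccess = 1 and the pipe absent from NullSessionPipes matches the post's points 1 and 2; it does not cover point 3, the srv.sys built-in list, which has to be checked against the driver itself. A host where the service is already stopped or disabled, the usual hardening step for NetDDE, will show PipeExists = False regardless of the registry values.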

