RE: SMBdie exploit testing
From: Robert Sieber (rsieber@web.de)
Date: 09/06/02
- In reply to: dwreck@hushmail.com: "SMBdie exploit testing"
From: "Robert Sieber" <rsieber@web.de>
To: "securityfocus - ms" <focus-ms@securityfocus.com>
Date: Fri, 6 Sep 2002 08:37:50 +0200

I can confirm your results for Windows 2000 servers and professional!
Setting RestrictAnonymous to 2 will solve the problem. But there will be
more problems in a mixed environment! Read at:
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q246261
Robert
--
http://board.protecus.de - Firewalls, Security and more ...

> -----Original Message-----
> From: dwreck@hushmail.com [mailto:dwreck@hushmail.com]
> Sent: Thursday, September 05, 2002 9:47 PM
> To: focus-ms@securityfocus.com
> Subject: SMBdie exploit testing
>
> We tested the GUI version of the exploit on the following systems:
>
> server1        Windows 2000 Server        Hardened            Did not work
> server2        Windows 2000 Server        Hardened            Did not work
> app server 1   Windows 2000 Server        Hardened            Did not work
> Workstation 1  Windows 2000 Professional  Partially Hardened (only restrict anonymous)  Did not work
> Workstation 2  Windows 2000 Professional  No Hardening        WORKED...blue screen, shutdown, checkdisk
> Workstation 3  Windows XP                 Hardened            WORKED...blue screen and a shutdown
> .net server    Windows .NET               No Hardening        WORKED...blue screen and a shutdown
> server 3       Windows 2000 Server        No Hardening        WORKED...blue screen and a shutdown
> Server 4       NT 4.0 TSE                 Hardened            WORKED...blue screen and a shutdown
> Workstation 5  Windows XP                 Hardened            WORKED...blue screen and a shutdown
> Workstation 6  NT 4.0 SP6a                No Hardening        WORKED...blue screen and a shutdown and a memory dump
> Workstation 7  NT 4.0 SP6a                No Hardening but restrictanonymous was enabled  WORKED...blue screen and a shutdown
>
> It appears that the Restrict Anonymous setting on Windows 2000
> servers and workstations stops this exploit. It appears to
> function on NT 4.0, XP, and .NET whether Restrict Anonymous is set or not.
>
> Windows NT 4.0 Servers are susceptible to the Smbdie exploit.
> The patch must be applied to stop the Smbdie exploit.
>
> Windows NT 4.0 TSE Edition Servers are susceptible to the Smbdie
> exploit. The patch must be applied to stop the Smbdie exploit.
>
> Windows NT 4.0 workstations are susceptible to the Smbdie
> exploit. The patch must be applied to stop the Smbdie exploit.
>
> Windows 2000 Servers and Workstations are NOT vulnerable as long
> as the "Additional restrictions for anonymous connections" option
> in their local security settings is set to "No access without
> explicit anonymous permissions".
> Windows 2000 server administrators can either verify/set this
> option or apply the patch. We have tested both solutions.
> Either one will protect a Windows 2000 system from the Smbdie exploit.
>
> Windows XP workstations are susceptible to the Smbdie exploit.
> The patch must be applied to stop the Smbdie exploit.
>
> Due to the release of the "canned" exploit, this (MS02-045) is a
> very easy internal attack vector. Any machine on your network,
> including systems that are connected via VPN can launch this
> attack. All you need is the IP address and netbios name of the
> target system. There is an entry left in the system log when
> this attack is successfully run but it DOES NOT give any
> indication as to the source of the attack. The message differs
> between NT versions and appears to be intermittent on Windows
> 2000 systems.
>
> Anyone have different results with their testing?
>
> Thanks,
>
> DWreck
>
> Get your free encrypted email at https://www.hushmail.com
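
Added example, not part of either message above: a small audit that reads collected `reg query` output for the RestrictAnonymous value and classifies each host using only the results reported in this thread (the setting at 2 protects Windows 2000 only; NT 4.0, XP and .NET need the MS02-045 patch). The registry path `HKLM\SYSTEM\CurrentControlSet\Control\Lsa`, the output layout, the hostnames and the patch flags are assumptions and constructed sample data.

```python
import re

# Matches the RestrictAnonymous line of "reg query" output, but not the
# separate RestrictAnonymousSAM value that some hosts also carry.
VALUE_RE = re.compile(
    r"^\s*restrictanonymous\s+REG_DWORD\s+(0x[0-9a-f]+|\d+)\s*$",
    re.IGNORECASE | re.MULTILINE)

def parse_restrict_anonymous(reg_output):
    """Return the RestrictAnonymous DWORD as an int, or None if absent."""
    m = VALUE_RE.search(reg_output)
    if m is None:
        return None
    raw = m.group(1).lower()
    return int(raw, 16) if raw.startswith("0x") else int(raw)

def assess(os_name, reg_output, patched):
    """Classify one host from the test results reported in the thread."""
    if patched:
        return "patched"
    value = parse_restrict_anonymous(reg_output)
    # Thread: the setting only stopped the crash on Windows 2000;
    # NT 4.0, XP and .NET went down with or without it.
    if os_name.startswith("Windows 2000") and value == 2:
        return "mitigated-by-setting"
    return "patch-required"

# Constructed inventory: hostnames, output text and patch flags are made up.
LSA = "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Lsa\n"
HOSTS = [
    ("w2k-srv", "Windows 2000 Server",
     LSA + "    restrictanonymous    REG_DWORD    0x2\n", False),
    ("w2k-ws", "Windows 2000 Professional",
     LSA + "    restrictanonymous    REG_DWORD    0x0\n", False),
    ("xp-ws", "Windows XP",
     LSA + "    restrictanonymous    REG_DWORD    0x2\n"
           "    restrictanonymoussam    REG_DWORD    0x1\n", False),
    ("nt4-ws", "NT 4.0 SP6a",
     LSA + "    restrictanonymous    REG_DWORD    0x1\n", True),
]

def audit(hosts=HOSTS):
    """Map hostname -> verdict for every host in the inventory."""
    return {name: assess(os_name, out, patched)
            for name, os_name, out, patched in hosts}

if __name__ == "__main__":
    for name, verdict in audit().items():
        print(f"{name:8} {verdict}")
```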