Windows XP remote access methods for pen test

From: Curt Wilson (netw3_security@hushmail.com)
Date: 12/05/02

    Date: 5 Dec 2002 22:53:49 -0000
    From: Curt Wilson <netw3_security@hushmail.com>
    To: pen-test@securityfocus.com
    
    

    While working with the Security Configuration and Analysis MMC snap-in
    (applying securews template in this case) in a Win XP Pro SP1 system, I
    came across some items that could be useful to the attacker and/or pen
    tester. Anyone who has played with XP security policies will have seen
    these, however I've seen little information about the security
    ramifications of the following items, and would enjoy a discussion about
    these elements:

    Local Policies...Security Options...Network Access: Named pipes that can
    be accessed anonymously
     
    COMNAP,COMNODE,SQL\QUERY,SPOOLSS,LLSRPC,EPMAPPER,LOCATOR,TrkWks,TrkSvr

    Remotely accessible registry paths:

    System\CurrentControlSet\Control\ProductOptions
    System\CurrentControlSet\Control\Print\Printers
    System\CurrentControlSet\Control\Server Applications
    System\CurrentControlSet\Services\Eventlog
    Software\Microsoft\OLAP Server
    Software\Microsoft\Windows NT\CurrentVersion
    System\CurrentControlSet\Control\ContentIndex
    System\CurrentControlSet\Control\Terminal Server
    System\CurrentControlSet\Control\Terminal Server\UserConfig
    System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration

    (I'm assuming that these reg paths are useless to a remote attacker,
    unless the remote registry service is enabled and the attacker/pen tester
    has access. I always turn off remote registry so I've not explored these
    options)

    Shares that can be accessed anonymously

    COMCFG,DFS$

    Has anyone successfully leveraged the existence of any of these elements,
    and do you have any information from practical experience that you would
    be willing to share? It strikes me that there could be some interesting
    content here if we could spend some time fuzzing and exploring.

    Thanks

    Curt Wilson
    Netw3 Security Research
    www.netw3.com
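    The following audit script is an added example, not part of Curt Wilson's post. It reads the three null-session settings the post lists from the local registry, flags any named pipe or share that is not in the securews list quoted above, and reports whether Remote Registry is running (the condition the post notes for the registry paths to matter). The registry locations and value names used are the standard Windows storage for these policy settings; that mapping is this script's assumption, not something the post states.

```powershell
# Added example, not from the original post. Audits the null-session settings
# discussed above on the local machine. Run from an elevated PowerShell prompt.
# Assumption: these policies are stored under LanmanServer\Parameters and
# SecurePipeServers\Winreg\AllowedPaths, the usual Windows locations.
$lanman = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$winreg = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedPaths'

# Baselines copied verbatim from the post (securews template, XP Pro SP1).
$baseline = @{
    NullSessionPipes  = 'COMNAP','COMNODE','SQL\QUERY','SPOOLSS','LLSRPC','EPMAPPER','LOCATOR','TrkWks','TrkSvr'
    NullSessionShares = 'COMCFG','DFS$'
}

function Get-MultiSz($Path, $Name) {
    # REG_MULTI_SZ is returned as a string array. A missing value means the
    # policy was never written and the built-in Windows default applies.
    try { @((Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name) | Where-Object { $_ } }
    catch { @() }
}

# Pipes and shares: anything not in the template list is an addition to review.
$report = @(foreach ($name in 'NullSessionPipes', 'NullSessionShares') {
    foreach ($entry in Get-MultiSz $lanman $name) {
        [pscustomobject]@{
            Setting = $name
            Entry   = $entry
            Status  = if ($baseline[$name] -contains $entry) { 'template default' } else { 'ADDED - review' }
        }
    }
})

# Registry paths readable over the Winreg pipe when Remote Registry is running.
foreach ($path in Get-MultiSz $winreg 'Machine') {
    $report += [pscustomobject]@{ Setting = 'AllowedPaths\Machine'; Entry = $path; Status = 'remote-readable' }
}

$report | Sort-Object Setting, Entry | Format-Table -AutoSize

# Context the post calls out: the paths only matter if Remote Registry is on,
# and RestrictAnonymous (Lsa) governs what a null session may enumerate.
$rr = Get-Service -Name RemoteRegistry -ErrorAction SilentlyContinue
$ra = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -ErrorAction SilentlyContinue).RestrictAnonymous
'Remote Registry service : {0}' -f $(if ($rr) { "$($rr.Status) / $($rr.StartType)" } else { 'not installed' })
'RestrictAnonymous (Lsa) : {0}' -f $(if ($null -eq $ra) { 'not set (defaults to 0)' } else { $ra })
```

    An empty result for a setting means the policy value has never been written locally, so the system is running on the built-in default rather than an explicitly empty list.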

