| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu Aug 18 14:58:23 2005 From: yossarian at planet.nl (yossarian) Subject: NULL sessions on Windows 2000 systems [Was: Re: Re:It's not that simple...] You imply with 'hard-coded' that removing them from the registry does not help. This is new to me? Can you plz. elaborate? ----- Original Message ----- From: "Jean-Baptiste Marchand" <jbm.lists@...il.com> To: <full-disclosure@...ts.grok.org.uk> Sent: Thursday, August 18, 2005 9:58 AM Subject: NULL sessions on Windows 2000 systems [Was: Re: [Full-disclosure] Re:It's not that simple...] >* yossarian <yossarian@...net.nl>: > >> In the original X-Force paper named pipes were mentioned besides Null >> Sessions. Does it need both or either one - the paper isn't clear on >> this? >> The named pipes seem to have dropped from all discussion.... Anyway, >> never >> broke anything by disabling them, either. This is a registry hack >> described >> in the MS Hardening guides for 2000 and 2003 server. Just like Null >> sessions. Elsewhere dunno, but probably, never bothered. > > A NULL session usually refers to an anonymous connection to the IPC$ > share, giving remote access to named pipes. > > Some named pipes can be opened anonymously (these named pipes appear in > the NullSessionPipes registry value), i.e. in the context of a NULL > session. > > In addition, 6 named pipes are harcoded in Windows 2000 and can always > be opened anonymously: > > http://www.hsc.fr/ressources/presentations/null_sessions/img7.html > > The recent PnP vulnerability (MS05-039) can be anonymously exploited on > Windows 2000 systems with 139/tcp or 445/tcp open, *except* if the > RestrictAnonymous registry value is set to 2. > > This is because the only way to disable NULL sessions *entirely* on > Windows 2000 is to set RestrictAnonymous to 2: > > http://www.hsc.fr/ressources/presentations/null_sessions/img23.html > > Please read my recent presentation about NULL sessions, many people seem > to know about NULL sessions but fewer people really understand the > technical details: > > http://www.hsc.fr/ressources/presentations/null_sessions/ > > > -- > Jean-Baptiste Marchand > _______________________________________________ > Full-Disclosure - We believe in it. > Charter: http://lists.grok.org.uk/full-disclosure-charter.html > Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists