Date: Sun Feb 12 23:20:02 2006
From: atarasco at gmail.com (Andres Tarasco)
Subject: Privilege Scalation for Windows Networks using
	weak Service restrictions v2.0 exploit

Hi,

Not all Windows versions are affected. The services listed below have been
found on several pen-tests.

As far as I know, the only way to know if your system is vulnerable to this
issue is to test it with srvcheck, because I have found win2k server boxes,
with all patches, with more than 20 vulnerable services. Why? Maybe admins...
maybe an old FAT32 file system...

If your computer has a vulnerable service, just deploy an administrative
template (.inf) with the right permissions (remove modify privileges for
everyone/authenticated users/power users/... accounts).


regards,

Andres Tarasco

2006/2/12, ad@...poverflow.com <ad@...poverflow.com>:
>
> Andres Tarasco wrote:
> > Proof of concept of Sudhakar Govindavajhala and Andrew Appel paper
> > (http://www.cs.princeton.edu/~sudhakar/papers/winval.pdf). Running
> > as an unprivileged user you can test if your services are
> > vulnerable and can be used to install a backdoor. Both source code
> > and binary included.
> >
> > *Microsoft advisory:
> > http://microsoft.com/technet/security/advisory/914457.mspx*
> >
> > *SrvCheck v2.0 is able to perform these checks remotely using, for
> > example, domain user credentials.*
> >
> > *Here is a short list of known vulnerable services under XP SP2:*
> >
> > *- Advanced User:*
> >   Service: DcomLaunch (SYSTEM)
> >   Service: UpnpHost (Local Service)
> >   Service: SSDPSRV (Local Service)
> > *- User:*
> >   Service: UpnpHost (Local Service)
> >   Service: SSDPSRV (Local Service)
> > *- Network Config Operators:*
> >   Service: DcomLaunch (SYSTEM)
> >   Service: UpnpHost (Local Service)
> >   Service: SSDPSRV (Local Service)
> >   Service: DHCP (SYSTEM)
> >   Service: NetBT (SYSTEM - .sys driver)
> >   Service: DnsCache (SYSTEM)
>
> but ms put
>
> *Is this a security vulnerability that requires Microsoft to issue a
> security update?*
> Microsoft is still investigating this issue. Customers who have
> installed Windows XP Service Pack 2 and Windows Server 2003 Service
> Pack 1 are not affected by this issue.
>
>
>
>
> ??


--
Loco de aTar
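
The audit the message describes (finding services where broad accounts hold modify rights), as an added example that is not part of the original post and is not srvcheck's code: it parses service security descriptors in SDDL form, as printed by `sc sdshow`, and reports allow ACEs that let Everyone, Authenticated Users, Power Users and similar groups change the service configuration or its ACL. The service names and descriptors below are constructed.

```python
import re

# SDDL rights that let a trustee reconfigure a service or rewrite its ACL.
WRITE_RIGHTS = {"DC": "SERVICE_CHANGE_CONFIG", "WD": "WRITE_DAC", "WO": "WRITE_OWNER",
                "GA": "GENERIC_ALL", "GW": "GENERIC_WRITE"}
# The same rights as access-mask bits, for ACEs written in hex.
MASK_BITS = {0x2: "DC", 0x40000: "WD", 0x80000: "WO", 0x10000000: "GA", 0x40000000: "GW"}
# Broad, non-administrative trustees by SDDL SID abbreviation.
BROAD = {"WD": "Everyone", "AU": "Authenticated Users", "PU": "Power Users",
         "BU": "Users", "IU": "Interactive", "NO": "Network Configuration Operators"}


def weak_aces(sddl):
    """Return sorted (trustee, right) pairs a broad group holds via allow ACEs in the DACL."""
    if "D:" not in sddl:
        return []
    dacl = sddl.split("D:", 1)[1].split("S:", 1)[0]   # drop the SACL (audit ACEs)
    found = set()
    for ace in re.findall(r"\(([^()]*)\)", dacl):
        fields = ace.split(";")
        if len(fields) != 6 or fields[0] != "A":      # only access-allowed ACEs grant rights
            continue
        rights, trustee = fields[2], fields[5]
        if trustee not in BROAD:
            continue
        if rights.lower().startswith("0x"):
            mask = int(rights, 16)
            codes = [code for bit, code in MASK_BITS.items() if mask & bit]
        else:
            codes = re.findall("..", rights)          # rights are two-letter codes
        found.update((BROAD[trustee], WRITE_RIGHTS[c]) for c in codes if c in WRITE_RIGHTS)
    return sorted(found)


def audit(descriptors):
    """Map service name -> findings, keeping only services with at least one finding."""
    results = {name: weak_aces(sddl) for name, sddl in descriptors.items()}
    return {name: hits for name, hits in results.items() if hits}


# Constructed descriptors in the format `sc sdshow <service>` prints; names are hypothetical.
SAMPLES = {
    "ExampleWeakSvc": "D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
                      "(A;;CCDCLCSWRPWPDTLOCRRC;;;AU)(A;;CCLCSWLOCRRC;;;PU)"
                      "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)",
    "ExampleTightSvc": "D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
                       "(A;;CCLCSWLOCRRC;;;AU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)",
}

if __name__ == "__main__":
    for service, hits in audit(SAMPLES).items():
        for trustee, right in hits:
            print(f"{service}: {trustee} holds {right}")
```

The audit ACE in the SACL names Everyone (`WD`) with the full rights string but grants nothing, so it is excluded; only the `DC` right held by Authenticated Users in the first descriptor is reported.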