Date: Wed, 12 Nov 2003 10:38:15 -0600
From: "Anderson, Dan" <>
To: "''" <>
Subject: RE: [Full-Disclosure] Proof of concept for Windows Workstation Service overflow

Looking at his little bit of information in the advisory

"...a buffer overflow happens on the specified host if the debug file is

Generally, the "debug" subdirectory in the Windows directory is not
writeable by everyone if the drive is formatted as NTFS, which means that we
cannot append to the log using a null session. The WsImpersonateClient() API
is called before opening the log file, and if the connected client does not
have the privilege to write to the log file, then CreateFile() will fail,
and the vulnerable call to vsprintf() is not performed. So, in this case, we
can exploit FAT32 systems (which do not support ACLs on directories), or
systems where the "%SYSTEMROOT%\debug" directory is writeable by everyone.
However, there are some extended RPC functions implemented in Windows XP
which open the logfile before calling WsImpersonateClient()... "

So my guess is that if this gets to be a worm, it will probably affect
mostly XP systems and not Windows 2000 systems (given that NTFS is a default
file type for W2k and that by default this is not writeable by a NULL
session). So that reduces the number of potential worm candidates, and along
with this needing to use the same ports as Blaster, the list of targets grows
smaller (because of the XP firewall). In itself it does not look to have the
same level of potential impact as Blaster.

What are your thoughts?  
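
The quoted advisory ties the log-append path to two local conditions: a FAT32 volume, or a "%SYSTEMROOT%\debug" directory writeable by everyone. As an added example that is not part of the original post, this read-only PowerShell check reports both for the machine it runs on; the function name Test-DebugDirExposure is hypothetical, and PowerShell 3.0 or later is assumed.

```powershell
# Added example (not from the original post): read-only audit of the two
# conditions the quoted advisory names for the debug log to be appendable.
function Test-DebugDirExposure {
    param([string]$Path = (Join-Path $env:SystemRoot 'debug'))

    # Condition 1: FAT-family volumes carry no ACLs at all.
    $root    = [System.IO.Path]::GetPathRoot($Path)
    $format  = (New-Object System.IO.DriveInfo($root)).DriveFormat
    $hasAcls = $format -notmatch '^(FAT|FAT32|exFAT)$'

    # Condition 2: write/append allowed for Everyone (S-1-1-0) or
    # Anonymous Logon (S-1-5-7), the identities a null session maps to.
    $broadSids = @('S-1-1-0', 'S-1-5-7')
    # WriteData/CreateFiles, AppendData/CreateDirectories, GENERIC_WRITE, GENERIC_ALL
    $writeMask = 0x2 -bor 0x4 -bor 0x40000000 -bor 0x10000000

    $findings = @()
    if ($hasAcls) {
        # Check the directory itself and every file already inside it.
        $items  = @(Get-Item -LiteralPath $Path -Force)
        $items += @(Get-ChildItem -LiteralPath $Path -File -Force -ErrorAction SilentlyContinue)
        foreach ($item in $items) {
            $acl   = Get-Acl -LiteralPath $item.FullName
            $rules = $acl.GetAccessRules($true, $true,
                         [System.Security.Principal.SecurityIdentifier])
            foreach ($rule in $rules) {
                $isAllow = $rule.AccessControlType -eq 'Allow'
                $isBroad = $broadSids -contains $rule.IdentityReference.Value
                $canWrite = ([int]$rule.FileSystemRights -band $writeMask) -ne 0
                if ($isAllow -and $isBroad -and $canWrite) {
                    $findings += [pscustomobject]@{
                        Item   = $item.FullName
                        Sid    = $rule.IdentityReference.Value
                        Rights = $rule.FileSystemRights
                    }
                }
            }
        }
    }

    [pscustomobject]@{
        Path            = $Path
        FileSystem      = $format
        SupportsAcls    = $hasAcls
        BroadWriteRules = $findings
        Exposed         = (-not $hasAcls) -or ($findings.Count -gt 0)
    }
}

Test-DebugDirExposure | Format-List
```

A result of Exposed = False covers only the ACL-dependent path; it says nothing about the extended RPC functions on Windows XP that, per the advisory, open the log file before calling WsImpersonateClient().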

