lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <Pine.LNX.4.58.0410180911040.1669@juneof44.immunitysec>
Date: Mon, 18 Oct 2004 09:35:22 -0400 (EDT)
From: Sinan Eren <sinan.eren@...unitysec.com>
To: bugtraq@...urityfocus.com, dailydave@...ts.immunitysec.com
Subject: ms04-031 pre-auth ??



http://www.microsoft.com/technet/security/bulletin/ms04-031.mspx

We have located the vulnerable function and just recently wrote the 
CANVAS module for it but all our tests showed that the NetDDE 
vulnerability can not be exploited with a NULL session a.k.a 
with "Anonymous Logon" credentials.

Here are some reasons why we think NetDDE rpc interface procedure calls 
can only be done after authentication (any local or domain user) 

1- \pipe\nddeapi named pipe do not have the "Anonymous Logon" credentials
2- HKLM\SYSTEM\ControlSet001\Services\lanmanserver\parameters\NullSessionPipes 
do not list the nddeapi pipe in any of the current windows OS installs 
3- \pipe\nddeapi is not hardcoded in the srv.sys driver (please check:
http://www.hsc.fr/ressources/articles/win_net_srv/index.html.en#htoc33 )

Please feel free to correct us! We will be delighted to hear that this 
vuln is actually a pre-auth ;)

The most puzzling question is why does Microsoft "upplays" this 
vulnerabilities severity rather than the usual downplaying efforts ?
I remember a good friend reporting them a remote ring-0 vulnerability 
in terminal services which they silently fixed in SP3 and dont even bother 
to credit him because they simply believe only remote DOS can be achieved 
with a remote kernel overflow!! So does that mean MS changed its policy 
regarding vulnerability severity assesment or they have a ongoing love 
relation with NGS ? puzzles the mind ;)

cheers,
Sinan Eren
Immunity Research



Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ