Open Source and information security mailing list archives
Message-ID: <20050209184015.GA11354@garbarek.hsc.fr>
Date: Wed, 9 Feb 2005 19:40:16 +0100
From: Jean-Baptiste Marchand <Jean-Baptiste.Marchand@....fr>
To: bugtraq@...urityfocus.com
Subject: Some details about MS05-007 security bulletin


Hello,

I'd like to provide some details about the vulnerability fixed by the MS05-007
security bulletin:

	http://www.microsoft.com/technet/security/bulletin/ms05-007.mspx

The Microsoft security bulletin is in some ways misleading, and I've seen that
the following CERT vulnerability note:

	http://www.kb.cert.org/vuls/id/939074

incorrectly describes the vulnerability as related to the Computer Browser
Windows service.

The File information section of the MS05-007 security bulletin shows that
srvsvc.dll is the only updated file. srvsvc.dll implements the lanmanserver
service (Server service, userland part of server-side Windows SMB/CIFS
implementation).

If the vulnerability had been in the Computer Browser service itself, the
updated file would have been browser.dll.

The updated version of srvsvc.dll adds some additional restrictions to at least
one operation of the srvsvc MSRPC interface. 

A complete list of operations of the srvsvc interface can be found at:

	http://www.hsc.fr/ressources/articles/win_net_srv/ch04s07s07.html

Because it is typically possible to bind anonymously to RPC services such as
srvsvc or wkssvc (RPC service of the workstation service), restrictions are
defined for each operation:

	http://www.hsc.fr/ressources/articles/win_net_srv/ch04s06s11.html

These restrictions are particularly important for anonymous accesses, which are
possible using SMB NULL sessions to the IPC$ share.

It was recently discovered that even in Windows XP SP2, it is still possible to
gather some information anonymously, using specific operations of the srvsvc or
wkssvc MSRPC interfaces:

	http://www.securityfriday.com/Topics/winxp2.html

Specifically, using the NetrSessionEnum operation (srvsvc interface), it is
possible to anonymously enumerate users who have established an SMB session on a
remote server.

The MS05-007 patch forbids the NetrSessionEnum operation in the context of a
NULL session.

Thus, it only fixes a very specific problem and cannot be considered the
correct way to fix this kind of vulnerability.


Before Windows XP SP2 (i.e., Windows XP SP1), you need to apply the MS05-007
patch if you want to prevent this vulnerability. 

On Windows XP SP2, the easiest way to fix the vulnerability without applying the
patch is to remove the "browser" string from the NullSessionPipes registry
value:

	http://www.hsc.fr/ressources/articles/win_net_srv/ch04s06s06.html

Disabling the Computer Browser service is another method to prevent the 
vulnerability but this workaround only works for Windows XP SP2.

Jean-Baptiste Marchand
-- 
Jean-Baptiste.Marchand@....fr
HSC - http://www.hsc.fr/
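
The following PowerShell is an added example, not code from the post above or
from HSC: it audits the NullSessionPipes value the post refers to and, on
request, applies the Windows XP SP2 workarounds the post gives (removing
"browser" from the list, or disabling the Computer Browser service). The
registry location used is the documented one for the Server service
(HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters). The check
treats both "srvsvc" and "browser" as exposing names because the srvsvc RPC
interface is served on \pipe\browser as well as on \pipe\srvsvc, which is why
dropping "browser" closes the anonymous path even on SP2, where "srvsvc" is
already absent from the default list. One assumption is labelled in the code:
the list is taken to be read when the Server service starts, so the script
restarts LanmanServer after changing it.

```powershell
# Added example (not from the original post): audit NullSessionPipes and
# optionally apply the SP2 workarounds.  Run from an elevated prompt on a
# host with the Server service (LanmanServer) installed.
$LanmanParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

function Get-NullSessionPipes {
    # REG_MULTI_SZ list of named pipes that may be opened over a NULL session.
    # An absent value or an empty list means no pipe is reachable anonymously.
    $item = Get-ItemProperty -Path $LanmanParams -Name NullSessionPipes -ErrorAction SilentlyContinue
    if ($null -eq $item) { return @() }
    return @($item.NullSessionPipes | Where-Object { $_ -and $_.Trim() -ne '' })
}

function Test-AnonymousSrvsvcExposure {
    # srvsvc is reachable through \pipe\srvsvc and through \pipe\browser, so
    # either name in the list lets an unauthenticated client bind to the
    # srvsvc interface (and call NetrSessionEnum on a host without MS05-007).
    # String comparison with -eq is case-insensitive in PowerShell.
    $pipes    = Get-NullSessionPipes
    $exposing = @($pipes | Where-Object { $_ -eq 'browser' -or $_ -eq 'srvsvc' })
    $browser  = Get-Service -Name Browser -ErrorAction SilentlyContinue

    [pscustomobject]@{
        NullSessionPipes      = ($pipes -join ', ')
        SrvsvcReachableAnon   = ($exposing.Count -gt 0)
        ExposingPipes         = ($exposing -join ', ')
        ComputerBrowserStatus = if ($browser) { [string]$browser.Status } else { 'not installed' }
    }
}

function Remove-NullSessionPipe {
    # Remove a single pipe name from NullSessionPipes, leaving the other
    # entries untouched.  Assumption: the Server service reads the value at
    # start-up, so LanmanServer is restarted (-Force also restarts services
    # that depend on it, such as Computer Browser).
    param([Parameter(Mandatory = $true)][string]$Pipe)

    $pipes     = Get-NullSessionPipes
    $remaining = @($pipes | Where-Object { $_ -ne $Pipe })
    if ($remaining.Count -eq $pipes.Count) {
        Write-Output "'$Pipe' is not in NullSessionPipes; nothing to do."
        return
    }
    Set-ItemProperty -Path $LanmanParams -Name NullSessionPipes `
        -Value ([string[]]$remaining) -Type MultiString
    Restart-Service -Name LanmanServer -Force
    Write-Output "Removed '$Pipe'. NullSessionPipes is now: $($remaining -join ', ')"
}

function Disable-ComputerBrowserService {
    # The post's second SP2 workaround: stop the Computer Browser service and
    # keep it from starting again.  Service name is "Browser".
    Stop-Service -Name Browser -Force -ErrorAction SilentlyContinue
    Set-Service  -Name Browser -StartupType Disabled
    Get-Service  -Name Browser
}

# Audit first; uncomment one of the two workarounds to apply it.
Test-AnonymousSrvsvcExposure | Format-List
# Remove-NullSessionPipe -Pipe browser
# Disable-ComputerBrowserService
```

Run the audit before and after the change: `SrvsvcReachableAnon` should flip
from True to False once "browser" is gone. As the post says, this is only the
SP2 workaround; on Windows XP SP1 the MS05-007 update itself is what stops
anonymous NetrSessionEnum calls, and the registry change does not replace it.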

