lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20030201015706.62810d18.dave@immunitysec.com>
From: dave at immunitysec.com (Dave Aitel)
Subject: locator exploit

So after writing the RPC locator exploit, I noticed that the service
is not actually vulnerable until it has been initialized
properly. Does anyone have any more information on how often and when
this service is intialized (as opposed to simply started)?

Here is tethereal output illustrating an uninitialized locator service:
192.168.1.101 -> 192.168.1.100 DCERPC Bind: call_id: 5 UUID:
e33c0cc4-0482-101a-bc0c-02608c6ba218 ver 1.0
192.168.1.100 -> 192.168.1.101 DCERPC Bind_ack: call_id: 5 Provider
rejection, reason: Abstract syntax not supported

In my testing environment this is the state of the locator service until
a local user binds to it to begin a lookup. 

Other than this, the RPC Locator Service exploit is available as a
CANVAS module. (http://www.immunitysec.com/CANVAS/)

-dave


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ