lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Message-Id: <200712192230.31211.fdlist@digitaloffense.net>
Date: Wed, 19 Dec 2007 22:30:31 -0600
From: H D Moore <fdlist@...italoffense.net>
To: full-disclosure@...ts.grok.org.uk
Subject: Windows XP SP3 - DCERPC Changes

Changes between DCERPC services on XP SP2 and XP SP3 (release candidate)
This is from a quick and dirty unmidl.py + diff(3) session[1]
Results do not include new services bundled with SP3.
Results are likely incomplete.
Verify this with mIDA.
Happy holidays.
Thanks Dave
For UNMIDL
Cheers,

-HD

--

dhcpcsvc.dll - DHCP Client RPC Service
[ uuid(3c4728c5-f0ab-448b-bda1-6ce01eb0a6d5), version(1.0) ]

	New operations added:

	long  Function_0c( 
		[in] [unique]  [string] wchar_t * element_67,
		[in]  long  element_68,
		[in]  [string] wchar_t *  element_69,
		[in] [unique]  TYPE_1 ** element_70,
		[in] [unique]  TYPE_6 ** element_71,
		[out]  long * element_80
	 );

	long  Function_0d( 
		[in] [unique]  [string] wchar_t * element_82,
		[in]  [string] wchar_t *  element_83,
		[in] [unique]  TYPE_1 ** element_84,
		[in,out]  TYPE_6 * element_85
	 );

	long  Function_0e( 
		[in] [unique]  [string] wchar_t * element_87,
		[in]  long  element_88,
		[out] [ref] [unique]  [string] wchar_t ** element_89
	 );

	long  Function_0f( 
		[in] [unique]  [string] wchar_t * element_91,
		[in]  long  element_92,
		[in]  [string] wchar_t *  element_93
	 );

	long  Function_10( 
		[in] [unique]  [string] wchar_t * element_95,
		[in]  [string] wchar_t *  element_96,
		[out]  TYPE_8 * element_97
	 );

	long  Function_11( 
		[in] [unique]  [string] wchar_t * element_107,
		[size_is(*element_110)] [out] [ref] [unique]  long ** element_109,
		[out]  long * element_110
	 );


lsasrv.dll - LSARPC
[ uuid(12345778-1234-abcd-ef00-0123456789ab), version(0.0) ]

	New operations added:

	long  Function_4f( 
		[in]  long  element_1115,
		[in] [unique]  [string] wchar_t * element_1116,
		[out] [context_handle]  void * element_1117
	 );

	long  Function_50( 
		[in]  long  element_1119,
		[in,out] [context_handle]  void * element_1120
	 );

	long  Function_51( 
		[in]  long  element_1122,
		[in] [context_handle]  void * element_1123,
		[in]  long  element_1124,
		[in]  TYPE_78 * element_1125,
		[in]  TYPE_70 * element_1126
	 );


msdtcprx.dll - MS Distributed Transaction Controller RPC Service
[ uuid(906b0ce0-c70b-1067-b317-00dd010662da), version(1.0) ]

	Completely removed from XP SP3
	

p2psvc.dll - Peer Networking Identity Manager
[ uuid(a2d47257-12f7-4beb-8981-0ebfa935c407), version(1.0) ]

	Changes to structure definitions used by operations 5, 6, 7, and 8
	Changes to the function definitions for operations 5 and 7


scesrv.dll - Security Configuration Editor Engine
[ uuid(93149ca2-973b-11d1-8c39-00c04fb984f9), version(0.0) ]
	
	Completely removed from XP SP3
	

seclogon.dll - Secondary Logon service
[ uuid(12b81e99-f207-4a4c-85d3-77b42f76fd14), version(1.0) ]
	
	Completely removed from XP SP3


termsrv.dll - Terminal Server
[ uuid(5ca4a760-ebb1-11cf-8611-00a0245420ed), version(1.0) ]

	A range check was added to the last argument of operation 0x24
	
	char Function_24(
		[in] [context_handle]  void * element_228,
		[out]  long * element_229,
		[size_is(element_232)] [out]  char  element_230,
		[in]  [range(0,32768)] long  element_232
	 );
	 
	In XP SP2, this operation is defined as:
	 
	char  Function_24( 
		[in] [context_handle]  void * element_228,
		[out]  long * element_229,
		[size_is(element_231)] [out]  char  element_230,
		[in]  long  element_231
	 );	
	 
	Since this is a size_is() field, we can assume this is an overflow check

	This operation is known as RpcWinStationEnumerateProcesses()

	Since it requires a context handle, its likely post-authentication.


wzcsvc - Wireless Configuration
[ uuid(621dff68-3c39-4c6c-aae3-e68e2c6503ad), version(1.0) ]

	New operation added:
	
	long  Function_15(
		[in] [context_handle]  void * element_207,
		[in]  TYPE_13 * element_208,
		[in,out] [ref] [unique]  TYPE_13 *** element_209
	 );	


1.Used 'cabextract' to extract files from the SP2 and SP3 installers. Ran 
unmidl.py on each file from SP2, normalized element and type names, then 
compared it with the output from each file in SP3. The SP2 file set was 
probably missing some files, so there will be gaps in this data. 

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ