Dailydave mailing list archives
Re: MS08-006 under rated?
From: Andrey Kolishchak <gsw () gentlesecurity com>
Date: Thu, 14 Feb 2008 16:49:54 +0100
> Yes I have seen your advisory long time ago, you didn't mention any technical details nor provide any code (which is OK ) so I don't

The advisory mentions that a demo is provided, and it has been available on request on our web site since the moment of the advisory (almost two years by now). Given that, I would say we didn't provide any code. Now I have just explained how the exploit works; is it still insufficient to judge the similarities? I'm just curious. Thanks, Andrey
Hi Andrey.

> Well, we have an advisory on this: http://www.gentlesecurity.com/adv04302006.html, and also have a demo that elevates IIS's NetworkService up to LocalSystem.

Yes, I have seen your advisory a long time ago; you didn't mention any technical details nor provide any code (which is OK), so I don't know if we are talking about the same problems.

> Microsoft's decision to run RpcSs as NetworkService has, in fact, weakened the configuration. RpcSs running on behalf of LocalSystem would be more secure, as other NetworkService processes would not be able to attack it.

Running RpcSs as LocalSystem won't help much; other attacks are still possible. The RpcSs process is not the only one that impersonates LocalSystem.

> The issue with services is partly addressed in Windows Vista, where process objects may be owned by a unique service SID, symbolically NT Service\ServiceName. However, that is not enabled for all services by default; not even all services shipped with Vista support unique service SIDs. <http://www.gentlesecurity.com/blog/andr/cracking_windows_access_control.pdf> I guess you are mentioning the same problem, and I would be interested to hear more about it if that is something new.

Again, you are not mentioning technical details nor providing code (which is OK), so I don't know if we are talking about the same problems.

> But NetworkService is particularly dangerous, even without this problem. NetworkService has permission to issue SIO_RCVALL on sockets and sniff the machine's network traffic (note: no additional driver is required).

This is cool, I didn't know about this; again we can see how many problems related to NetworkServer and LocalServer there are.

PS: I know I'm not providing technical details nor code; I can't, because I will present this stuff at a conference. Anyway, this thread is bringing interesting stuff to light.

Cesar.
_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave
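The thread above turns on two facts: services sharing the NetworkService (or LocalService) identity can attack one another, and Vista's per-service SID (NT Service\ServiceName) is the mitigation but is not enabled for every service. The following PowerShell script is an added audit example, not code from the thread, from Gentle Security, or from Microsoft. It enumerates services running under the shared accounts and reports the SID type that `sc.exe qsidtype` returns for each, so an administrator can see which services still rely solely on the shared identity. It assumes Windows Vista or later with `sc.exe` on the path, PowerShell 3 or newer for `Get-CimInstance`, and an elevated prompt; the function name `Get-SharedAccountServiceAudit` and the output fields are my own.

```powershell
# Added audit script (not from the thread). Lists services that run under the shared
# NetworkService / LocalService accounts and reports whether each has a per-service SID
# configured (the Vista mitigation: NT Service\<name>), as queried via "sc.exe qsidtype".
# Assumptions: Windows Vista or later, PowerShell 3+, sc.exe on the path, elevated prompt.

function Get-SharedAccountServiceAudit {
    # Win32_Service.StartName looks like "NT AUTHORITY\NetworkService"; match the account part.
    $accountPattern = 'NetworkService|LocalService'

    Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.StartName -match $accountPattern } |
        ForEach-Object {
            # sc.exe prints a line such as "SERVICE_SID_TYPE:  UNRESTRICTED" (or NONE / RESTRICTED)
            $line = & sc.exe qsidtype $_.Name | Select-String -Pattern 'SERVICE_SID_TYPE'
            $sidType = if ($line) { ($line.ToString() -split ':', 2)[1].Trim() } else { 'UNKNOWN' }

            [pscustomobject]@{
                Name       = $_.Name
                Account    = $_.StartName
                State      = $_.State
                ServiceSid = $sidType
                # NONE means the service has no unique identity: its process objects are owned
                # by the shared account, which is exactly the exposure discussed in the thread.
                SharedOnly = ($sidType -eq 'NONE')
            }
        }
}

# Report with the shared-identity-only services first.
$audit = Get-SharedAccountServiceAudit
$audit | Sort-Object SharedOnly -Descending | Format-Table -AutoSize

# RpcSs is worth a separate look because of the NetworkService vs. LocalSystem point above.
$audit | Where-Object { $_.Name -eq 'RpcSs' }
```

Services reported with `ServiceSid = NONE` can be given a unique identity with `sc.exe sidtype <name> unrestricted`, after which their process objects and resources can be ACLed to NT Service\<name> rather than to the shared account. The script does not address the SIO_RCVALL point; that permission is a property of the account, not of any individual service, so the relevant control is reducing what runs as NetworkService in the first place.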