Dailydave mailing list archives

Re: MS08-006 under rated?


From: Andrey Kolishchak <gsw () gentlesecurity com>
Date: Thu, 14 Feb 2008 16:49:54 +0100



Yes, I have seen your advisory a long time ago; you didn't mention any
technical details nor provide any code (which is OK), so I don't

The advisory mentions that a demo is provided, and it has been available on
request on our web site since the moment of the advisory (almost two years
now). Given that, I would say we didn't provide any code.

Now I have just explained how the exploit works; is it still insufficient to
judge for similarities? I'm just curious.

Thanks,
 Andrey

 

Hi Andrey,

Well, we have an advisory on this: http://www.gentlesecurity.com/adv04302006.html
We also have a demo that elevates IIS's NetworkService up to LocalSystem.

Yes, I have seen your advisory a long time ago; you didn't mention any
technical details nor provide any code (which is OK), so I don't
know if we are talking about the same problems.

Microsoft's decision to run RpcSs as NetworkService has, in fact,
weakened the configuration. RpcSs running on behalf of LocalSystem would
be more secure, as other NetworkService processes would not be able to
attack it.

Running RpcSs as LocalSystem won't help much; other attacks are still possible.
The RpcSs process is not the only one that impersonates LocalSystem.


The issue with services is partly addressed in Windows Vista, where
process objects may be owned by a unique service SID (symbolic name: NT
Service\ServiceName). However, that is not enabled for all services by
default. Not even all services shipped with Vista support unique
service SIDs.
<http://www.gentlesecurity.com/blog/andr/cracking_windows_access_control.pdf>
I guess you are mentioning the same problem, and I would be interested to
hear more if that is something new.

Again, you are not mentioning technical details nor providing code
(which is OK), so I don't know if we are talking about the same problems.

But NetworkService is particularly dangerous, even without this
problem. NetworkService has permission to issue SIO_RCVALL on sockets
and sniff the machine's network traffic (note: no additional driver is
required).

This is cool, I didn't know about this. Again we can see how many
problems related to NetworkService and LocalServer there are.


PS: I know I'm not providing technical details nor code; I can't,
because I will present this stuff at a conference. Anyway, this
thread is bringing interesting stuff to light.

Cesar.
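The Vista per-service SID mitigation Andrey describes can be audited on a host. The script below is an added example, not code from the thread or from Gentle Security; it assumes Windows Vista or later and reads each service's ServiceSidType registry value (0 = none, 1 = unrestricted, 3 = restricted) to list services that run under a shared NetworkService or LocalService account without a per-service SID.

```powershell
# Added example (not from the thread): find services that share the
# NetworkService / LocalService account and have no per-service SID,
# i.e. the ones another service in the same account can still reach.
# Assumes Windows Vista or later and PowerShell 3+ (Get-CimInstance).

$sidTypeNames = @{ 0 = 'None'; 1 = 'Unrestricted'; 3 = 'Restricted' }
$sharedAccounts = @('NT AUTHORITY\NetworkService', 'NT AUTHORITY\LocalService')

function Get-ServiceSidAudit {
    Get-CimInstance -ClassName Win32_Service | ForEach-Object {
        $svc = $_
        # ServiceSidType lives under the service's own registry key; a missing
        # value means the service has no unique SID (same as type 0).
        $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$($svc.Name)"
        $sidType = 0
        $prop = Get-ItemProperty -Path $key -Name ServiceSidType -ErrorAction SilentlyContinue
        if ($prop) { $sidType = [int]$prop.ServiceSidType }
        $label = $sidTypeNames[$sidType]
        if (-not $label) { $label = "Unknown($sidType)" }
        [PSCustomObject]@{
            Name       = $svc.Name
            StartName  = $svc.StartName
            State      = $svc.State
            ServiceSid = $label
        }
    }
}

# Report only the shared-account services that are not isolated by a service SID.
Get-ServiceSidAudit |
    Where-Object { $_.StartName -in $sharedAccounts -and $_.ServiceSid -eq 'None' } |
    Sort-Object StartName, Name |
    Format-Table Name, StartName, State, ServiceSid -AutoSize
```

A service SID can be enabled for a service that supports it with `sc sidtype <name> unrestricted` (or `restricted`), but only for services written to run with one; the thread's point is that many are not.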

