Full Disclosure mailing list archives
RE: SMB overflow attacks
From: full-disclosure () lists netsys com (Nick FitzGerald)
Date: Wed, 28 Aug 2002 08:23:49 +1200
John Schutz to Jason Coombs:
Does anyone have any information about why System binds to a port above 1024I believe the windows task scheduler will bind to a port above 1024.
The OP asked why System binds a high port. I don't know. But I do know that the task scheduler will show up in a task-to-port mapper with a name other than "System" (under Win2K it should be "MTask" or "mtask.exe" depending on the options/mapping tool used). This is often (even usually) port 1025 because the task scheduler loads early in the startup process and is commonly the first thing to persistently bind a high port. On NT (and derived OSes) it is common/usual to see "System" bound to a port numbered slightly higer than the one the Task Scheduler gets. Regards, Nick FitzGerald
Current thread:
- SMB overflow attacks KF (Aug 26)
- RE: SMB overflow attacks Jason Coombs (Aug 26)
- RE: SMB overflow attacks John Schutz (Aug 27)
- RE: SMB overflow attacks Nick FitzGerald (Aug 27)
- RE: SMB overflow attacks John Schutz (Aug 27)
- SecurityFocus Website Ken Pfeil (Aug 30)
- <Possible follow-ups>
- RE: SMB overflow attacks Peter Gutmann (Aug 26)
- RE: SMB overflow attacks Jason Coombs (Aug 26)