Dailydave: Re: Useless fact of the day!

Re: Useless fact of the day!

From: Pusscat <pusscat_at_gmail.com>
Date: Sat, 06 Jan 2007 21:04:01 -0500

We've had a patch for UNMIDL that marked them in the output since the very
first one was patched - it might actually be attached to our paper ;)

On 1/6/07 12:48 PM, "Dave Aitel" <dave.aitel_at_gmail.com> wrote:

> I think it's hard to find an MSRPC interface that doesn't have a memory
> exhaustion bug. Maybe I'll make ImmDBG automatically point them out next week.
> I guess theoretically we can have ImmDBG shuttle that information off to
> VisualSploit to automatically write a CANVAS exploit too. Or even better, a
> SILICA module for it such that you walk into a room and everyone's Windows
> machines stop working. Good for when you want all the bandwidth at a security
> convention. :> We don't have the NetrWkstaUserEnum DoS in CANVAS right now -
> we do use the function though to remotely get logged on users against XP SP2.
>
> It's not an easy bug for Microsoft to fix, but the hilarious thing is that
> they didn't even bother. I wonder if Vista is vulnerable too - I'm betting
> yes. :>
>
> The other thing I want to try some day is using the LSA Open Handle stuff
> remotely to just open an infinite number of handles. Every one's so picky in
> MSDN about always closing the handles to avoid handle leaks, but I'm betting
> Win32 will be ok even if you don't. And if it's not, hey, no more handles for
> anyone, anonymously and remotely, which is also fun. :> Maybe someone's
> already done this and can save us all the trouble?
>
> I dunno. These are all half-day projects, and there are always more
> interesting bugs to play with in your half-day allotment. Yesterday I spent
> the half-day of technical work I get a week inside a debugger looking at a
> strncpy() stack overflow. They still exist! It's like finding a cod off the
> Massachusetts coast.
> -dave
>
>
> P.S. Why are all of these different CVE numbers. Is CVE about the
> vulnerability, or the endpoint you can touch it through? There's some sort of
> rainbow going from a particular class of vulnerabilities through a particular
> vulnerability through an exploit through a single instance of someone
> exploiting a machine with an exploit and I sense everyone's naming schemes are
> just like someone pointing to a color frequency and calling it blue.
>
>
>
> On 1/6/07, Rhys Kidd <rhyskidd_at_gmail.com> wrote:
>> RPC memory exhaustion bugs are all the rage atm it would seem,
>> hopefully this will provide the traction for MSRC to give it
>> priority....
>>
>> It's also interesting that ISC believe for servers that the current
>> UPnP and SPOOLSS bugs are 'Important', whereas the more recent
>> NetrWkstaUserEnum() bug is only 'Less Urgent'.
>>
>> They are pretty much the same, due to unvalidated client input, and in
>> fact the NetrWkstaUserEnum() opnum ( through the wkssvc named pipe )
>> is usually bindable over an anonymous NULL session.
>>
>> - Rhys
>>
>
>
> _______________________________________________
> Dailydave mailing list
> Dailydave_at_lists.immunitysec.com
> http://lists.immunitysec.com/mailman/listinfo/dailydave

~ Puss

_______________________________________________
Dailydave mailing list
Dailydave_at_lists.immunitysec.com
http://lists.immunitysec.com/mailman/listinfo/dailydave
Received on Jan 06 2007
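The thread above turns on two things: RPC memory exhaustion caused by trusting a client-supplied count when sizing a reply, and a strncpy()-style copy that never guarantees termination. The following C block is an added example written for this archive page, not code from any poster, Immunity, or Microsoft. It uses a constructed wire format (a little-endian entry count, a one-byte filter length, then the filter bytes) and hypothetical names (`reply_bytes_unchecked`, `parse_enum_request`, `MAX_ENTRIES`, `MAX_FILTER`) to show the unsafe sizing pattern next to a handler that caps the count and bounds the copy before any allocation happens.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed request layout for this example (not a real MSRPC encoding):
 *   bytes 0..3  little-endian count of entries the client wants returned
 *   byte  4     length of an optional filter string
 *   bytes 5..   the filter string, `flen` bytes, not NUL-terminated on the wire
 * Limits below are server-side policy choices assumed for illustration. */
#define ENTRY_SIZE   64u     /* bytes the server reserves per returned entry */
#define MAX_ENTRIES  4096u   /* ceiling on entries in a single reply */
#define MAX_FILTER   255u    /* longest filter the server will accept */

typedef struct {
    uint32_t count;
    char filter[MAX_FILTER + 1];   /* +1 so it is always NUL-terminated */
} enum_req_t;

static uint32_t read_le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Unsafe pattern: the reply buffer is sized purely from the client's count.
 * A single request asking for 0xFFFFFFFF entries plans a ~256 GiB allocation;
 * a few such requests in parallel exhaust the service without any overflow. */
uint64_t reply_bytes_unchecked(const uint8_t *req, size_t len) {
    if (len < 4) return 0;
    return (uint64_t)read_le32(req) * ENTRY_SIZE;
}

/* Hardened parser: validate every client-declared quantity against both the
 * bytes actually received and a server-chosen ceiling before anything is
 * allocated or copied. Returns 0 on success, negative on rejection. */
int parse_enum_request(const uint8_t *req, size_t len, enum_req_t *out) {
    if (req == NULL || out == NULL || len < 5) return -1;   /* header incomplete */

    uint32_t n = read_le32(req);
    if (n == 0 || n > MAX_ENTRIES) return -2;   /* reject absurd counts up front */

    uint8_t flen = req[4];
    if (flen > MAX_FILTER) return -3;           /* exceeds server policy */
    if ((size_t)flen > len - 5) return -4;      /* declared length overruns the packet */

    out->count = n;
    memcpy(out->filter, req + 5, flen);         /* bounded by checks above */
    out->filter[flen] = '\0';                   /* explicit terminator; strncpy would not add one if flen == sizeof */
    return 0;
}

/* Size of the reply buffer for an already-validated request: at most
 * MAX_ENTRIES * ENTRY_SIZE, whatever the client asked for. */
uint64_t reply_bytes_checked(const enum_req_t *r) {
    return (uint64_t)r->count * ENTRY_SIZE;
}

/* Helper to build a request in the constructed format; returns bytes written
 * or 0 if the filter is too long for the one-byte length field. */
size_t build_request(uint8_t *buf, size_t cap, uint32_t count, const char *filter) {
    size_t flen = strlen(filter);
    if (flen > 255 || cap < 5 + flen) return 0;
    buf[0] = (uint8_t)(count & 0xff);
    buf[1] = (uint8_t)((count >> 8) & 0xff);
    buf[2] = (uint8_t)((count >> 16) & 0xff);
    buf[3] = (uint8_t)((count >> 24) & 0xff);
    buf[4] = (uint8_t)flen;
    memcpy(buf + 5, filter, flen);
    return 5 + flen;
}
```

The point of the split between `parse_enum_request` and `reply_bytes_checked` is that the allocation decision only ever sees a count that has already been clamped; the unchecked variant is kept only to show how far a single unvalidated field can push the planned allocation.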
