Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

Re: Privilege Scalation for Windows Networks using weak Service restrictions v2.0 exploit
From: Andres Tarasco <atarasco () gmail com>
Date: Mon, 13 Feb 2006 00:19:47 +0100

Hi,

Not all windows versions are affected. The services listed below have been
found on several pen-tests.

As far as i know, the only way to know if you system is vulnerable to this
issue, is testing it with srvcheck because i have found win2k server boxes,
with all patches, with more than 20 vulnerable services. Why? maybe admins..
maybe an old FAT32 file system...

If your computer has a vulnerable service, just deploy an administrative
template (.inf) with the right permissions (remove modify privileges for
everyone/authenticated users/power users/... accounts)


regards,

Andres Tarasco

2006/2/12, ad () heapoverflow com <ad () heapoverflow com>:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Andres Tarasco wrote:
Proof of concept of Sudhakar Govindavajhala and Andrew Appel paper
(http://www.cs.princeton.edu/~sudhakar/papers/winval.pdf) Running
as an unprivileged user you can test if your services are
vulnerable and can be used to install a backdoor. Both source code
and binary included *Microsoft advisory:
http://microsoft.com/technet/security/advisory/914457.mspx*

*SrvCheck v2.0 is able to perform this checks remotely using for
example domain user credentials* *Here is a short list of Known
vulnerable services under XP sp2:*

*- Advanced User: * service: DcomLaunch ( SYSTEM ) Service:
UpnpHost ( Local Service ) Service: SSDPSRV (Local Service) *-
User: * Service: UpnpHost ( Local Service ) Service: SSDPSRV (Local
Service) *- Network Config Operators:* service: DcomLaunch ( SYSTEM
) Service: UpnpHost ( Local Service ) Service: SSDPSRV (Local
Service) Service: DHCP ( SYSTEM ) Service: NetBT (SYSTEM - .sys
driver) Service DnsCache (SYSTEM)

but ms put

*Is this a security vulnerability that requires Microsoft to issue a
security update?*
Microsoft is still investigating this issue. Customers who have
installed Windows XP Service Pack 2 and Windows Server 2003 Service
Pack 1 are not affected by this issue.




??
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (MingW32)

iQIVAwUBQ++CaK+LRXunxpxfAQIKgRAA3v7vc+8wGM+qFS73NmYtvsYpBPgfjRUo
ph7vPpvZd8gNVCGHPhES8DHvER+a4h5wzqSOBjBgwhuWFqlFPRlKxsXsM0+s4Qza
PfLyJ6aMFqqxEfDBA6KxHJxtvOAX8uwj4PBLhIqH51pP5U6qziU7RbRf4i2yvWsG
jm/ArJGmiKSgRYwJmOHnVZSxXm/Ivd4+FcBe8MqaCmYCm0qeOi/8w2uZ5rl4/uTw
IfM/5HWxBCwcujUNzVg6/xcTiB+d/Ve6TtI/+MLbtmxBiyYVP5rJtWsYexy1Gt97
lheOZJbsmF30SQh+UcWh2dDHVl3ToDcaVWA+5z8LKVsqefqMesi6Fm/tVn4pEU2M
9Bdro0TtrdtridlFDmeTU5594aQFR+V+q1m8eVb7osEbgEdsS1QZC7e9ulfMCAIJ
fI6a/6VPMyjuuYlK0vMHLEpTPbZCgSqG+XaWMM7qX8FkqTymQjPAk0JRjriV8MC5
eB3lV0C+0VHqke+yvXwQMD4pudb1+kNiB4rd/66Y/1d+Soe3O3E31/piOvKIHrxS
wNZmssBVCFuxcoS8sbhh7H8LKE7uu+4q+Vc/J23orPna4lKfQvYQvxKfz8qoNGwb
Aui67vNRxRbYfPJNG7MCRQaRgBIbgAE6n2gRBzR+lSQvrAsa0EpxMPanquD4Rm0k
FFyMk03Essg=
=hRrT
-----END PGP SIGNATURE-----




--
Loco de aTar
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]