Bugtraq mailing list archives
Re: Update to ODBC/RDS vulnerabilities
From: rfp () WIRETRIP NET (rfp () WIRETRIP NET)
Date: Wed, 22 Sep 1999 20:50:27 -0500
> You did your testing as an administrator on the machine. Network
No, I specifically did *NOT* do this, to avoid the same goofs that the guy who did the latest DCOM posts did. Not that it was his fault; I was just wary of where he went wrong, and tried to avoid that.

I specifically yanked one machine out of the domain and made it into another workgroup instead. I created a local account on that box of user 'rfp', no special rights (normal user). I used this to query regedit from. I created the account from scratch to make sure it was clean.

On the servers, on one I added domain account rfp, normal user. Different password than the first so I know I would be prompted for login/password when connecting. On another server which was only in the workgroup, I added a local user, same as above. Normal user rights, no administrative stuff. Again, freshly created accounts to make sure nothing silly was going on.

Then I queried from the 'remote', non-associated box to these servers. I enter the login/password of rfp. That's logging in as rfp on one box, authenticating as rfp to the second, no administrative mojo to be seen. I was able to view the registry, and change that key. Total 'cross mojonation'.

But I see your point on being limited by 'AllowedPaths'. Has anyone else been able to recreate this? What you say makes sense, so I don't know why it would work on mine. My NT configurations are not custom nor fancy.
> It is also generally a good practice to place router filters in front of your internet-exposed web servers such that they cannot make outbound connections to places where they shouldn't. People who took such precautions found that things such as the .htr overflow didn't work, and would prevent your UNC path variant from working. Turning off the
Right.
> Server and Workstation services, as well as unbinding NetBIOS from the external interface would also prevent an attack involving an external UNC path from working.
I said it as an FYI of another approach to the exploit potential. If your box was locked down in the first place none of this would be an issue, no? :) After all, RDS stuff is slightly in the sample-scripts arena--everyone should know better. But they don't.

Cheers,
.r.f.p.
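The thread turns on three host-side controls: the ACL on the winreg key that gates remote registry access, the 'AllowedPaths' exception LeBlanc mentions, and the Server/Workstation/NetBIOS exposure that the UNC-path variant needs. The following audit script is an added example, not code from either poster; it is meant to be run locally (elevated) on a server to see which of those controls are actually in place. It assumes a modern Windows host with PowerShell 5 or later; the cmdlets did not exist on the NT4 systems discussed in 1999, but the registry key path, the 'Machine' value under AllowedPaths, and the service names LanmanServer, LanmanWorkstation and RemoteRegistry are the same.

```powershell
# Added example (not from the original post): audit the host-side controls the
# thread discusses for remote registry access. Run locally, elevated, on the
# server being checked. Assumes PowerShell 5+ on a current Windows release.

$WinregKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg'

function Get-WinregAccess {
    # Who may open the remote registry pipe at all: the ACL on the winreg key.
    # A non-admin identity with ReadKey here explains "normal user can view".
    $acl = Get-Acl -Path $WinregKey
    foreach ($ace in $acl.Access) {
        [pscustomobject]@{
            Identity = $ace.IdentityReference.Value
            Rights   = $ace.RegistryRights
            Type     = $ace.AccessControlType
        }
    }
}

function Get-WinregAllowedPaths {
    # Subkeys readable remotely regardless of the winreg ACL (the 'AllowedPaths'
    # exception). 'Machine' is a REG_MULTI_SZ list of registry paths.
    $allowed = Get-ItemProperty -Path "$WinregKey\AllowedPaths" -Name Machine -ErrorAction SilentlyContinue
    if ($null -eq $allowed) { return @() }
    return @($allowed.Machine)
}

function Get-RemoteAccessServiceState {
    # Server, Workstation and Remote Registry services: the first two are what
    # the thread suggests turning off on an exposed box; the third is the
    # service behind remote registry queries on later Windows versions.
    foreach ($name in 'LanmanServer', 'LanmanWorkstation', 'RemoteRegistry') {
        $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Service   = $name
            Status    = if ($svc) { $svc.Status } else { 'NotInstalled' }
            StartType = if ($svc) { $svc.StartType } else { 'n/a' }
        }
    }
}

function Get-NetbiosBinding {
    # NetBIOS over TCP/IP per IP-enabled adapter. TcpipNetbiosOptions:
    # 0 = setting from DHCP, 1 = enabled, 2 = disabled. The external interface
    # of an internet-facing server should report 'Disabled'.
    Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
        ForEach-Object {
            $state = switch ($_.TcpipNetbiosOptions) {
                0       { 'DHCP default' }
                1       { 'Enabled' }
                2       { 'Disabled' }
                default { 'Unknown' }
            }
            [pscustomobject]@{
                Adapter = $_.Description
                IP      = ($_.IPAddress -join ', ')
                NetBIOS = $state
            }
        }
}

'== winreg key ACL =='
Get-WinregAccess | Format-Table -AutoSize
'== AllowedPaths\Machine =='
Get-WinregAllowedPaths
'== Services =='
Get-RemoteAccessServiceState | Format-Table -AutoSize
'== NetBIOS over TCP/IP per adapter =='
Get-NetbiosBinding | Format-Table -AutoSize
```

Reading the output against the thread: if a plain user account appears in the winreg ACL with read or write rights, that alone reproduces what rfp describes without any AllowedPaths involvement; if it does not, the keys the user could still read should all fall under the AllowedPaths\Machine entries. The service and NetBIOS sections correspond to the hardening LeBlanc recommends for internet-exposed web servers; egress filtering at the router is outside what a host-side script can show and still has to be checked on the network device.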
Current thread:
- Re: Update to ODBC/RDS vulnerabilities David LeBlanc (Sep 22)
- <Possible follow-ups>
- Re: Update to ODBC/RDS vulnerabilities rfp () WIRETRIP NET (Sep 22)