Bugtraq mailing list archives

Re: Update to ODBC/RDS vulnerabilities


From: rfp () WIRETRIP NET (rfp () WIRETRIP NET)
Date: Wed, 22 Sep 1999 20:50:27 -0500


> You did your testing as an administrator on the machine.  Network

No, I specifically did *NOT* do this, to avoid the same goofs that the
guy who did the latest DCOM posts did.  Not that it was his fault; I
was just wary of where he went wrong, and tried to avoid that.

I specifically yanked one machine out of the domain and made it into
another workgroup instead.  I created a local account on that box of user
'rfp', no special rights (normal user).  I used this to query regedit
from.  I created the account from scratch to make sure it was clean.

On the servers, on one I added domain account rfp, normal user.  Different
password than the first so I know I would be prompted for login/password
when connecting.  On another server which was only in the workgroup, I
added a local user, same as above.  Normal user rights, no administrative
stuff.  Again, freshly created accounts to make sure nothing silly was
going on.

Then I queried from 'remote', non-associated box to these servers.  I
enter the login/password of rfp.  That's logging in as rfp on one box,
authenticating as rfp to the second, no administrative mojo to be seen.
I was able to view the registry, and change that key.  Total 'cross
mojonation'.

But I see your point on being limited by 'AllowedPaths'.  Has anyone else
been able to recreate this?  What you say makes sense, so I don't know why
it would work on mine.  My NT configurations are not custom nor fancy.

> It is also generally a good practice to place router filters in front of
> your internet-exposed web servers such that they cannot make outbound
> connections to places where they shouldn't.  People who took such
> precautions found that things such as the .htr overflow didn't work, and
> would prevent your UNC path variant from working.  Turning off the

Right.

> Server and Workstation services, as well as unbinding NetBIOS from the
> external interface would also prevent an attack involving an external
> UNC path from working.

I said it as an FYI of another approach to the exploit potential.  If your
box was locked down in the first place none of this would be an issue, no?
:)  After all, RDS stuff is slightly in the sample-scripts arena--everyone
should know better.

But they don't.

Cheers,
.r.f.p.
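The two mitigations the thread turns on are the remote-registry access control ('AllowedPaths' plus the ACL on the winreg key) and the Server/Workstation services on an exposed web server. The following audit script is an added example, not part of the original Bugtraq post, for checking both on a host you administer. It assumes a current Windows build with PowerShell 5 or later; the winreg and AllowedPaths key locations are the standard ones, and the RemoteRegistry service name is an assumption added here because the post itself does not name it.

```powershell
# Added audit snippet (not from the original post). Reports the remote
# registry access controls and the services discussed in the thread.
# Assumes PowerShell 5+ on a modern Windows host; run elevated so the ACL
# on the winreg key can be read.

$winreg = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg'

# AllowedPaths\Machine lists registry paths that remain readable remotely
# regardless of the winreg ACL; every other path is governed by that ACL.
$allowed = Get-ItemProperty -Path "$winreg\AllowedPaths" -Name 'Machine' -ErrorAction SilentlyContinue
if ($allowed) {
    Write-Output 'AllowedPaths\Machine:'
    $allowed.Machine | ForEach-Object { Write-Output "  $_" }
} else {
    Write-Output 'AllowedPaths\Machine value not present'
}

# The ACL on the winreg key decides which principals may open the remote
# registry at all. Flag any Allow entry for broad groups, which is the
# condition that lets a plain domain or local user read (and write) keys.
$acl = Get-Acl -Path $winreg
foreach ($ace in $acl.Access) {
    $who = $ace.IdentityReference.Value
    if ($ace.AccessControlType -eq 'Allow' -and $who -match 'Everyone|\\Users$|Authenticated Users') {
        Write-Warning "winreg key grants $($ace.RegistryRights) to $who"
    }
}

# Services the quoted reply suggests turning off on an internet-exposed web
# server (Server = LanmanServer, Workstation = LanmanWorkstation), plus the
# RemoteRegistry service itself (assumed name, not named in the post).
foreach ($svc in 'RemoteRegistry', 'LanmanServer', 'LanmanWorkstation') {
    $s = Get-Service -Name $svc -ErrorAction SilentlyContinue
    if ($s) {
        Write-Output ('{0,-20} {1,-8} start={2}' -f $svc, $s.Status, $s.StartType)
    } else {
        Write-Output ('{0,-20} not installed' -f $svc)
    }
}
```

Run it on the web server itself; a warning line means a non-administrative account can open the remote registry, which is the situation the post describes, and any of the three services reporting `Running` with an automatic start type is worth reviewing against the router-filter and NetBIOS-unbinding advice in the quoted reply.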

