Dailydave mailing list archives
Re: Useless fact of the day!
From: "Dave Aitel" <dave.aitel () gmail com>
Date: Sat, 6 Jan 2007 12:48:38 -0500
I think it's hard to find an MSRPC interface that doesn't have a memory exhaustion bug. Maybe I'll make ImmDBG automatically point them out next week. I guess theoretically we can have ImmDBG shuttle that information off to VisualSploit to automatically write a CANVAS exploit too. Or even better, a SILICA module for it such that you walk into a room and everyone's Windows machines stop working. Good for when you want all the bandwidth at a security convention. :>

We don't have the NetrWkstaUserEnum DoS in CANVAS right now - we do use the function though to remotely get logged on users against XP SP2. It's not an easy bug for Microsoft to fix, but the hilarious thing is that they didn't even bother. I wonder if Vista is vulnerable too - I'm betting yes. :>

The other thing I want to try some day is using the LSA Open Handle stuff remotely to just open an infinite number of handles. Everyone's so picky in MSDN about always closing the handles to avoid handle leaks, but I'm betting Win32 will be ok even if you don't. And if it's not, hey, no more handles for anyone, anonymously and remotely, which is also fun. :>

Maybe someone's already done this and can save us all the trouble? I dunno. These are all half-day projects, and there are always more interesting bugs to play with in your half-day allotment. Yesterday I spent the half-day of technical work I get a week inside a debugger looking at a strncpy() stack overflow. They still exist! It's like finding a cod off the Massachusetts coast.

-dave

P.S. Why are all of these different CVE numbers? Is CVE about the vulnerability, or the endpoint you can touch it through? There's some sort of rainbow going from a particular class of vulnerabilities through a particular vulnerability through an exploit through a single instance of someone exploiting a machine with an exploit, and I sense everyone's naming schemes are just like someone pointing to a color frequency and calling it blue.
On 1/6/07, Rhys Kidd <rhyskidd () gmail com> wrote:
RPC memory exhaustion bugs are all the rage atm it would seem, hopefully this will provide the traction for MSRC to give it priority.... It's also interesting that ISC believe for servers that the current UPnP and SPOOLSS bugs are 'Important', whereas the more recent NetrWkstaUserEnum() bug is only 'Less Urgent'. They are pretty much the same, due to unvalidated client input, and in fact the NetrWkstaUserEnum() opnum (through the wkssvc named pipe) is usually bindable over an anonymous NULL session.

- Rhys
_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave
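Rhys's point that these memory exhaustion bugs come down to unvalidated client input is easiest to see in code. What follows is an added example, not code from this thread, from Immunity's tools, or from any Microsoft component: it uses a hypothetical length-prefixed record format of my own (RECORD_SIZE, MAX_RECORDS, the enum names and every message byte are constructed for the example) and contrasts a decoder that sizes its allocation from the client's claimed count alone with a hardened one that checks that count against a policy cap and against the bytes actually received before touching the allocator.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical wire format, constructed for this example (not a real MSRPC
 * or wkssvc encoding):
 *   bytes 0..3   uint32 little-endian count of fixed-size records that follow
 *   bytes 4..    count * RECORD_SIZE bytes of record data
 */
#define RECORD_SIZE 16u
#define MAX_RECORDS 1024u   /* policy cap: the most records one request may carry */

enum parse_status {
    PARSE_OK = 0,
    PARSE_SHORT_HEADER = 1,     /* fewer than 4 bytes received */
    PARSE_COUNT_TOO_LARGE = 2,  /* claimed count exceeds MAX_RECORDS */
    PARSE_TRUNCATED = 3,        /* claimed count exceeds the bytes actually present */
    PARSE_ALLOC_FAILED = 4
};

static uint32_t read_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* The unvalidated pattern: the number of bytes a decoder that simply trusts
 * the header's count would pass to malloc, computed in 64 bits so the figure
 * is visible even where size_t would wrap. Nothing is allocated here. */
uint64_t naive_alloc_size(uint32_t claimed_count)
{
    return (uint64_t)claimed_count * RECORD_SIZE;
}

/* Hardened decoder: checks the claimed count against the policy cap and
 * against the bytes actually received before any allocation. On PARSE_OK,
 * *out holds a malloc'd copy of the records (caller frees) and *out_count
 * the validated count. */
enum parse_status decode_records(const uint8_t *buf, size_t len,
                                 uint8_t **out, uint32_t *out_count)
{
    *out = NULL;
    *out_count = 0;
    if (len < 4)
        return PARSE_SHORT_HEADER;
    uint32_t count = read_le32(buf);
    if (count > MAX_RECORDS)
        return PARSE_COUNT_TOO_LARGE;
    /* count <= MAX_RECORDS, so this multiplication cannot overflow size_t */
    size_t need = (size_t)count * RECORD_SIZE;
    if (len - 4 < need)
        return PARSE_TRUNCATED;
    uint8_t *copy = malloc(need ? need : 1);  /* sidestep malloc(0) ambiguity */
    if (copy == NULL)
        return PARSE_ALLOC_FAILED;
    memcpy(copy, buf + 4, need);
    *out = copy;
    *out_count = count;
    return PARSE_OK;
}

/* Builds a constructed message: the header claims claimed_count records, but
 * only records_present records of filler actually follow. Returns its length. */
static size_t build_message(uint8_t *dst, uint32_t claimed_count, size_t records_present)
{
    dst[0] = (uint8_t)claimed_count;
    dst[1] = (uint8_t)(claimed_count >> 8);
    dst[2] = (uint8_t)(claimed_count >> 16);
    dst[3] = (uint8_t)(claimed_count >> 24);
    memset(dst + 4, 0xAB, records_present * RECORD_SIZE);
    return 4 + records_present * RECORD_SIZE;
}

#define SAMPLE_MAX_RECORDS 64u

/* Runs the hardened decoder over a constructed message and returns its
 * verdict; records_present is clamped to the local buffer's capacity. */
enum parse_status check_message(uint32_t claimed_count, size_t records_present)
{
    uint8_t msg[4 + SAMPLE_MAX_RECORDS * RECORD_SIZE];
    if (records_present > SAMPLE_MAX_RECORDS)
        records_present = SAMPLE_MAX_RECORDS;
    size_t len = build_message(msg, claimed_count, records_present);
    uint8_t *records;
    uint32_t n;
    enum parse_status st = decode_records(msg, len, &records, &n);
    free(records);
    return st;
}

int main(void)
{
    printf("naive decoder would reserve %llu bytes for count=0xFFFFFFFF\n",
           (unsigned long long)naive_alloc_size(0xFFFFFFFFu));
    printf("honest 3-record message: status %d\n", check_message(3, 3));
    printf("claims 3, sends 1:       status %d\n", check_message(3, 1));
    printf("claims 0xFFFFFFFF:       status %d\n", check_message(0xFFFFFFFFu, 1));
    return 0;
}
```

The order of the checks is the point: the cap check happens before the size computation so the multiplication cannot overflow, and the received-length check happens before malloc so a four-byte request can never reserve gigabytes on the server's behalf. Both are cheap, and both are exactly what a decoder that copies the client's count straight into an allocation size is missing.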
Current thread:
- Useless fact of the day! Dave Aitel (Jan 05)
- Re: Useless fact of the day! Rhys Kidd (Jan 06)
- Re: Useless fact of the day! Dave Aitel (Jan 06)
- Re: Useless fact of the day! J.A. Terranson (Jan 06)
- Re: Useless fact of the day! Pusscat (Jan 06)
- Re: Useless fact of the day! Dave Aitel (Jan 06)
- <Possible follow-ups>
- Re: Useless fact of the day! Steven M. Christey (Jan 08)
- Re: Useless fact of the day! Rhys Kidd (Jan 06)