Full Disclosure mailing list archives
Re: NULL sessions on Windows 2000 systems [Was: Re: [Full-disclosure] Re:It's not that simple...]
From: yossarian <yossarian () planet nl>
Date: Thu, 18 Aug 2005 15:59:45 +0200
You imply with 'hard-coded' that removing them from the registry does not help. This is new to me? Can you plz. elaborate?

----- Original Message -----
From: "Jean-Baptiste Marchand" <jbm.lists () gmail com>
To: <full-disclosure () lists grok org uk>
Sent: Thursday, August 18, 2005 9:58 AM
Subject: NULL sessions on Windows 2000 systems [Was: Re: [Full-disclosure] Re:It's not that simple...]

* yossarian <yossarian () planet nl>:

> In the original X-Force paper named pipes were mentioned besides NullSessions. Does it need both or either one - the paper isn't clear on this? The named pipes seem to have dropped from all discussion.... Anyway, never broke anything by disabling them, either. This is a registry hack described in the MS Hardening guides for 2000 and 2003 server. Just like Null sessions. Elsewhere dunno, but probably, never bothered.

A NULL session usually refers to an anonymous connection to the IPC$ share, giving remote access to named pipes.

Some named pipes can be opened anonymously (these named pipes appear in the NullSessionPipes registry value), i.e. in the context of a NULL session. In addition, 6 named pipes are hardcoded in Windows 2000 and can always be opened anonymously:

http://www.hsc.fr/ressources/presentations/null_sessions/img7.html

The recent PnP vulnerability (MS05-039) can be anonymously exploited on Windows 2000 systems with 139/tcp or 445/tcp open, *except* if the RestrictAnonymous registry value is set to 2. This is because the only way to disable NULL sessions *entirely* on Windows 2000 is to set RestrictAnonymous to 2:

http://www.hsc.fr/ressources/presentations/null_sessions/img23.html

Please read my recent presentation about NULL sessions, many people seem to know about NULL sessions but fewer people really understand the technical details:

http://www.hsc.fr/ressources/presentations/null_sessions/

--
Jean-Baptiste Marchand

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
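An added example, not part of the original messages: an offline audit of a regedit export for the two settings the thread discusses, RestrictAnonymous and NullSessionPipes. The registry key paths, the sample export and all function names are assumptions of this example and do not come from the posts.

```python
import re

# Assumed key paths (not given in the thread); compared case-insensitively.
LSA = r"hkey_local_machine\system\currentcontrolset\control\lsa"
SRV = r"hkey_local_machine\system\currentcontrolset\services\lanmanserver\parameters"

# Constructed sample export, in the format regedit writes (real files are UTF-16).
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"RestrictAnonymous"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters]
"NullSessionPipes"=hex(7):43,00,4f,00,4d,00,4e,00,41,00,50,00,00,00,\
  53,00,50,00,4f,00,4f,00,4c,00,53,00,53,00,00,00,00,00
'''

def parse_reg(text):
    """Return {key_path_lower: {value_name_lower: raw_data}} from export text."""
    text = re.sub(r"\\\r?\n\s*", "", text)  # join hex continuation lines
    keys, cur = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            cur = keys.setdefault(line[1:-1].lower(), {})
        elif cur is not None:
            m = re.match(r'"([^"]+)"=(.*)$', line)
            if m:
                cur[m.group(1).lower()] = m.group(2)
    return keys

def dword(raw):
    return int(raw[6:], 16) if raw and raw.startswith("dword:") else None

def multi_sz(raw):
    """Decode a REG_MULTI_SZ ("hex(7):" UTF-16LE bytes) into a list of strings."""
    if not raw or not raw.startswith("hex(7):"):
        return []
    data = bytes(int(b, 16) for b in raw[7:].split(",") if b)
    return [s for s in data.decode("utf-16-le").split("\x00") if s]

def audit(text):
    keys = parse_reg(text)
    ra = dword(keys.get(LSA, {}).get("restrictanonymous"))
    pipes = multi_sz(keys.get(SRV, {}).get("nullsessionpipes"))
    # Per the thread: on Windows 2000 only RestrictAnonymous=2 disables NULL
    # sessions entirely; emptying NullSessionPipes leaves the hardcoded pipes.
    return {"restrict_anonymous": ra, "null_sessions_disabled": ra == 2, "listed_pipes": pipes}

if __name__ == "__main__":
    print(audit(SAMPLE))
```

For a real export, read the file with `open(path, encoding="utf-16").read()` and pass the text to `audit`.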