Bugtraq mailing list archives
Re: RFP9903: AeDubug vulnerabilty
From: mdixon () TYNDALL COM AU (Mark Dixon ext3456)
Date: Wed, 6 Oct 1999 16:34:29 +1000
Even though .rain.forest.puppy has cancelled RFP9903 I think it's worth making a couple of comments...
1) Find a machine with 139 listening
This is typically an issue when attacking remotely through the Internet. However, this seems to dissolve when you have internal access (inside job). Check out the numbers for the 1999 CSI-FBI incident survey, regarding internal security problems at www.gocsi.com/summary.htm
I have to agree with .rain.forest.puppy here. I need to secure my network against LAN users just as much as outside users. Just look at the number of exploits that appear on bugtraq that require local accounts. These types of problems are still very real.
2) Get a user account (anonymous won't do)
Again, a user account is not necessarily a problem if you're in the LAN, but don't NT servers only allow administrators to read the registry by default ???? Mine are certainly set up this way.
3) See if that particular machine allows rights to AeDebug (most don't)
Except, amazingly, mine (of course).
and mine... EVERY single NT server I have here had the permissions described by .rain.forest.puppy (including Winframe server .. even more scary). While I can't argue what the default permissions are (I don't have a pristine machine around) I can say that one of these servers was completely rebuilt last week. The only additional software installed was Insight Manager Agent, Arcserve Agent, Compaq SSD and SP3 (I know it's old..). I noticed that Compaq machines use their own debugger, maybe this is what's screwed my permissions?
4) Put a binary on the system
If you can run programs, you can (attempt) to use ftp or rcp to pull files in. I realize this is dependent on outgoing firewall rules, access to the commands, etc. But it's not impossible--these methods have been used by many people contacting me on the RDS issue.
UNC paths work here. If you can set up your own share with guest access I believe you can run whatever you like from it.
5) Make something crash that has higher access rights than you do
Well here's the real problem. ..I guess you'd just have to hang around and wait...
Regards, Mark.
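For checking the permissions discussed in this message on a current Windows host, here is an added example (not part of the original post or of RFP9903): a PowerShell audit of the AeDebug key's ACL and of the debugger it registers, including the UNC-path case mentioned under step 4. The key path and the list of trusted SIDs are assumptions of this example.

```powershell
# Added example: audit the AeDebug key on the local machine (run elevated).
# Assumption: standard key location; on 64-bit Windows also check the WOW6432Node copy.
$path = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AeDebug'

# Rights that let a principal replace the registered debugger or re-ACL the key.
$writeRights = [System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, Delete, ChangePermissions, TakeOwnership'

# Assumption: principals allowed to hold write access; adjust to local policy.
$trusted = @(
    'S-1-5-18',      # LocalSystem
    'S-1-5-32-544',  # BUILTIN\Administrators
    'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'  # TrustedInstaller
)

$sidType = [System.Security.Principal.SecurityIdentifier]
$acl = Get-Acl -Path $path
$findings = foreach ($rule in $acl.GetAccessRules($true, $true, $sidType)) {
    if ($rule.AccessControlType -ne 'Allow') { continue }
    if ([int]($rule.RegistryRights -band $writeRights) -eq 0) { continue }
    $sid = $rule.IdentityReference.Value
    if ($trusted -contains $sid) { continue }
    try {
        $name = $rule.IdentityReference.Translate([System.Security.Principal.NTAccount]).Value
    } catch {
        $name = '(unresolved)'   # SID with no matching account name
    }
    [pscustomobject]@{ Sid = $sid; Account = $name; Rights = $rule.RegistryRights; Inherited = $rule.IsInherited }
}

# Show what would be launched on a crash, and whether it runs without prompting.
$values = Get-ItemProperty -Path $path
$debugger = $values.Debugger
"Debugger : $debugger"
"Auto     : $($values.Auto)"
if ($debugger -and $debugger.TrimStart('"').StartsWith('\\')) {
    'WARNING: debugger is loaded from a UNC path'
}

if ($findings) {
    'Non-administrative principals with write access to AeDebug:'
    $findings | Format-Table -AutoSize
} else {
    'No unexpected write access found.'
}
```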