Bugtraq mailing list archives

Re: RFP9903: AeDebug vulnerability


From: mdixon () TYNDALL COM AU (Mark Dixon ext3456)
Date: Wed, 6 Oct 1999 16:34:29 +1000


Even though .rain.forest.puppy has cancelled RFP9903 I think it's worth
making a couple of comments...

1) Find a machine with 139 listening

This is typically an issue when attacking remotely through the Internet.
However, this seems to dissolve when you have internal access (inside
job).  Check out the numbers for the 1999 CSI-FBI incident survey,
regarding internal security problems at www.gocsi.com/summary.htm

I have to agree with .rain.forest.puppy here. I need to secure my network
against LAN users just as much as outside users. Just look at the number of
exploits that appear on bugtraq that require local accounts. These types of
problems are still very real.

2) Get a user account (anonymous won't do)

Again a user account is not necessarily a problem if you're in the LAN, but
don't NT servers only allow administrators to read the registry by default?
Mine are certainly set up this way.

3) See if that particular machine allows rights to AeDebug (most don't)

Except, amazingly, mine (of course).

and mine... EVERY single NT server I have here had the permissions
described by .rain.forest.puppy (including Winframe server... even more
scary).
While I can't argue what the default permissions are (I don't have a
pristine machine around) I can say that one of these servers was completely
rebuilt last week. The only additional software installed was Insight
Manager Agent, Arcserve Agent, Compaq SSD and SP3 (I know it's old...). I
noticed that Compaq machines use their own debugger, maybe this is what's
screwed my permissions?

4) Put a binary on the system

If you can run programs, you can (attempt) to use ftp or rcp to pull files
in.  I realize this is dependent on outgoing firewall rules, access to the
commands, etc.  But it's not impossible--these methods have been used by
many people contacting me on the RDS issue.

UNC paths work here. If you can set up your own share with guest access I
believe you can run whatever you like from it.

5) Make something crash that has higher access rights than you do

Well, here's the real problem... I guess you'd just have to hang around and
wait...

        Regards,

                        Mark.
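
Added example, not part of the original post: one way to check point 3 on a current Windows host is to list the allow ACEs on the AeDebug key that grant write-type rights to anyone outside an expected set. The registry path is the standard AeDebug location; the trusted SID list and the function name Get-AeDebugWeakAce are assumptions of this example.

```powershell
# Added example, not from the original post. Audits who can modify AeDebug.
$keyPath = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AeDebug'

# Assumption: only these principals are expected to hold write access.
$trustedSids = @(
    'S-1-5-18',        # SYSTEM
    'S-1-5-32-544',    # BUILTIN\Administrators
    'S-1-3-0',         # CREATOR OWNER
    'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'  # TrustedInstaller
)

# Rights that allow changing the Debugger command or the key's own ACL,
# plus the GENERIC_ALL / GENERIC_WRITE bits that inherit-only ACEs may carry.
$rr = [System.Security.AccessControl.RegistryRights]
$writeMask = [int]($rr::SetValue -bor $rr::CreateSubKey -bor $rr::Delete -bor
                   $rr::ChangePermissions -bor $rr::TakeOwnership) -bor
             0x10000000 -bor 0x40000000

function Get-AeDebugWeakAce {
    param([string]$Path = $keyPath)
    foreach ($ace in (Get-Acl -Path $Path).Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if (([int]$ace.RegistryRights -band $writeMask) -eq 0) { continue }
        try {
            $sid = $ace.IdentityReference.Translate(
                [System.Security.Principal.SecurityIdentifier]).Value
        } catch {
            $sid = $ace.IdentityReference.Value   # unresolvable name: report as-is
        }
        if ($trustedSids -notcontains $sid) {
            [pscustomobject]@{
                Identity  = $ace.IdentityReference.Value
                Sid       = $sid
                Rights    = $ace.RegistryRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

# Show the command Windows launches on a crash, then any unexpected writers.
$dbg = Get-ItemProperty -Path $keyPath -ErrorAction SilentlyContinue
"Debugger = $($dbg.Debugger); Auto = $($dbg.Auto)"
$weak = @(Get-AeDebugWeakAce)
if ($weak.Count -eq 0) { 'No unexpected write access on AeDebug.' } else { $weak }
```

Any row returned names a principal that could rewrite the Debugger value; removing that ACE, or restricting the key to Administrators and SYSTEM, closes the condition discussed in point 3.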
