Bugtraq mailing list archives

Re: Multiple Remote DoS vulnerabilities in Microsoft DCE/RPC daemons


From: Georgi Guninski <guninski () guninski com>
Date: Wed, 01 Aug 2001 20:51:36 +0300

Todd Sabin wrote:

BindView Security Advisory
--------

Multiple Remote DoS vulnerabilities in Microsoft DCE/RPC daemons
Issue Date: July 30, 2001
Contact:  tsabin () razor bindview com

Topic:
Many Microsoft DCE/RPC servers are vulnerable to remote DoS attacks

Overview:
Many DCE/RPC servers don't do proper parameter validation, and can
be crashed by sending an improperly formatted request.


There is some probability this may be more than just a DoS if
an attacker may execute programs on the server.
My idea is to crash a process which owns a named pipe, create a named
pipe with the same name and then wait for or force some other service or user to write
to the false pipe, and then impersonate it, which may lead to elevation of privileges.
Details on a similar problem, in which crashing LSASS.EXE leads to elevation of privileges, are
available at: http://www.guninski.com/dr07.html
I have not verified whether this idea will work in BindView's case or not.

Georgi Guninski
http://www.guninski.com
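The defensive counterpart to the pipe-squatting scenario in the message above, as an added example that is not code from Guninski's post or from the BindView advisory: a client connects to a named pipe with an impersonation level of Identification (so a process that has taken over the pipe name can learn who the caller is but cannot act as the caller), then resolves which process is actually serving the pipe and compares it with the expected service before writing anything. It assumes a Windows build with GetNamedPipeServerProcessId (Vista or later) and PowerShell 5 or later; the pipe name and expected process name are constructed placeholders.

```powershell
# Added example; not code from Guninski's post or from BindView's advisory.
# Two client-side checks against a squatted pipe name:
#  1. connect with TokenImpersonationLevel.Identification, so whatever process
#     serves the pipe can identify the client but cannot impersonate it;
#  2. look up the process that is serving the pipe and compare it with the
#     expected service before any data is written.
# Assumes Windows Vista or later (GetNamedPipeServerProcessId) and PowerShell 5+.

if (-not ('Win32.PipeApi' -as [type])) {
    Add-Type -Namespace 'Win32' -Name 'PipeApi' -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool GetNamedPipeServerProcessId(IntPtr Pipe, out uint ServerProcessId);
'@
}

function Test-NamedPipeServer {
    param(
        [Parameter(Mandatory)] [string] $PipeName,            # name without the \\.\pipe\ prefix
        [Parameter(Mandatory)] [string] $ExpectedProcessName, # e.g. the service's image name
        [int] $TimeoutMs = 2000
    )

    # Identification level: the server gets the client's identity for access
    # checks only; it cannot open resources or create processes as the client.
    $client = [System.IO.Pipes.NamedPipeClientStream]::new(
        '.', $PipeName,
        [System.IO.Pipes.PipeDirection]::InOut,
        [System.IO.Pipes.PipeOptions]::None,
        [System.Security.Principal.TokenImpersonationLevel]::Identification)

    try {
        $client.Connect($TimeoutMs)

        # Ask the kernel which process owns the server end of this pipe instance.
        $serverPid = [uint32]0
        $handle = $client.SafePipeHandle.DangerousGetHandle()
        if (-not [Win32.PipeApi]::GetNamedPipeServerProcessId($handle, [ref]$serverPid)) {
            $err = [System.Runtime.InteropServices.Marshal]::GetLastWin32Error()
            throw "GetNamedPipeServerProcessId failed (Win32 error $err)"
        }

        $server = Get-Process -Id $serverPid -ErrorAction Stop
        [pscustomobject]@{
            PipeName        = $PipeName
            ServerPid       = $serverPid
            ServerProcess   = $server.ProcessName
            ServerPath      = $server.Path   # $null when the caller cannot open the process
            MatchesExpected = ($server.ProcessName -ieq $ExpectedProcessName)
        }
    }
    catch [System.TimeoutException] {
        Write-Warning "no server answered on \\.\pipe\$PipeName within $TimeoutMs ms"
    }
    finally {
        $client.Dispose()
    }
}

# Usage with constructed placeholder names; send data only when MatchesExpected is $true:
# Test-NamedPipeServer -PipeName 'ExampleSvcPipe' -ExpectedProcessName 'ExampleSvc'
```

The impersonation level is the part that matters most: it is fixed at connect time by the client, and a server cannot raise it afterwards, so a service that connects with Identification (or Anonymous, where it needs no caller identity at all) is not exposed to the impersonation step even if the pipe name has been taken over. The process check is a secondary signal; ServerPath may be empty for a protected process, so compare ProcessName and, where available, the service account rather than relying on the path alone.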
