Dailydave mailing list archives

Re: Useless fact of the day!


From: "Dave Aitel" <dave.aitel () gmail com>
Date: Sat, 6 Jan 2007 12:48:38 -0500

I think it's hard to find an MSRPC interface that doesn't have a memory
exhaustion bug. Maybe I'll make ImmDBG automatically point them out next
week. I guess theoretically we can have ImmDBG shuttle that information off
to VisualSploit to automatically write a CANVAS exploit too. Or even better,
a SILICA module for it such that you walk into a room and everyone's Windows
machines stop working. Good for when you want all the bandwidth at a
security convention. :> We don't have the NetrWkstaUserEnum DoS in CANVAS
right now - we do use the function though to remotely get logged on users
against XP SP2.

It's not an easy bug for Microsoft to fix, but the hilarious thing is that
they didn't even bother. I wonder if Vista is vulnerable too - I'm betting
yes. :>

The other thing I want to try some day is using the LSA Open Handle stuff
remotely to just open an infinite number of handles. Everyone's so picky in
MSDN about always closing the handles to avoid handle leaks, but I'm betting
Win32 will be ok even if you don't. And if it's not, hey, no more handles
for anyone, anonymously and remotely, which is also fun. :> Maybe someone's
already done this and can save us all the trouble?

I dunno. These are all half-day projects, and there are always more
interesting bugs to play with in your half-day allotment. Yesterday I spent
the half-day of technical work I get a week inside a debugger looking at a
strncpy() stack overflow. They still exist! It's like finding a cod off the
Massachusetts coast.
-dave


P.S. Why are all of these different CVE numbers? Is CVE about the
vulnerability, or the endpoint you can touch it through? There's some sort
of rainbow going from a particular class of vulnerabilities through a
particular vulnerability through an exploit through a single instance of
someone exploiting a machine with an exploit, and I sense everyone's naming
schemes are just like someone pointing to a color frequency and calling it
blue.



On 1/6/07, Rhys Kidd <rhyskidd () gmail com> wrote:

RPC memory exhaustion bugs are all the rage atm it would seem,
hopefully this will provide the traction for MSRC to give it
priority....

It's also interesting that ISC believe for servers that the current
UPnP and SPOOLSS bugs are 'Important', whereas the more recent
NetrWkstaUserEnum() bug is only 'Less Urgent'.

They are pretty much the same, due to unvalidated client input, and in
fact the NetrWkstaUserEnum() opnum ( through the wkssvc named pipe )
is usually bindable over an anonymous NULL session.

- Rhys


_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave