Re: Useless fact of the day!

[Pusscat <pusscat () gmail com>]

We¹ve had a patch for UNMIDL that marked them in the output since the very
first one was patched ­ it might actually be attached to our paper ;)


On 1/6/07 12:48 PM, "Dave Aitel" <dave.aitel () gmail com> wrote:

> I think it's hard to find an MSRPC interface that doesn't have a memory
> exhaustion bug. Maybe I'll make ImmDBG automatically point them out next week.
> I guess theoretically we can have ImmDBG shuttle that information off to
> VisualSploit to automatically write a CANVAS exploit too. Or even better, a
> SILICA module for it such that you walk into a room and everyone's Windows
> machines stop working. Good for when you want all the bandwidth at a security
> convention. :> We don't have the NetrWkstaUserEnum DoS in CANVAS right now -
> we do use the function though to remotely get logged on users against XP SP2.
>
> It's not an easy bug for Microsoft to fix, but the hilarious thing is that
> they didn't even bother. I wonder if Vista is vulnerable too - I'm betting
> yes. :>
>
> The other thing I want to try some day is using the LSA Open Handle stuff
> remotely to just open an infinite number of handles. Every one's so picky in
> MSDN about always closing the handles to avoid handle leaks, but I'm betting
> Win32 will be ok even if you don't. And if it's not, hey, no more handles for
> anyone, anonymously and remotely, which is also fun. :> Maybe someone's
> already done this and can save us all the trouble?
>
> I dunno. These are all half-day projects, and there are always more
> interesting bugs to play with in your half-day allotment. Yesterday I spent
> the half-day of technical work I get a week inside a debugger looking at a
> strncpy() stack overflow. They still exist! It's like finding a cod off the
> Massachusetts coast.
> -dave
>
>
> P.S. Why are all of these different CVE numbers. Is CVE about the
> vulnerability, or the endpoint you can touch it through? There's some sort of
> rainbow going from a particular class of vulnerabilities through a particular
> vulnerability through an exploit through a single instance of someone
> exploiting a machine with an exploit and I sense everyone's naming schemes are
> just like someone pointing to a color frequency and calling it blue.
>
>
>
> On 1/6/07, Rhys Kidd <rhyskidd () gmail com> wrote:
> > RPC memory exhaustion bugs are all the rage atm it would seem,
> > hopefully this will provide the traction for MSRC to give it
> > priority....
> >
> > It's also interesting that ISC believe for servers that the current
> > UPnP and SPOOLSS bugs are 'Important', whereas the more recent
> > NetrWkstaUserEnum() bug is only 'Less Urgent'.
> >
> > They are pretty much the same, due to unvalidated client input, and in
> > fact the NetrWkstaUserEnum() opnum ( through the wkssvc named pipe )
> > is usually bindable over an anonymous NULL session.
> >
> > - Rhys
>
>
> _______________________________________________
> Dailydave mailing list
> Dailydave () lists immunitysec com
> http://lists.immunitysec.com/mailman/listinfo/dailydave


~ Puss

_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave