Dailydave mailing list archives
IPP +SMB FTW
From: Dave Aitel <dave () immunityinc com>
Date: Fri, 17 Oct 2008 11:42:42 -0400
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Some thoughts on the IPP vulnerability follow. Cf. http://www.kb.cert.org/vuls/id/793233 as quoted below.

"""
IPP <http://msdn.microsoft.com/en-us/library/ms817904.aspx> is an IP-based network protocol that allows remote printing and printer management. On Windows 2000 and XP, IIS comes with IPP enabled by default. IPP is optional on Windows 2003 systems. IPP by default is configured to only allow authenticated users; however, it may be configured to allow unauthenticated connections.

The Microsoft Windows IPP component, which is provided by msw3prt.dll, contains an integer overflow vulnerability, which results in an overflow of heap memory. By creating a specific HTTP POST to the vulnerable server, the IPP server will attempt to connect to a printer that is specified by the attacker. If this printer returns a malformed JOB_INFO_2 <http://msdn.microsoft.com/en-us/library/ms535671%28VS.85%29.aspx> structure, the integer overflow vulnerability in IPP may be triggered, resulting in a four-byte memory overwrite, and eventually code execution on the IPP server.

This vulnerability is being exploited in the wild.
"""

So one thing that's interesting to see is that the CERT note on this is the most informative of all the public notes. I still have a lot of questions though, even after Kostya wrote up the POC for CANVAS. (Both this bug and the SMB overflow are here: http://www.immunityinc.com/ceu-index.shtml)

1. What platforms were being exploited in the wild? Was it the "easy heap overflows" Windows 2000? Or the "not easy and not default" Windows 2003 and 2008? Was it XP SP2/3 on IIS 5.1?

2. Did some target have IPP set up as non-authenticated access?

3. How would you discover something like this in the wild considering that you can do HTTPS and possibly SEALED SMB/RPC?

4. How did the attackers find this?

5. Is there a complexity limit for data flow and control flow after which automated static analysis will fail but humans will succeed?

-dave

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFI+LJytehAhL0gheoRAgDwAJ9Pzmm8JvnAxbKT3hM2N34gdGDHXwCfb/TC
JxS/RdpZ/gzd4b0Igd8XJqk=
=RJwy
-----END PGP SIGNATURE-----

_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave
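Editor's note: the CERT text quoted in the message above describes an integer overflow in a size computation over a structure supplied by a remote (attacker-chosen) printer, turning into a heap overflow. The following is an added illustration of that bug class and is not msw3prt.dll's code, nor Immunity's CANVAS code; the page does not say which arithmetic in msw3prt.dll overflows, so the record layout (a fixed header plus variable-length fields whose lengths the remote side declares), the HDR_SIZE constant, the function names and the sample inputs are all assumptions made for the example. The vulnerable sum is run only as arithmetic (the simulation reports how far the copy would overshoot without performing it), and it is shown beside an overflow-checked version.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Fixed header the server puts in front of the variable-length fields.
 * Assumed value for this illustration only. */
#define HDR_SIZE 64u

/* Lengths of the variable-length fields of a hypothetical job record, as
 * declared by the remote printer. The remote side chooses every value. */
typedef struct {
    uint32_t n_fields;
    const uint32_t *field_len;
} job_field_lens_t;

/* Vulnerable size computation: 32-bit lengths summed in 32-bit arithmetic.
 * Lengths such as 0xFFFFFFF0 and 0x20 wrap the total to a tiny value, so a
 * buffer allocated from it is far smaller than the bytes copied into it. */
uint32_t vuln_total_size(const job_field_lens_t *j)
{
    uint32_t total = HDR_SIZE;
    for (uint32_t i = 0; i < j->n_fields; i++)
        total += j->field_len[i];          /* silently wraps */
    return total;
}

/* Bytes the vulnerable copy loop would write past its allocation. Computed
 * in 64-bit so the simulation itself never touches out-of-bounds memory. */
uint64_t vuln_bytes_past_alloc(const job_field_lens_t *j)
{
    uint64_t alloc = vuln_total_size(j);
    uint64_t written = HDR_SIZE;
    for (uint32_t i = 0; i < j->n_fields; i++)
        written += j->field_len[i];
    return written > alloc ? written - alloc : 0;
}

/* Hardened size computation: each addition is checked against a sane upper
 * bound before it happens, so the total can neither wrap nor exceed
 * max_total. Returns false (and leaves *out untouched) on rejection. */
bool safe_total_size(const job_field_lens_t *j, size_t max_total, size_t *out)
{
    size_t total = HDR_SIZE;
    if (total > max_total)
        return false;
    for (uint32_t i = 0; i < j->n_fields; i++) {
        size_t len = j->field_len[i];
        if (len > max_total - total)       /* would wrap or exceed the bound */
            return false;
        total += len;
    }
    *out = total;
    return true;
}

/* Assemble the response the hardened way: the size is validated first and
 * the fields are copied at exactly the offsets that size was computed from.
 * Returns a malloc'd buffer (caller frees) or NULL if the record is rejected. */
uint8_t *build_response_safe(const job_field_lens_t *j, const uint8_t **fields,
                             size_t max_total, size_t *out_len)
{
    size_t total;
    if (!safe_total_size(j, max_total, &total))
        return NULL;
    uint8_t *buf = calloc(total, 1);
    if (!buf)
        return NULL;
    size_t off = HDR_SIZE;
    for (uint32_t i = 0; i < j->n_fields; i++) {
        memcpy(buf + off, fields[i], j->field_len[i]);
        off += j->field_len[i];
    }
    *out_len = total;
    return buf;
}

int main(void)
{
    /* Constructed inputs: one benign record, one with wrapping lengths. */
    const uint32_t benign_lens[] = { 5, 7 };
    const uint8_t *benign_fields[] = { (const uint8_t *)"hello",
                                       (const uint8_t *)"world!!" };
    const uint32_t evil_lens[] = { 0xFFFFFFF0u, 0x20u };
    job_field_lens_t benign = { 2, benign_lens };
    job_field_lens_t evil = { 2, evil_lens };
    size_t len = 0;

    printf("benign: vuln total %u\n", vuln_total_size(&benign));
    printf("evil:   vuln total %u, bytes past allocation %llu\n",
           vuln_total_size(&evil),
           (unsigned long long)vuln_bytes_past_alloc(&evil));
    uint8_t *resp = build_response_safe(&benign, benign_fields, 1u << 20, &len);
    printf("benign: hardened build %s, %zu bytes\n", resp ? "ok" : "rejected", len);
    free(resp);
    printf("evil:   hardened build %s\n",
           safe_total_size(&evil, 1u << 20, &len) ? "ok" : "rejected");
    return 0;
}
```

The point to take from it: the wrapped total (80 bytes for the malicious record) is what the allocator sees, while the copy loop trusts the original field lengths, which is the allocation/copy mismatch that gives an attacker a heap write. The fix is not a bigger integer type but checking every addition against a bound before it is performed.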
Current thread:
- IPP +SMB FTW Dave Aitel (Oct 17)
- Re: IPP +SMB FTW Dave Korn (Oct 17)
- Re: IPP +SMB FTW Rodney Thayer (Oct 17)