Re: Privilege Scalation for Windows Networks using weak Service restrictions v2.0 exploit

[Andres Tarasco <atarasco () gmail com>]

Hi,

Not all windows versions are affected. The services listed below have been
found on several pen-tests.

As far as i know, the only way to know if you system is vulnerable to this
issue, is testing it with srvcheck because i have found win2k server boxes,
with all patches, with more than 20 vulnerable services. Why? maybe admins..
maybe an old FAT32 file system...

If your computer has a vulnerable service, just deploy an administrative
template (.inf) with the right permissions (remove modify privileges for
everyone/authenticated users/power users/... accounts)


regards,

Andres Tarasco

2006/2/12, ad () heapoverflow com <ad () heapoverflow com>:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Andres Tarasco wrote:
> > Proof of concept of Sudhakar Govindavajhala and Andrew Appel paper
> > (http://www.cs.princeton.edu/~sudhakar/papers/winval.pdf) Running
> > as an unprivileged user you can test if your services are
> > vulnerable and can be used to install a backdoor. Both source code
> > and binary included *Microsoft advisory:
> > http://microsoft.com/technet/security/advisory/914457.mspx*
> >
> > *SrvCheck v2.0 is able to perform this checks remotely using for
> > example domain user credentials* *Here is a short list of Known
> > vulnerable services under XP sp2:*
> >
> > *- Advanced User: * service: DcomLaunch ( SYSTEM ) Service:
> > UpnpHost ( Local Service ) Service: SSDPSRV (Local Service) *-
> > User: * Service: UpnpHost ( Local Service ) Service: SSDPSRV (Local
> > Service) *- Network Config Operators:* service: DcomLaunch ( SYSTEM
> > ) Service: UpnpHost ( Local Service ) Service: SSDPSRV (Local
> > Service) Service: DHCP ( SYSTEM ) Service: NetBT (SYSTEM - .sys
> > driver) Service DnsCache (SYSTEM)
>
> but ms put
>
> *Is this a security vulnerability that requires Microsoft to issue a
> security update?*
> Microsoft is still investigating this issue. Customers who have
> installed Windows XP Service Pack 2 and Windows Server 2003 Service
> Pack 1 are not affected by this issue.
>
>
>
>
> ??
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.2 (MingW32)
>
> iQIVAwUBQ++CaK+LRXunxpxfAQIKgRAA3v7vc+8wGM+qFS73NmYtvsYpBPgfjRUo
> ph7vPpvZd8gNVCGHPhES8DHvER+a4h5wzqSOBjBgwhuWFqlFPRlKxsXsM0+s4Qza
> PfLyJ6aMFqqxEfDBA6KxHJxtvOAX8uwj4PBLhIqH51pP5U6qziU7RbRf4i2yvWsG
> jm/ArJGmiKSgRYwJmOHnVZSxXm/Ivd4+FcBe8MqaCmYCm0qeOi/8w2uZ5rl4/uTw
> IfM/5HWxBCwcujUNzVg6/xcTiB+d/Ve6TtI/+MLbtmxBiyYVP5rJtWsYexy1Gt97
> lheOZJbsmF30SQh+UcWh2dDHVl3ToDcaVWA+5z8LKVsqefqMesi6Fm/tVn4pEU2M
> 9Bdro0TtrdtridlFDmeTU5594aQFR+V+q1m8eVb7osEbgEdsS1QZC7e9ulfMCAIJ
> fI6a/6VPMyjuuYlK0vMHLEpTPbZCgSqG+XaWMM7qX8FkqTymQjPAk0JRjriV8MC5
> eB3lV0C+0VHqke+yvXwQMD4pudb1+kNiB4rd/66Y/1d+Soe3O3E31/piOvKIHrxS
> wNZmssBVCFuxcoS8sbhh7H8LKE7uu+4q+Vc/J23orPna4lKfQvYQvxKfz8qoNGwb
> Aui67vNRxRbYfPJNG7MCRQaRgBIbgAE6n2gRBzR+lSQvrAsa0EpxMPanquD4Rm0k
> FFyMk03Essg=
> =hRrT
> -----END PGP SIGNATURE-----


--
Loco de aTar

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/