[NT] NULL Sessions Vulnerabilities Using Alternate Named Pipes

Subject: [NT] NULL Sessions Vulnerabilities Using Alternate Named Pipes
Date: 11 Jul 2005 19:33:14 +0200
The following security advisory is sent to the securiteam mailing list, and can 
be found at the SecuriTeam web site: http://www.securiteam.com



  NULL Sessions Vulnerabilities Using Alternate Named Pipes
------------------------------------------------------------------------


SUMMARY

By taking advantage of hardcoded named pipes allowed for NULL sessions and 
using the property of MSRPC that, by default, all available RPC interfaces 
in a process can be reached using any opened endpoint, it is possible to 
anonymously enumerate Windows services and read the Application and System 
eventlogs.

DETAILS

Vulnerable Systems:
 * Windows NT 4.0, Windows 2000 prior to URP1 for Windows 2000 SP4

Windows XP and Windows Server 2003 are not directly affected by the 
vulnerabilities described in this document. However, the alternate named 
pipes technique itself also applies to Windows XP and Windows Server 2003, 
including Windows XP SP2 and Windows Server 2003 SP1.

CVE Information:
CAN-2005-2150: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2150

Anonymous Windows service enumeration:
The svcctl MSRPC interface is used to communicate with the Windows SCM 
(Service Control Manager): 
http://www.hsc.fr/ressources/articles/win_net_srv/ch04s07s09.html

The svcctl vulnerability allows an anonymous user to connect to the SCM 
(Service Control Manager). It is then possible to enumerate installed or 
running services. See image at: 
http://www.hsc.fr/ressources/presentations/null_sessions/img16.html
Depending on the security descriptor protecting each service (stored in 
binary under the Security registry subkey of each service's subkey), it 
might be possible to anonymously start or even stop a Windows service.
Because in Windows NT 4.0 and Windows 2000, the EVERYONE group contains 
the ANONYMOUS LOGON SID, a service with a weak DACL allowing members of 
the EVERYONE group to start (or stop) the service can be remotely started 
or stopped anonymously.
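The following PowerShell audit is an added example for the service DACL point above; it is not code from the advisory or from HSC. It parses the SDDL string that sc.exe sdshow prints for a service and flags access-allowed ACEs that grant the start (RP) or stop (WP) service rights to Everyone (WD) or ANONYMOUS LOGON (AN), the two trustees that make a service reachable anonymously on NT 4.0 and 2000. The trustee and right abbreviations are the standard ones Windows uses in service security descriptors; the sample SDDL is constructed, and the live audit assumes a Windows host with sc.exe on the path.

```powershell
# Added example: audit service DACLs for ACEs reachable by anonymous callers.
# Not part of the advisory; uses the standard SDDL abbreviations Windows
# prints for service security descriptors (sc.exe sdshow <name>).

function Find-WeakServiceAces {
    param([string]$Sddl)   # DACL (and optional SACL) in SDDL form

    # On NT 4.0 / 2000 the EVERYONE group contains ANONYMOUS LOGON, so a grant
    # to either trustee is a grant to unauthenticated callers.
    $weakTrustees = @{ 'WD' = 'Everyone'; 'AN' = 'ANONYMOUS LOGON' }
    # Service-specific rights the advisory is concerned with.
    $rightNames   = @{ 'RP' = 'SERVICE_START'; 'WP' = 'SERVICE_STOP' }

    $findings = @()
    # Take only the D: (DACL) section; the match stops at an S: (SACL) section.
    $dacl = [regex]::Match($Sddl, 'D:(?<flags>[A-Z]*)(?<aces>(?:\([^)]*\))*)')
    if (-not $dacl.Success) { return ,$findings }

    foreach ($ace in [regex]::Matches($dacl.Groups['aces'].Value, '\(([^)]*)\)')) {
        # ACE layout: (type;flags;rights;object_guid;inherit_object_guid;trustee)
        $parts = $ace.Groups[1].Value -split ';'
        if ($parts.Count -ne 6 -or $parts[0] -ne 'A') { continue }   # access-allowed ACEs only
        $rights  = $parts[2]
        $trustee = $parts[5]
        if (-not $weakTrustees.ContainsKey($trustee)) { continue }
        if ($rights -like '0x*') { continue }   # raw hex access mask: not decoded here

        # Rights are a run of two-letter tokens; pick out start/stop.
        $granted = foreach ($tok in [regex]::Matches($rights, '..')) {
            if ($rightNames.ContainsKey($tok.Value)) { $rightNames[$tok.Value] }
        }
        if ($granted) {
            $findings += [pscustomobject]@{
                Trustee = $weakTrustees[$trustee]
                Rights  = (@($granted) -join ',')
                Ace     = $ace.Value
            }
        }
    }
    return ,$findings
}

function Get-WeakServiceDacls {
    # Live audit of the local host: one row per service/trustee with a finding.
    foreach ($svc in Get-Service) {
        $sddl = (& sc.exe sdshow $svc.Name | Where-Object { $_ -match '^D:' }) -join ''
        foreach ($f in Find-WeakServiceAces -Sddl $sddl) {
            [pscustomobject]@{ Service = $svc.Name; Trustee = $f.Trustee; Rights = $f.Rights }
        }
    }
}

# Constructed sample: the usual SYSTEM/Administrators/Interactive ACEs plus one
# ACE that lets Everyone (and therefore ANONYMOUS LOGON) start and stop the service.
$sample = 'D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)' +
          '(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)' +
          '(A;;CCLCSWLOCRRC;;;IU)' +
          '(A;;CCLCSWRPWPLOCRRC;;;WD)' +
          'S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)'
Find-WeakServiceAces -Sddl $sample | Format-Table -AutoSize

# Audit the live host (Windows, sc.exe on the path):
# Get-WeakServiceDacls | Format-Table -AutoSize
```

The SACL in the sample also names Everyone, but only the DACL decides access, which is why the parser cuts the string at the S: section. A finding from the live audit is a service whose Security subkey descriptor should be tightened so that start/stop is limited to administrators.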

For more information about services permissions, see 
http://cert.uni-stuttgart.de/archive/bugtraq/2004/10/msg00159.html

Anonymous Application and System eventlogs read:
The eventlog MSRPC interface is used to communicate with the Windows 
eventlog service: 
http://www.hsc.fr/ressources/articles/win_net_srv/ch04s07s06.html
The eventlog vulnerability can be used to anonymously read either the 
Application or System eventlog of a remote Windows NT 4.0 or Windows 2000 
system.

It is not possible to read the Security eventlog because a specific 
Windows privilege must be held by the caller process 
(SeSecurityPrivilege).

Vendor Status:
Both vulnerabilities are fixed in the URP1 for Windows 2000 SP4 recently 
released by the vendor: http://support.microsoft.com/kb/900345/
The svcctl vulnerability was fixed by modifying the SCM DACL (enforced 
when the OpenSCManager{A,W} operation is used), denying access for the 
ANONYMOUS LOGON SID.
The eventlog vulnerability was fixed by using an RPC callback function for 
the eventlog interface, to reject unauthenticated binds.

Workarounds:
It is possible to protect against the eventlog vulnerability by adding the 
RestrictGuestAccess registry value, set to 1, under the following two 
registry keys:
HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Application\
HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\System\
In Windows 2000, the RestrictGuestAccess value can be set using the 
following security options:
 * Restrict guest access to application log
 * Restrict guest access to system log
These settings are mentioned in the following article: 
http://support.microsoft.com/kb/842209
It is recommended to set these registry values on Windows NT 4.0 systems, 
where no other workaround is available.
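As an added example of the workaround above (not code from the advisory or from HSC), the PowerShell script below reports the RestrictGuestAccess value under both Eventlog keys named in this section and, with -Apply, creates or sets it to 1. It assumes a Windows host where the script runs with rights to write under HKLM; the function names are the author's own.

```powershell
# Added example, not from the advisory: audit and apply the eventlog workaround
# (RestrictGuestAccess = 1 under the Application and System Eventlog keys).

$base = 'HKLM:\SYSTEM\CurrentControlSet\Services\Eventlog'
# The Security log is not covered: reading it already requires SeSecurityPrivilege.
$logs = 'Application', 'System'

function Get-RestrictGuestAccess {
    param([string]$Log)
    $key  = Join-Path $base $Log
    $item = Get-ItemProperty -Path $key -Name 'RestrictGuestAccess' -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }   # value absent: guest/anonymous reads are not restricted
    return [int]$item.RestrictGuestAccess
}

function Set-RestrictGuestAccess {
    param([string]$Log)
    $key = Join-Path $base $Log
    # -Force creates the value when it is missing and overwrites it otherwise.
    New-ItemProperty -Path $key -Name 'RestrictGuestAccess' -PropertyType DWord -Value 1 -Force | Out-Null
}

function Invoke-EventlogWorkaround {
    param([switch]$Apply)   # without -Apply the function only reports the current state
    foreach ($log in $logs) {
        $before = Get-RestrictGuestAccess -Log $log
        $shown  = if ($null -eq $before) { 'absent' } else { $before }
        $state  = if ($before -eq 1) { 'restricted' } else { 'NOT restricted' }
        Write-Output ("{0} log: RestrictGuestAccess={1} ({2})" -f $log, $shown, $state)
        if ($Apply -and $before -ne 1) {
            Set-RestrictGuestAccess -Log $log
            Write-Output ("{0} log: RestrictGuestAccess set to 1" -f $log)
        }
    }
}

# Audit only:
Invoke-EventlogWorkaround
# Apply the workaround (needs an Administrator session to write under HKLM):
# Invoke-EventlogWorkaround -Apply
```

An absent value and a value of 0 are reported alike as "NOT restricted", since both leave the log readable by guest and anonymous callers. The value is honored by the eventlog service of the Windows versions this advisory covers; later Windows versions protect event log channels through a different security descriptor mechanism, so treat this as the NT 4.0 and Windows 2000 workaround it is.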

Vulnerability Assessment:
svcctl vulnerability: 
http://www.nessus.org/plugins/index.php?view=single&id=18585
eventlog vulnerability: 
http://www.nessus.org/plugins/index.php?view=single&id=18602

For more information, see the following documents:
 * MSRPC null sessions: exploitation and protection 
   http://www.hsc.fr/ressources/presentations/null_sessions/
 * Windows network services internals 
   http://www.hsc.fr/ressources/articles/win_net_srv/

Disclosure Timeline:
2004/01/23: Vulnerability reported to vendor
2004/02/12: Vendor announces its intention to release fixes as part of the 
next Windows 2000 Service Pack
2004/09/09: A related vulnerability affecting Windows XP SP2 is published
2005/02/08: Release of MS05-007, fixing a specific instance of a similar 
vulnerability in Windows XP and Windows XP SP2
2005/02/28: Private versions of Windows 2000 fixes available for test
2005/03/30: Confirmation that tested fixes correct the vulnerability
2005/06/28: Release of URP1 for Windows 2000 SP4, which includes fixes for 
Windows 2000


ADDITIONAL INFORMATION

The information has been provided by Jean-Baptiste Marchand 
(Jean-Baptiste.Marchand@hsc.fr).
The original article can be found at: 
http://www.hsc.fr/ressources/presentations/null_sessions/


