From: Georgi Guninski (guninski guninski.com)
Date: Wed Aug 01 2001 - 12:51:36 CDT
Todd Sabin wrote:
>
> BindView Security Advisory
> --------
>
> Multiple Remote DoS vulnerabilities in Microsoft DCE/RPC daemons
> Issue Date: July 30, 2001
> Contact: tsabin razor.bindview.com
>
> Topic:
> Many Microsoft DCE/RPC servers are vulnerable to remote DoS attacks
>
> Overview:
> Many DCE/RPC servers don't do proper parameter validation, and can
> be crashed by sending an improperly formatted request.
>
There is some probability this may be more than just a DoS if
an attacker may execute programs on the server.
My idea is to crash a process which owns a named pipe, create a named
pipe with the same name, and then wait for or force some other service or user to write
to the false pipe and then impersonate it, which may lead to elevation of privileges.
Details on a similar problem, in which crashing LSASS.EXE leads to elevation of privileges, are
available at: http://www.guninski.com/dr07.html
I have not verified whether this idea will work or not in BindView's case.
Georgi Guninski
http://www.guninski.com
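The scenario above turns on a client writing to a pipe whose server end is not the process it expects. The following is an added example, not code from either poster, showing the client-side hardening that limits this: it assumes PowerShell 7 (.NET) and a hypothetical pipe name.

```powershell
# Added example (not from the original posts): connect to a named pipe while
# (1) refusing a server end created by a different account and
# (2) denying the server an impersonation token usable for opening objects.
# Assumes PowerShell 7 on .NET; the pipe name is a hypothetical example.
$pipeName = 'example-service-pipe'

function Connect-PipeSafely {
    param([string]$Name, [int]$TimeoutMs = 2000)
    # CurrentUserOnly: on Windows the client checks that the server end of the
    # pipe was created by the same user, so a look-alike pipe created by a
    # lower-privileged account under the expected name is never used.
    $options = [System.IO.Pipes.PipeOptions]::CurrentUserOnly
    # Identification: the server can learn the caller's identity for access
    # checks but cannot act as the caller, which removes the elevation path
    # that relies on impersonating whoever writes to the pipe.
    $level = [System.Security.Principal.TokenImpersonationLevel]::Identification
    $client = [System.IO.Pipes.NamedPipeClientStream]::new(
        '.', $Name, [System.IO.Pipes.PipeDirection]::InOut, $options, $level)
    try {
        $client.Connect($TimeoutMs)   # throws on timeout or owner mismatch
        return $client
    }
    catch {
        $client.Dispose()
        throw "Refusing to use pipe '$Name': $($_.Exception.Message)"
    }
}

# Usage: with no trusted server listening this raises the refusal above
# rather than silently talking to whatever owns the name.
try { $stream = Connect-PipeSafely -Name $pipeName; $stream.Dispose() }
catch { Write-Warning $_ }
```

The same two settings map onto the Win32 side as SECURITY_SQOS_PRESENT | SECURITY_IDENTIFICATION on CreateFile, so a native client can apply them as well.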