Re: MS03-043 Popup Messenger Service buffer-overflow
From: Jean-Baptiste Marchand (Jean-Baptiste.MarchandHSC.FR)
Date: Sun Oct 19 2003 - 08:24:13 CDT
* Graham, Robert (ISS Atlanta) <rgrahamISS.NET> [16/10/03 - 18:25]:
> One of the interesting aspects of the Messenger bug is that the patch
> disables the MS-RPC interface to the Messenger Service.
Actually, the patch disables one of the two RPC interfaces that run in
the Messenger service.
The Messenger service runs two RPC services, that listen on the
- \pipe\msgsvc named pipe (ncacn_np transport)
- a dynamic UDP port (ncadg_ip_udp transport)
Y:\>ifids -p ncacn_np -e \pipe\msgsvc \\.
Y:\>ifids -p ncadg_ip_udp -e 4870 127.0.0.1
The vulnerability found by LSD apparently affects the second interface,
which contains only one operation, NetrSendMessage. Ethereal has a
dissector for this interface:
The MS03-043 patch completely removes support of the NetrSendMessage
API. The server stub support was removed from msgsvc.dll (messenger
service), as well as the client stub support, from wkssvc.dll
HSC - http://www.hsc.fr/