Re: MS03-043 Popup Messenger Service buffer-overflow

From: Jean-Baptiste Marchand (Jean-Baptiste.MarchandHSC.FR)
Date: Sun Oct 19 2003 - 08:24:13 CDT


* Graham, Robert (ISS Atlanta) <rgrahamISS.NET> [16/10/03 - 18:25]:

> One of the interesting aspects of the Messenger bug is that the patch
> disables the MS-RPC interface to the Messenger Service.

Actually, the patch disables one of the two RPC interfaces that run in
the Messenger service.

The Messenger service runs two RPC services that listen on the
following endpoints:

- \pipe\msgsvc named pipe (ncacn_np transport)
- a dynamic UDP port (ncadg_ip_udp transport)

Y:\>ifids -p ncacn_np -e \pipe\msgsvc \\.
Interfaces: 42

[...]

  17fdd703-1827-4e34-79d4-24a55c53bb37 v1.0
  5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc v1.0

Y:\>ifids -p ncadg_ip_udp -e 4870 127.0.0.1
Interfaces: 42

[...]

  17fdd703-1827-4e34-79d4-24a55c53bb37 v1.0
  5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc v1.0

The vulnerability found by LSD apparently affects the second interface,
which contains only one operation, NetrSendMessage. Ethereal has a
dissector for this interface:

http://www.ethereal.com/cgi-bin/viewcvs.cgi/ethereal/packet-dcerpc-messenger.c

The MS03-043 patch completely removes support for the NetrSendMessage
API. The server stub support was removed from msgsvc.dll (Messenger
service), as well as the client stub support, from wkssvc.dll
(Workstation service).

Jean-Baptiste Marchand
--
Jean-Baptiste.Marchandhsc.fr
HSC - http://www.hsc.fr/
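An added example, not part of the post above: a small Python check that parses output in the ifids format shown in the post and reports whether the interface UUID carrying NetrSendMessage (5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc) is still registered on an endpoint. The sample listings are constructed from the post's output, and the "patched" variant assumes, as the post states, that the patched service no longer registers that interface.

```python
import re

# Interface UUIDs quoted in the post: both are registered by the Messenger
# service on the \pipe\msgsvc and UDP endpoints of an unpatched host.
MSGSVC_IFACE = "17fdd703-1827-4e34-79d4-24a55c53bb37"
NETRSENDMESSAGE_IFACE = "5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc"  # the one MS03-043 removes

# One "  <uuid> v<major>.<minor>" line, as printed by ifids.
_IFACE_LINE = re.compile(
    r"^\s*([0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})\s+v(\d+)\.(\d+)\s*$",
    re.IGNORECASE,
)


def parse_ifids(output):
    """Map each interface UUID in an ifids listing to its (major, minor) version."""
    interfaces = {}
    for line in output.splitlines():
        m = _IFACE_LINE.match(line)
        if m:
            interfaces[m.group(1).lower()] = (int(m.group(2)), int(m.group(3)))
    return interfaces


def messenger_exposure(output):
    """Classify an endpoint from its ifids listing.

    'netrsendmessage-exposed': the interface MS03-043 removes is registered
    'messenger-only'         : only the remaining Messenger interface is
                               registered, as the post describes for a patched host
    'no-messenger'           : neither interface is registered (service not
                               running, or this endpoint is not served by it)
    """
    ifaces = parse_ifids(output)
    if NETRSENDMESSAGE_IFACE in ifaces:
        return "netrsendmessage-exposed"
    if MSGSVC_IFACE in ifaces:
        return "messenger-only"
    return "no-messenger"


# Constructed samples: the unpatched listing from the post (abbreviated) and a
# patched variant assumed to lack only the NetrSendMessage interface.
UNPATCHED_LISTING = "Interfaces: 42\n\n  17fdd703-1827-4e34-79d4-24a55c53bb37 v1.0\n  5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc v1.0\n"
PATCHED_LISTING = "Interfaces: 41\n\n  17fdd703-1827-4e34-79d4-24a55c53bb37 v1.0\n"

if __name__ == "__main__":
    for name, listing in (("unpatched", UNPATCHED_LISTING), ("patched", PATCHED_LISTING)):
        print(name, "->", messenger_exposure(listing))
```

Feed it the saved output of an ifids run against each endpoint (named pipe and UDP) separately, since the post shows both registering the same pair of interfaces.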
