[11980] in bugtraq
Re: Update to ODBC/RDS vulnerabilities
daemon@ATHENA.MIT.EDU (rfp@WIRETRIP.NET)
Thu Sep 23 18:49:48 1999
Message-Id: <Pine.LNX.4.10.9909222034170.25636-100000@eight.wiretrip.net>
Date: Wed, 22 Sep 1999 20:50:27 -0500
Reply-To: rfp@WIRETRIP.NET
From: rfp@WIRETRIP.NET
X-To: David LeBlanc <dleblanc@microsoft.com>
To: BUGTRAQ@SECURITYFOCUS.COM
> You did your testing as an administrator on the machine. Network
No, I specifically did *NOT* do this, to avoid the same goofs that the
guy who did the latest DCOM posts did. Not that it was his fault; I
was just wary of where he went wrong, and tried to avoid that.
I specifically yanked one machine out of the domain and made it into
another workgroup instead. I created a local account on that box of user
'rfp', no special rights (normal user). I used this to query regedit
from. I created the account from scratch to make sure it was clean.
On the servers, on one I added domain account rfp, normal user. Different
password than the first so I knew I would be prompted for login/password
when connecting. On another server which was only in the workgroup, I
added a local user, same as above. Normal user rights, no administrative
stuff. Again, freshly created accounts to make sure nothing silly was
going on.
Then I queried from the 'remote', non-associated box to these servers. I
entered the login/password of rfp. That's logging in as rfp on one box,
authenticating as rfp to the second, no administrative mojo to be seen.
I was able to view the registry, and change that key. Total 'cross
mojonation'.
But I see your point on being limited by 'AllowedPaths'. Has anyone else
been able to recreate this? What you say makes sense, so I don't know why
it would work on mine. My NT configurations are not custom nor fancy.
> It is also generally a good practice to place router filters in front of
> your internet-exposed web servers such that they cannot make outbound
> connections to places where they shouldn't. People who took such
> precautions found that things such as the .htr overflow didn't work, and
> would prevent your UNC path variant from working. Turning off the
Right.
> Server and Workstation services, as well as unbinding NetBIOS from the
> external interface would also prevent an attack involving an external
> UNC path from working.
I said it as an FYI of another approach to the exploit potential. If your
box was locked down in the first place none of this would be an issue, no?
:) After all, RDS stuff is slightly in the sample-scripts arena--everyone
should know better.
But they don't.
Cheers,
.r.f.p.
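Added audit example, not code from rfp's post or from anyone in the thread: a PowerShell check (assumes PowerShell 5 or later on a supported Windows release, run locally on the server being audited) that reports the winreg ACL and the 'AllowedPaths' list that gate remote registry reads, plus the state of the Server, Workstation and Remote Registry services the thread discusses. The baseline AllowedPaths entries are the ones Windows ships by default, listed here as an assumption.

```powershell
# Added audit example (not from the original post). Assumes PowerShell 5+ on a
# supported Windows release; run locally on the server being audited.
$winreg = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg'

# Paths Windows ships in AllowedPaths\Machine by default (assumed baseline;
# anything beyond these widens what a remote non-admin user can read).
$baseline = @(
    'System\CurrentControlSet\Control\ProductOptions',
    'System\CurrentControlSet\Control\Server Applications',
    'Software\Microsoft\Windows NT\CurrentVersion'
)

function Get-RemoteRegistryExposure {
    $report = [ordered]@{}

    # The winreg key's ACL decides who may open the remote registry at all.
    $report.WinregKeyPresent = Test-Path $winreg
    if ($report.WinregKeyPresent) {
        $report.WinregAcl = (Get-Acl $winreg).Access |
            ForEach-Object { "$($_.IdentityReference): $($_.RegistryRights)" }
    }

    # AllowedPaths\Machine lists subtrees readable regardless of that ACL.
    $allowed = @()
    $apKey = Join-Path $winreg 'AllowedPaths'
    if (Test-Path $apKey) {
        $allowed = @((Get-ItemProperty -Path $apKey -Name Machine -ErrorAction SilentlyContinue).Machine)
    }
    $report.AllowedPaths = $allowed
    # Entries outside the assumed baseline deserve a second look.
    $report.ExtraAllowedPaths = @($allowed | Where-Object { $baseline -notcontains $_ })

    # Services named in the thread; Remote Registry is a separate service on
    # Windows 2000 and later.
    foreach ($name in 'RemoteRegistry', 'LanmanServer', 'LanmanWorkstation') {
        $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
        $report[$name] = if ($svc) { "$($svc.Status) / $($svc.StartType)" } else { 'not installed' }
    }

    [pscustomobject]$report
}

Get-RemoteRegistryExposure | Format-List
```

The script reports only; whether a listed service or an extra AllowedPaths entry is acceptable depends on what the box is for, which is the point David LeBlanc makes about locking down exposed web servers.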