[36965] in bugtraq
ms04-031 pre-auth ??
daemon@ATHENA.MIT.EDU (Sinan Eren)
Mon Oct 18 11:22:32 2004
Date: Mon, 18 Oct 2004 09:35:22 -0400 (EDT)
From: Sinan Eren <sinan.eren@immunitysec.com>
To: bugtraq@securityfocus.com, dailydave@lists.immunitysec.com
Message-ID: <Pine.LNX.4.58.0410180911040.1669@juneof44.immunitysec>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
http://www.microsoft.com/technet/security/bulletin/ms04-031.mspx
We have located the vulnerable function and just recently wrote the
CANVAS module for it but all our tests showed that the NetDDE
vulnerability can not be exploited with a NULL session a.k.a
with "Anonymous Logon" credentials.
Here are some reasons why we think NetDDE rpc interface procedure calls
can only be done after authentication (any local or domain user)
1- \pipe\nddeapi named pipe do not have the "Anonymous Logon" credentials
2- HKLM\SYSTEM\ControlSet001\Services\lanmanserver\parameters\NullSessionPipes
do not list the nddeapi pipe in any of the current windows OS installs
3- \pipe\nddeapi is not hardcoded in the srv.sys driver (please check:
http://www.hsc.fr/ressources/articles/win_net_srv/index.html.en#htoc33 )
Please feel free to correct us! We will be delighted to hear that this
vuln is actually a pre-auth ;)
The most puzzling question is why does Microsoft "upplays" this
vulnerabilities severity rather than the usual downplaying efforts ?
I remember a good friend reporting them a remote ring-0 vulnerability
in terminal services which they silently fixed in SP3 and dont even bother
to credit him because they simply believe only remote DOS can be achieved
with a remote kernel overflow!! So does that mean MS changed its policy
regarding vulnerability severity assesment or they have a ongoing love
relation with NGS ? puzzles the mind ;)
cheers,
Sinan Eren
Immunity Research
