[Dailydave] MS08-006 under rated?

Andrey Kolishchak gsw at gentlesecurity.com
Thu Feb 14 10:49:54 EST 2008



> Yes I have seen your advisory long time ago, you didn't mention any
> technical details nor provide any code (which is OK ) so I don't

The advisory mentions that a demo is provided, and it has been available on
request on our web site since the moment of the advisory (almost two years
by now). Given that, I would say we didn't provide any code.

Now I have just explained how the exploit works; is it still insufficient to
judge the similarities? I'm just curious.

Thanks,
 Andrey

 

> Hi Andrey.

>>Well, we have an advisory on this: http://www.gentlesecurity.com/adv04302006.html
>>We also have a demo that elevates IIS's NetworkService up to LocalSystem.

> Yes I have seen your advisory long time ago, you didn't mention any
> technical details nor provide any code (which is OK ) so I don't
> know if we are talking about the same problems.

>>Microsoft's decision to run RpcSs as NetworkService has, in fact,
>>weakened the configuration. RpcSs running on behalf of LocalSystem would
>>be more secure, as other NetworkService processes would not be able to
>>attack it.

> Running RpcSs as LocalSystem won't help much; other attacks are still possible.
> The RpcSs process is not the only one that impersonates LocalSystem.


>>The issue with services is partly addressed in Windows Vista, where
>>process objects may be owned by a unique service SID (symbolic name: NT
>>Service\ServiceName). However, that is not enabled for all services by
>>default; not even all services shipped with Vista support unique
>>service SIDs.
>><http://www.gentlesecurity.com/blog/andr/cracking_windows_access_control.pdf>
>>I guess you are mentioning the same problem, and I would be interested to
>>hear more about it if that is something new.

> Again, you are not mentioning technical details nor providing code
> (which is OK), so I don't know if we are talking about the same problems.

>>But NetworkService is particularly dangerous, even without this
>>problem. NetworkService has permission to issue SIO_RCVALL on sockets
>>and sniff the machine's network traffic (note that no additional driver is
>>required).

> This is cool, I didn't know about this; again we can see how many
> problems related to NetworkService and LocalService there are.


> PS: I know I'm not providing technical details or code; I can't,
> because I will present this stuff at a conference. Anyway, this
> thread is bringing interesting stuff to light.

> Cesar.
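The thread above turns on whether services running as NetworkService share one identity or get their own per-service SID (NT Service\ServiceName). The following audit script is an added example, not code from this thread or from gentlesecurity.com; it assumes PowerShell 3 or later on Windows with read access to the Services registry key, and uses the documented ServiceSidType value (0 = none, 1 = unrestricted, 3 = restricted) together with the well-known derivation of service SIDs (S-1-5-80 plus five little-endian DWORDs of the SHA-1 of the upper-cased UTF-16LE service name).

```powershell
# Added example: list services that run as NetworkService or LocalService and
# report whether each has a per-service SID or shares the plain account identity.
# ServiceSidType (HKLM\SYSTEM\CurrentControlSet\Services\<Name>\ServiceSidType):
#   0 = none (process shares the account SID), 1 = unrestricted, 3 = restricted.
function Get-ServiceSidString {
    param([Parameter(Mandatory)][string]$ServiceName)
    # Per-service SIDs are S-1-5-80-<five DWORDs>; the DWORDs are the SHA-1 of the
    # upper-cased service name in UTF-16LE, read as little-endian 32-bit integers.
    $bytes = [System.Text.Encoding]::Unicode.GetBytes($ServiceName.ToUpperInvariant())
    $sha1  = [System.Security.Cryptography.SHA1]::Create()
    $hash  = $sha1.ComputeHash($bytes)
    $subs  = 0..4 | ForEach-Object { [BitConverter]::ToUInt32($hash, $_ * 4) }
    return 'S-1-5-80-' + ($subs -join '-')
}

function Get-SharedIdentityServices {
    # Services whose token is exactly NetworkService/LocalService with no service
    # SID are the ones that can act on each other's objects, as discussed above.
    $accounts = @('NT AUTHORITY\NetworkService', 'NT AUTHORITY\LocalService')
    $sidTypes = @{ 0 = 'None'; 1 = 'Unrestricted'; 3 = 'Restricted' }
    Get-CimInstance Win32_Service |
        Where-Object { $accounts -contains $_.StartName } |
        ForEach-Object {
            $key  = "HKLM:\SYSTEM\CurrentControlSet\Services\$($_.Name)"
            $type = (Get-ItemProperty -Path $key -Name ServiceSidType `
                        -ErrorAction SilentlyContinue).ServiceSidType
            if (-not $type) { $type = 0 }   # missing value means no service SID
            [pscustomobject]@{
                Name       = $_.Name
                Account    = $_.StartName
                SidType    = $sidTypes[[int]$type]
                ServiceSid = if ($type) { Get-ServiceSidString $_.Name } else { $null }
            }
        }
}

# Services with SidType 'None' are the shared-identity cases; review those first.
Get-SharedIdentityServices | Sort-Object SidType, Name | Format-Table -AutoSize
```

The computed ServiceSid column can be cross-checked against `sc.exe showsid <Name>`, and the SidType column against `sc.exe qsidtype <Name>`.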




More information about the Dailydave mailing list