I think it's hard to find an MSRPC interface that doesn't have a memory exhaustion bug. Maybe I'll make ImmDBG automatically point them out next week. I guess theoretically we can have ImmDBG shuttle that information off to VisualSploit to automatically write a CANVAS exploit too. Or even better, a SILICA module for it such that you walk into a room and everyone's Windows machines stop working. Good for when you want all the bandwidth at a security convention. :> We don't have the NetrWkstaUserEnum DoS in CANVAS right now - we do use the function though to remotely get logged on users against XP SP2.

It's not an easy bug for Microsoft to fix, but the hilarious thing is that they didn't even bother. I wonder if Vista is vulnerable too - I'm betting yes. :>

The other thing I want to try some day is using the LSA Open Handle stuff remotely to just open an infinite number of handles. Everyone's so picky in MSDN about always closing the handles to avoid handle leaks, but I'm betting Win32 will be ok even if you don't. And if it's not, hey, no more handles for anyone, anonymously and remotely, which is also fun. :> Maybe someone's already done this and can save us all the trouble?

I dunno. These are all half-day projects, and there are always more interesting bugs to play with in your half-day allotment. Yesterday I spent the half-day of technical work I get a week inside a debugger looking at a strncpy() stack overflow. They still exist! It's like finding a cod off the Massachusetts coast.

-dave

P.S. Why are all of these different CVE numbers? Is CVE about the vulnerability, or the endpoint you can touch it through? There's some sort of rainbow going from a particular class of vulnerabilities through a particular vulnerability through an exploit through a single instance of someone exploiting a machine with an exploit and I sense everyone's naming schemes are just like someone pointing to a color frequency and calling it blue.

On 1/6/07, Rhys Kidd <rhyskidd@gmail.com> wrote:
> RPC memory exhaustion bugs are all the rage atm it would seem,
> hopefully this will provide the traction for MSRC to give it
> priority....
>
> It's also interesting that ISC believe for servers that the current
> UPnP and SPOOLSS bugs are 'Important', whereas the more recent
> NetrWkstaUserEnum() bug is only 'Less Urgent'.
>
> They are pretty much the same, due to unvalidated client input, and in
> fact the NetrWkstaUserEnum() opnum ( through the wkssvc named pipe )
> is usually bindable over an anonymous NULL session.
>
> - Rhys