Re: Update to ODBC/RDS vulnerabilities

From: rfpat_private
Date: Wed Sep 22 1999 - 18:50:27 PDT


    > You did your testing as an administrator on the machine.  Network
    
    No, I specifically did *NOT* do this, to avoid the same goofs that the
    guy who did the latest DCOM posts did.  Not that it was his fault; I
    was just wary of where he went wrong, and tried to avoid that.
    
    I specifically yanked one machine out of the domain and made it into
    another workgroup instead.  I created a local account on that box of user
    'rfp', no special rights (normal user).  I used this to query regedit
    from.  I created the account from scratch to make sure it was clean.
    
    On the servers, on one I added domain account rfp, normal user.  Different
    password than the first so I know I would be prompted for login/password
    when connecting.  On another server which was only in the workgroup, I
    added a local user, same as above.  Normal user rights, no administrative
    stuff.  Again, freshly created accounts to make sure nothing silly was
    going on.
    
    Then I queried from 'remote', non-associated box to these servers.  I
    enter the login/password of rfp.  That's logging in as rfp on one box,
    authenticating as rfp to the second, no administrative mojo to be seen.
    I was able to view the registry, and change that key.  Total 'cross
    mojonation'.
    
    But I see your point on being limited by 'AllowedPaths'.  Has anyone else
    been able to recreate this?  What you say makes sense, so I don't know why
    it would work on mine.  My NT configurations are not custom nor fancy.
    
    > It is also generally a good practice to place router filters in front of
    > your internet-exposed web servers such that they cannot make outbound
    > connections to places where they shouldn't.  People who took such
    > precautions found that things such as the .htr overflow didn't work, and
    > would prevent your UNC path variant from working.  Turning off the
    
    Right.
    
    > Server and Workstation services, as well as unbinding NetBIOS from the
    > external interface would also prevent an attack involving an external
    > UNC path from working.
    
    I said it as an FYI of another approach to the exploit potential.  If your
    box was locked down in the first place none of this would be an issue, no?
    :)  After all, RDS stuff is slightly in the sample-scripts arena--everyone
    should know better.
    
    But they don't.
    
    Cheers,
    .r.f.p.
    
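The test rfp describes above (a freshly created normal user on a box outside the domain, opening the remote registry of a server and seeing what it can read or change) is easy to repeat, and the 'AllowedPaths' question raised in the thread is easy to settle on the server side. The following is an added example, not code from rfp's post or any vendor tool. It assumes a target host name `$Target` that resolves and has the remote registry (winreg) pipe reachable, that the caller has already authenticated to the target as the low-privilege account (e.g. `net use \\$Target\ipc$` with that user), and the probe paths in `$Paths` are my own choice of keys, not anything the thread names; which of them sit on a given build's default `AllowedPaths\Machine` list is an assumption to verify locally.

```powershell
# Added example (not from the original post). Two halves:
#  1. Test-RemoteRegistryPaths: run from the low-privilege workstation and see
#     which HKLM paths on $Target an ordinary remote user can open, read-only
#     and (optionally) for write. Opening for write modifies nothing.
#  2. Get-WinregLockdown: run on the server as an admin to dump the ACL on the
#     winreg key and the AllowedPaths\Machine list that governs remote readers.

function Test-RemoteRegistryPaths {
    param(
        [Parameter(Mandatory)] [string] $Target,
        [string[]] $Paths = @(
            # Assumed to be on a typical default AllowedPaths\Machine list; verify on your build
            'SYSTEM\CurrentControlSet\Control\ProductOptions',
            'SYSTEM\CurrentControlSet\Services\Eventlog',
            # Assumed to be refused to a non-admin once winreg is locked down
            'SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg',
            'SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
        ),
        [switch] $TryWrite   # also request write access; the key is only opened, never written
    )

    try {
        $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey(
            [Microsoft.Win32.RegistryHive]::LocalMachine, $Target)
    } catch {
        # No winreg pipe at all: Remote Registry/Server service off, or SMB/NetBIOS filtered
        return [pscustomobject]@{ Target = $Target; Path = '(connect)'; Read = $false
                                  Write = $false; Error = $_.Exception.Message }
    }

    foreach ($p in $Paths) {
        $read = $false; $write = $false; $err = ''
        try {
            # OpenSubKey returns $null if the key is absent and throws on access denied
            $k = $hklm.OpenSubKey($p, $false)
            if ($k) { $read = $true; $k.Close() }
        } catch { $err = $_.Exception.GetType().Name }
        if ($TryWrite) {
            try {
                $k = $hklm.OpenSubKey($p, $true)
                if ($k) { $write = $true; $k.Close() }
            } catch { $err = $_.Exception.GetType().Name }
        }
        [pscustomobject]@{ Target = $Target; Path = $p; Read = $read; Write = $write; Error = $err }
    }
    $hklm.Close()
}

function Get-WinregLockdown {
    $winreg = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg'
    if (-not (Test-Path $winreg)) {
        # No winreg key: remote callers are limited only by each key's own ACL
        return [pscustomobject]@{ WinregKeyPresent = $false; Acl = @(); AllowedPathsMachine = @() }
    }
    $acl = (Get-Acl $winreg).Access | ForEach-Object {
        '{0}: {1} ({2})' -f $_.IdentityReference, $_.RegistryRights, $_.AccessControlType
    }
    $allowed = @()
    $ap = Join-Path $winreg 'AllowedPaths'
    if (Test-Path $ap) {
        # REG_MULTI_SZ of paths any authenticated remote user may read regardless of the winreg ACL
        $allowed = (Get-ItemProperty -Path $ap -Name Machine -ErrorAction SilentlyContinue).Machine
    }
    [pscustomobject]@{ WinregKeyPresent = $true; Acl = @($acl); AllowedPathsMachine = @($allowed) }
}

# Usage, from the low-privilege workstation (after authenticating as the test user):
#   Test-RemoteRegistryPaths -Target NTSRV1 -TryWrite | Format-Table -AutoSize
# Usage, on the server, as an administrator:
#   Get-WinregLockdown
```

Read the two outputs together: if `Get-WinregLockdown` reports the winreg key present with an ACL that excludes ordinary users, only the paths listed under `AllowedPathsMachine` should come back `Read = $true` from the remote probe, and none should come back `Write = $true`. If the key is absent, or the ACL grants the user (or Everyone) read, a normal remote account reaches whatever the individual key ACLs allow, which is the kind of result rfp reports. The probe's `(connect)` row failing is the expected outcome once the Server service is stopped or NetBIOS is unbound on the exposed interface, as the quoted advice recommends.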



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:04:58 PDT