Re: RFP9903: AeDebug vulnerability

From: Mark Dixon ext3456 (mdixonat_private)
Date: Tue Oct 05 1999 - 23:34:29 PDT


    Even though .rain.forest.puppy has cancelled RFP9903, I think it's worth
    making a couple of comments...
    
    
    >>1) Find a machine with 139 listening
    >
    >This is typically an issue when attacking remotely through the Internet.
    >However, this seems to dissolve when you have internal access (inside
    >job).  Check out the numbers for the 1999 CSI-FBI incident survey,
    >regarding internal security problems at www.gocsi.com/summary.htm
    
    I have to agree with .rain.forest.puppy here. I need to secure my network
    against LAN users just as much as outside users. Just look at the number of
    exploits that appear on bugtraq that require local accounts. These types of
    problems are still very real.
    
    
    >>2) Get a user account (anonymous won't do)
    
    Again, a user account is not necessarily a problem if you're on the LAN, but
    don't NT servers only allow administrators to read the registry by default?
    Mine are certainly set up this way.
    
    
    >>3) See if that particular machine allows rights to AeDebug (most don't)
    >
    >Except, amazingly, mine (of course).
    
    And mine... EVERY single NT server I have here had the permissions
    described by .rain.forest.puppy (including the Winframe server... even more
    scary).
    While I can't argue what the default permissions are (I don't have a
    pristine machine around), I can say that one of these servers was completely
    rebuilt last week. The only additional software installed was Insight
    Manager Agent, Arcserve Agent, Compaq SSD and SP3 (I know it's old...). I
    noticed that Compaq machines use their own debugger; maybe this is what's
    screwed up my permissions?
    
    
    >>4) Put a binary on the system
    >
    >If you can run programs, you can (attempt) to use ftp or rcp to pull files
    >in.  I realize this is dependent on outgoing firewall rules, access to the
    >commands, etc.  But it's not impossible--these methods have been used by
    >many people contacting me on the RDS issue.
    
    UNC paths work here. If you can set up your own share with guest access, I
    believe you can run whatever you like from it.
    
    >> 5) Make something crash that has higher access rights than you do
    
    Well, here's the real problem... I guess you'd just have to hang around and
    wait...
    
    
    	Regards,
    
    			Mark.
    
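The thread turns on two registry keys: AeDebug, whose Debugger value is the command NT launches when a process faults (in the NT 4 design it ran with the faulting process's privileges, which is what step 5 of the recipe relies on), and winreg, whose ACL is what decides who may open the registry remotely, i.e. the "only administrators can read the registry" behaviour the reply asks about. The following PowerShell audit is an added example, not code from the original post or from .rain.forest.puppy's advisory. It targets current Windows (NT 4 had no PowerShell, but both key paths are unchanged since then); the trusted-principal lists are assumptions for an English-language domain member and should be adjusted for your environment.

```powershell
# Added audit script, not part of the original post. Checks who can rewrite the
# post-mortem debugger command (AeDebug) and who may open the registry remotely
# (winreg). Run from an elevated PowerShell session on the host being checked.

$AeDebugKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AeDebug'
$WinregKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg'

# ASSUMPTION: principals allowed to hold write rights on AeDebug.
$TrustedWriters = @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM', 'CREATOR OWNER',
                    'NT SERVICE\TrustedInstaller')
# ASSUMPTION: principals allowed any access to winreg (= remote registry access).
$TrustedRemote  = @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM',
                    'BUILTIN\Backup Operators', 'NT AUTHORITY\LOCAL SERVICE')

# Rights that let a principal change what runs when a process crashes.
$WriteMask = [System.Security.AccessControl.RegistryRights]::SetValue -bor
             [System.Security.AccessControl.RegistryRights]::CreateSubKey -bor
             [System.Security.AccessControl.RegistryRights]::WriteKey -bor
             [System.Security.AccessControl.RegistryRights]::ChangePermissions -bor
             [System.Security.AccessControl.RegistryRights]::TakeOwnership -bor
             [System.Security.AccessControl.RegistryRights]::FullControl
# Any Allow ACE on winreg grants some remote access, so match every right bit.
$AnyMask   = [System.Security.AccessControl.RegistryRights]::FullControl

function Get-UntrustedAces {
    # Allow ACEs on $Path whose rights intersect $Mask and whose principal is
    # not in $Trusted. Returns an empty array when the key does not exist.
    param([string]$Path, [string[]]$Trusted,
          [System.Security.AccessControl.RegistryRights]$Mask)
    if (-not (Test-Path -Path $Path)) { return @() }
    $acl = Get-Acl -Path $Path
    @($acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        (($_.RegistryRights -band $Mask) -ne 0) -and
        ($Trusted -notcontains $_.IdentityReference.Value)
    })
}

# 1. What would run on a crash today, and would it start without prompting?
$dbg = Get-ItemProperty -Path $AeDebugKey -ErrorAction SilentlyContinue
"AeDebug\Debugger : $($dbg.Debugger)"
"AeDebug\Auto     : $($dbg.Auto)"

# 2. Who can rewrite that command? (steps 3 and 5 of the thread's recipe)
$weakDebug = @(Get-UntrustedAces -Path $AeDebugKey -Trusted $TrustedWriters -Mask $WriteMask)
if ($weakDebug.Count -gt 0) {
    "WEAK: these principals can change the post-mortem debugger command:"
    $weakDebug | ForEach-Object { "  {0,-40} {1}" -f $_.IdentityReference, $_.RegistryRights }
} else {
    "OK: only trusted principals can write to AeDebug."
}

# 3. Is remote registry access restricted at all, and to whom? (step 2)
if (-not (Test-Path -Path $WinregKey)) {
    "WEAK: winreg key is missing, so remote registry access is not gated by it."
} else {
    $weakRemote = @(Get-UntrustedAces -Path $WinregKey -Trusted $TrustedRemote -Mask $AnyMask)
    if ($weakRemote.Count -gt 0) {
        "WEAK: these principals can open the registry remotely:"
        $weakRemote | ForEach-Object { "  {0,-40} {1}" -f $_.IdentityReference, $_.RegistryRights }
    } else {
        "OK: remote registry access is limited to trusted principals."
    }
}

# 4. Optional remediation for AeDebug. Inherited ACEs cannot be removed directly,
#    so first stop inheritance while keeping copies of the inherited ACEs, persist
#    that, then re-read the ACL and strip the untrusted write ACEs.
#    Set $Apply = $true to run it.
$Apply = $false
if ($Apply -and $weakDebug.Count -gt 0) {
    $acl = Get-Acl -Path $AeDebugKey
    $acl.SetAccessRuleProtection($true, $true)   # protect DACL, copy inherited ACEs
    Set-Acl -Path $AeDebugKey -AclObject $acl
    $acl = Get-Acl -Path $AeDebugKey
    foreach ($ace in $weakDebug) {
        $rule = New-Object System.Security.AccessControl.RegistryAccessRule(
            $ace.IdentityReference, $ace.RegistryRights,
            $ace.InheritanceFlags, $ace.PropagationFlags, $ace.AccessControlType)
        [void]$acl.RemoveAccessRule($rule)
    }
    Set-Acl -Path $AeDebugKey -AclObject $acl
    "Removed $($weakDebug.Count) untrusted ACE(s) from AeDebug."
}
```

The write mask deliberately includes ChangePermissions and TakeOwnership as well as SetValue: a principal who can alter the DACL or take ownership of the key can grant itself SetValue later, so the key is no better protected than if it could write the Debugger value outright. Vendor agents of the kind the reply lists (management and backup agents that register their own debugger) are a common reason for an Allow ACE to appear here, which is exactly why the check is worth running on rebuilt machines rather than relying on what the default is assumed to be.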
    



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:06:53 PDT