Title: Message
Heh....Litchfield writes some really cool stuff.  Scary, but very cool.
:o)
 

Rick Kingslan  MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone
 



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Joe
Sent: Thursday, September 11, 2003 5:54 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] New RPC DOS

Heh. 10 minutes after I post this I see in the millions of posts on full disclosure...
 

For those interested, NGSS has just published a paper describing how to defeat the mechanism built into Windows 2003 Server to prevent exploitation of stack-based buffer overflow vulnerabilities. Previous work done in this area presented methods that only worked in highly specific scenarios - the new methods presented in this paper are generic. The paper can be downloaded from http://www.nextgenss.com/papers/defeating-w2k3-stack-protection.pdf .

Cheers,
David Litchfield
NGSSoftware Ltd
http://www.nextgenss.com/
+44(0)208 401 0070

 

 

-----Original Message-----
From: Joe [mailto:[EMAIL PROTECTED]
Sent: Thursday, September 11, 2003 6:39 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] New RPC DOS

Actually there should be software poring over the source code looking for holes and highlighting anything that doesn't seem to be bounded. Then people can dig in and look at it.
 
What kind of makes me wonder was previous talks of how W2K3 had overflow protection built-in and we are still patching for these overflows...
 
I have been expecting we would see more published vulns around the DCOM stuff. That is how it works out, someone finds one and then people look harder at that focused area because if one coder screwed up in that one spot, there is a good chance the same coder screwed up around it. Again though I wish there would have been a heads up that such a critical patch was going to be released so it wasn't dropped in the lab on Wednesday and everyone scrambling the rest of the day to get fixes in place.
 
 
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Thursday, September 11, 2003 12:22 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] New RPC DOS

Todd,
 
>> Anyone have a clue as to how Microsoft plans to fix the RPC system to make it more secure?
 
Concentrate maybe one or two more people on looking at error checking on the input into the arrays/buffers in the RPC code?  ;op
 
I mean, really - a vuln lies around waiting for someone to find it for years, and in this short of a time 3 more vulns are found in roughly the same area, just different vectors?  I sure hope that there is a team poring over the code that makes up RPC.
 

Rick Kingslan  MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone
 



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Myrick, Todd (NIH/CIT)
Sent: Wednesday, September 10, 2003 2:15 PM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] New RPC DOS

Our Microsoft TAM notified us of this new issue.  I waited to give them time to publish it to the various news sites. 
 
At 9AM PST, PSS will be announcing a new critical security bulletin (MS03-039).   This bulletin will address an RPC denial-of-service vulnerability in Windows products.    Please take the time today to go to the www.microsoft.com/security site to obtain the patch and directions for implementation.    Just trying to help you stay one step ahead!
 
I think it is very important to get this update on all your DCs, even if they are behind a firewall, ASAP.  We managed to mitigate Blaster but these RPC DOS are starting to get really nasty.
 
Anyone have a clue as to how Microsoft plans to fix the RPC system to make it more secure?
 
Thanks,
 
Todd Myrick
