TUCoPS :: Windows :: hack0676.htm

ms04-031 pre-auth ??
We have located the vulnerable function and just recently wrote the 
CANVAS module for it, but all our tests showed that the NetDDE 
vulnerability cannot be exploited with a NULL session, a.k.a. 
with "Anonymous Logon" credentials.

Here are some reasons why we think NetDDE RPC interface procedure calls 
can only be made after authentication (as any local or domain user): 

1- The \pipe\nddeapi named pipe does not have the "Anonymous Logon" credentials
2- HKLM\SYSTEM\ControlSet001\Services\lanmanserver\parameters\NullSessionPipes 
does not list the nddeapi pipe in any of the current Windows OS installs 
3- \pipe\nddeapi is not hardcoded in the srv.sys driver (please check: )

Please feel free to correct us! We will be delighted to hear that this 
vuln is actually pre-auth ;)

The most puzzling question is why Microsoft "up-plays" this 
vulnerability's severity rather than making the usual downplaying efforts. 
I remember a good friend reporting them a remote ring-0 vulnerability 
in Terminal Services which they silently fixed in SP3 and didn't even bother 
to credit him for, because they simply believe only a remote DoS can be achieved 
with a remote kernel overflow!! So does that mean MS changed its policy 
regarding vulnerability severity assessment, or do they have an ongoing love 
relationship with NGS? Puzzles the mind ;)

Sinan Eren
Immunity Research
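The three conditions the post lists can be checked on a target host with the script below. It is an added example written for this page, not code from the post, Immunity, or NGS. It assumes a modern Windows PowerShell session run as Administrator, reads the live CurrentControlSet rather than ControlSet001, treats a missing RestrictNullSessAccess value as the default of 1, and only attempts the pipe ACL check if Sysinternals accesschk.exe is on PATH (its `-nobanner`/`-accepteula` switches and the `\pipe\<name>` target syntax are assumed from the tool's documented usage). The srv.sys/srv2.sys string search looks for the pipe name as UTF-16LE, since driver strings are wide characters.

```powershell
# Added example (not from the original post): does \pipe\nddeapi look
# reachable over a NULL session? Run elevated on the Windows host under test.
function Test-NullSessionPipe {
    param(
        [string]$PipeName = 'nddeapi',
        # Hypothetical default; the post's value is ControlSet001, which may not be the live set.
        [string]$ParamsKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    )

    # 1. Is the pipe currently exposed at all? Enumerate \\.\pipe\ and match the leaf name.
    $pipes = [System.IO.Directory]::GetFiles('\\.\pipe\') | ForEach-Object { Split-Path $_ -Leaf }
    $pipePresent = [bool]($pipes -contains $PipeName)

    # 2. Is it on the NullSessionPipes list (REG_MULTI_SZ) and is null-session
    #    access actually restricted to that list (RestrictNullSessAccess = 1)?
    $params = Get-ItemProperty -Path $ParamsKey -ErrorAction Stop
    $nullPipes = @($params.NullSessionPipes)           # empty array if value absent
    $listed = [bool]($nullPipes -contains $PipeName)   # -contains is case-insensitive
    $restrict = $params.RestrictNullSessAccess
    if ($null -eq $restrict) { $restrict = 1 }          # assumption: default is 1 when unset

    # 3. Is the pipe name hardcoded in the SMB server driver? Search srv.sys and
    #    srv2.sys (whichever exist) for the name encoded as UTF-16LE.
    $wideName = [System.Text.Encoding]::Unicode.GetBytes($PipeName)
    $hardcoded = @{}
    foreach ($drv in 'srv.sys', 'srv2.sys') {
        $path = Join-Path "$env:SystemRoot\System32\drivers" $drv
        if (-not (Test-Path $path)) { continue }
        $bytes = [System.IO.File]::ReadAllBytes($path)
        # Decode the whole image as UTF-16 and look for the name; good enough for a
        # quick "is this string present" check, not a full PE string dump.
        $text = [System.Text.Encoding]::Unicode.GetString($bytes)
        $hardcoded[$drv] = $text.IndexOf($PipeName, [System.StringComparison]::OrdinalIgnoreCase) -ge 0
    }

    # Optional: pipe ACL via Sysinternals accesschk, if available. Any line that
    # mentions ANONYMOUS LOGON (or Everyone) is worth reading by hand.
    $aclHits = @()
    $accesschk = Get-Command accesschk.exe -ErrorAction SilentlyContinue
    if ($accesschk -and $pipePresent) {
        $aclHits = & $accesschk.Source -nobanner -accepteula "\pipe\$PipeName" 2>$null |
            Select-String -Pattern 'ANONYMOUS LOGON|Everyone' | ForEach-Object { $_.Line.Trim() }
    }

    [pscustomobject]@{
        PipeName               = $PipeName
        PipePresent            = $pipePresent
        InNullSessionPipes     = $listed
        NullSessionPipes       = ($nullPipes -join ', ')
        RestrictNullSessAccess = [int]$restrict
        HardcodedInDriver      = $hardcoded
        AnonymousAclLines      = $aclHits
        # Pre-auth reachability requires the pipe to exist AND either be listed or
        # restriction disabled; the ACL must then still grant ANONYMOUS LOGON access.
        LikelyNullSessionReach = ($pipePresent -and ($listed -or [int]$restrict -eq 0))
    }
}

Test-NullSessionPipe -PipeName 'nddeapi' | Format-List
```

`LikelyNullSessionReach` only reflects the server-side listing and the RestrictNullSessAccess policy; even when it is true, the pipe's own DACL (the accesschk output) and the RPC interface's security callback decide whether an anonymous caller gets past the bind, so treat a true result as "worth testing", not as proof of a pre-auth path.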

