<<< Date Index >>>     <<< Thread Index >>>

ms04-031 pre-auth ??



http://www.microsoft.com/technet/security/bulletin/ms04-031.mspx

We have located the vulnerable function and just recently wrote the 
CANVAS module for it but all our tests showed that the NetDDE 
vulnerability can not be exploited with a NULL session a.k.a 
with "Anonymous Logon" credentials.

Here are some reasons why we think NetDDE rpc interface procedure calls 
can only be done after authentication (any local or domain user) 

1- \pipe\nddeapi named pipe do not have the "Anonymous Logon" credentials
2- HKLM\SYSTEM\ControlSet001\Services\lanmanserver\parameters\NullSessionPipes 
do not list the nddeapi pipe in any of the current windows OS installs 
3- \pipe\nddeapi is not hardcoded in the srv.sys driver (please check:
http://www.hsc.fr/ressources/articles/win_net_srv/index.html.en#htoc33 )

Please feel free to correct us! We will be delighted to hear that this 
vuln is actually a pre-auth ;)

The most puzzling question is why does Microsoft "upplays" this 
vulnerabilities severity rather than the usual downplaying efforts ?
I remember a good friend reporting them a remote ring-0 vulnerability 
in terminal services which they silently fixed in SP3 and dont even bother 
to credit him because they simply believe only remote DOS can be achieved 
with a remote kernel overflow!! So does that mean MS changed its policy 
regarding vulnerability severity assesment or they have a ongoing love 
relation with NGS ? puzzles the mind ;)

cheers,
Sinan Eren
Immunity Research