SMB Bug - erste Proof of Concepts |
|
---|---|
04.09.2002, 08:06
Ehrenmitglied
Beiträge: 2283 |
|
|
|
06.09.2002, 08:17
Ehrenmitglied
Themenstarter Beiträge: 2283 |
#2
Nachdem nun die ersten Tools raus sind, konnte auch getestet werden:
Hier die Ergebnisse: server1 Windows 2000 Server Hardend Did not work server2 Windows 2000 Server Hardend Did not work app server 1 Windows 2000 Server Hardend Did not work Workstation 1 Windows 2000 Professional Partially Hardened (only restrict anonymous) Did not work Workstation 2 Windows 2000 Professional No Hardening WORKED...blue screen, shutdown, checkdisk Workstation 3 Windows XP Hardend WORKED...blue screen and a shutdown .net server Windows .NET No Hardening WORKED...blue screen and a shutdown server 3 Windows 2000 Server No Hardening WORKED...blue screen and a shutdown Server 4 NT 4.0 TSE Hardened WORKED...blue screen and a shutdown Workstation 5 Windows XP Hardend WORKED...blue screen and a shutdown Workstation 6 NT 4.0 SP6a No Hardening WORKED...blue screen and a shutdown and a memory dump Workstation 7 NT 4.0 SP6a No Hardening but restrictanonmyous was enabled WORKED...blue screen and a shutdown tested by: dwreck@hushmail.com __________ powered by http://different-thinking.de - Netze, Protokolle, Sicherheit, ... Dieser Beitrag wurde am 06.09.2002 um 08:40 Uhr von Robert editiert.
|
|
|
06.09.2002, 08:25
Ehrenmitglied
Themenstarter Beiträge: 2283 |
#3
Es scheint so, als ob es bei Windows 2000 Clients und Server genügt, den Zugriff für "Anonymous" zu unterbinden. Dies geschieht über:
RestrictAnonymous Registry Value Use Registry Editor to view the following registry key, and then add the following value to this key, or modify it if the value already exists: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA Value: RestrictAnonymous Value Type: REG_DWORD Value Data: 0x2 (Hex) Restart the computer after any change to the RestrictAnonymous key in the registry. When the RestrictAnonymous registry value is set to 2, the access token built for non-authenticated users does not include the Everyone group, and because of this, the access token no longer has access to those resources which grant permissions to the Everyone group. This could cause undesired behavior because many Windows 2000 services, as well as third-party programs, rely on anonymous access capabilities to perform legitimate tasks. For example, when an administrator in a trusting domain wants to grant local access to a user in a trusted domain, there may be a need to enumerate the users in the trusted domain. Because the trusted domain cannot authenticate the administrator in the trusting domain, an anonymous enumeration may be used. The benefits of restricting the capabilities of anonymous users from a security perspective should be weighed against the corresponding requirements of services and programs that rely on anonymous access for complete functionality. The following tasks are restricted when the RestrictAnonymous registry value is set to 2 on a Windows 2000-based domain controller: Down-level member workstations or servers are not able to set up a netlogon secure channel. Down-level domain controllers in trusting domains are not be able to set up a netlogon secure channel. Microsoft Windows NT users are not able to change their passwords after they expire. Also, Macintosh users are not able to change their passwords at all. The Browser service is not able to retrieve domain lists or server lists from backup browsers, master browsers or domain master browsers that are running on computers with the RestrictAnonymous registry value set to 2. Because of this, any program that relies on the Browser service does not function properly. Because of these results, it is not recommended that you set the RestrictAnonymous registry value to 2 in mixed-mode environments that include down-level clients. Setting the RestrictAnonymous registry value to 2 should only be considered in Windows 2000 environments only, and after sufficient quality assurance tests have verified that appropriate service levels and program functionality is maintained. NOTE: Pre-defined "High Secure" security templates set the RestrictAnonymous registry value to 2, and because of this, caution should be used when using these templates. For additional information about the RestrictAnonymous registry value, click the article number below to view the article in the Microsoft Knowledge Base: Q178640 Could Not Find Domain Controller When Establishing a Trust RestrictAnonymous is set by changing the registry key to 0 or 1 for Windows NT 4.0 or to 0, 1, or 2 for Windows 2000. These numbers correspond to the following settings: 0 None. Rely on default permissions 1 Do not allow enumeration of SAM accounts and names 2 No access without explicit anonymous permissions http://support.microsoft.com/default.aspx?scid=kb;en-us;Q246261 Bei Windows NT Systemen kann diese Beobachtung nicht bestätigt werden! Robert __________ powered by http://different-thinking.de - Netze, Protokolle, Sicherheit, ... |
|
|
A denial of service vulnerability affects the Server Message Block (SMB) protocol used for sharing files, printers, and other resources on a Windows network. A maliciously crafted SMB request can remotely crash a target computer, or possibly execute arbitrary code. Windows NT, 2000, and XP are all vulnerable. Check out security bulletin MS02-045 for a details and a patch; alternatively, set your network's perimeter firewall to block TCP ports 445 and 139
Infos:
http://www.microsoft.com/technet/treeview/?url=/technet/security/bulletin/MS02-045.asp
Da nun schon die ersten beiden Programme aufgetaucht sind, die diese Lücke nutzen, sollte der geneigte User über ein installieren des Patches nachdenken
Patches:
Microsoft Windows NT 4.0:
http://www.microsoft.com/downloads/Release.asp?ReleaseID=41493
Microsoft Windows NT 4.0 Terminal Server Edition:
http://www.microsoft.com/downloads/Release.asp?ReleaseID=41519
Microsoft Windows 2000:
http://www.microsoft.com/downloads/Release.asp?ReleaseID=41468
Microsoft Windows XP:
http://www.microsoft.com/downloads/Release.asp?ReleaseID=41524
Microsoft Windows XP 64 bit Edition:
http://www.microsoft.com/downloads/Release.asp?ReleaseID=41549
Robert
__________
powered by http://different-thinking.de - Netze, Protokolle, Sicherheit, ...