Re: NULL sessions on Windows 2000 systems [Was: Re: [Full-disclosure] Re:It's not that simple...]

Thu, 18 Aug 2005 06:58:51 -0700

You imply with 'hard-coded' that removing them from the registry does not help. This is new to me? Can you plz. elaborate? ----- Original Message ----- From: "Jean-Baptiste Marchand" <[EMAIL PROTECTED]> 
To: <[email protected]>
Sent: Thursday, August 18, 2005 9:58 AM
Subject: NULL sessions on Windows 2000 systems [Was: Re: [Full-disclosure] Re:It's not that simple...] 



* yossarian <[EMAIL PROTECTED]>:


In the original X-Force paper named pipes were mentioned besides Null

Sessions. Does it need both or either one - the paper isn't clear on 
this?
The named pipes seem to have dropped from all discussion.... Anyway, 
never
broke anything by disabling them, either. This is a registry hack 
described

in the MS Hardening guides for 2000 and 2003 server. Just like Null
sessions. Elsewhere dunno, but probably, never bothered.


A NULL session usually refers to an anonymous connection to the IPC$
share, giving remote access to named pipes.

Some named pipes can be opened anonymously (these named pipes appear in
the NullSessionPipes registry value), i.e. in the context of a NULL
session.

In addition, 6 named pipes are harcoded in Windows 2000 and can always
be opened anonymously:

http://www.hsc.fr/ressources/presentations/null_sessions/img7.html

The recent PnP vulnerability (MS05-039) can be anonymously exploited on
Windows 2000 systems with 139/tcp or 445/tcp open, *except* if the
RestrictAnonymous registry value is set to 2.

This is because the only way to disable NULL sessions *entirely* on
Windows 2000 is to set RestrictAnonymous to 2:

http://www.hsc.fr/ressources/presentations/null_sessions/img23.html

Please read my recent presentation about NULL sessions, many people seem
to know about NULL sessions but fewer people really understand the
technical details:

http://www.hsc.fr/ressources/presentations/null_sessions/


--
Jean-Baptiste Marchand
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html

Hosted and sponsored by Secunia - http://secunia.com/ 


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/














    











					Reply via email to