Win 2K3 server and XP vulnerabilities
  1. #1 Senior Member (Join Date May 2003, Posts 472)

    Win 2K3 server and XP vulnerabilities

    Well, I got a mail from someone, Trancer, showing 2 holes on one of the mailing lists, and I would love to share it with AntiOnline members.

    He starts:
    Hello, I'm Moshe BA from Israel, a.k.a. Trancer, and I would like to report 4-5 security bugs/vulnerabilities which I found.
    Next:

    The first one is two Windows Server 2003 security vulnerabilities. Windows 2003 Server has a built-in Command Line Interpreter (I don't know if this service is enabled by default, but I've tested this on 9 systems, and in 7 of them it worked), which means that you can send commands to it using the HTTP (TCP) method (the web browser) by trying to access the server on port 19338 like this:

    http://admin@<ip>:19338/cmd.cgi?cmd=<EnterCommandHere>

    That will cause the server to run the command from the $ROOT$ drive, which may be C/D/E or any other drive defined by the owner/admin of the machine.
    Note that no username or password are required.
    2. Windows 2003 Server has a built-in Telnet service (disabled by default) that listens for open connections on port 3382.
    An attacker can exploit the first vulnerability (#1 above) and write these commands there:

    "sc config TlntSvr start= auto"
    and then:
    "net start TlntSvr"

    Then the attacker has FULL access to the system.
    Only a password is required, and because I've just enabled this service, the password is also set to the default:
    Password: tlntadmn

    Note that if this service is already enabled, the password will be wrong (only if the system admin changed it).
    If that service is already enabled with another password, the attacker can open a sharing service or any other service that can give him easy access to the system.
    The third one is Windows NT (2000\XP\2003) ICMPv6 Flooding.
    This little Denial of Service attack works just like an ICMP flood but it uses the Ping6 tool (in an IPv6-enabled Windows OS or an IPv6-enabled *nix OS).
    This attack is also good because Microsoft's Internet Connection Firewall is unable to block IPv6 traffic.
    This is maybe a slow attack but effective; it also depends on the attacker's and victim's bandwidth.
    An exploit for this can be easily made, and I am working on one.
    I didn't test any of these because of the unavailability of a Win 2K3 server. I suppose someone can do it for AO members.
    guru@linux:~> who | grep -i blonde | talk; cd ~; wine; talk; touch; unzip; touch; strip; gasp; finger; mount; fsck; more; yes; gasp; umount; make clean; sleep;
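The thread never settles whether the cmd.cgi interface on port 19338 exists. The following is an added example, not code from the post or from Trancer, that anyone with a test box can run to settle it for their own host: it sends exactly one benign command (ver) to the URL shape the post gives and classifies the reply rather than assuming anything. The port, path and "cmd" parameter are taken from the post and are unverified; the "Microsoft Windows" banner check, the verdict names and the local fake listener used for the offline self-test are assumptions made here.

```python
# Added example (not from the post or any vendor tool): probe the claimed
# "cmd.cgi" command interface on TCP 19338 with ONE benign command and
# classify the reply. Port, path and parameter name come from the post and
# are unverified; everything else here is an assumption.
import socket
import threading
from urllib.parse import quote

CLAIMED_PORT = 19338  # from the post, not confirmed by anyone in the thread


def build_request(host, cmd="ver"):
    """Raw HTTP/1.0 GET for http://admin@<ip>:19338/cmd.cgi?cmd=<cmd>.

    The 'admin@' in the post's URL is only userinfo; a browser might turn it
    into a Basic Authorization header. The post says no credentials are
    required, so none are sent and the reply decides.
    """
    return (f"GET /cmd.cgi?cmd={quote(cmd)} HTTP/1.0\r\n"
            f"Host: {host}:{CLAIMED_PORT}\r\n"
            "Connection: close\r\n\r\n").encode()


def classify(raw):
    """Map a raw reply to a verdict. 'ver' on Windows Server 2003 prints
    'Microsoft Windows [Version 5.2.3790]'; that banner is the only marker used."""
    if not raw:
        return "no-response"
    head, _, body = raw.partition(b"\r\n\r\n")
    status = head.split(b"\r\n", 1)[0].split()
    if not status or not status[0].startswith(b"HTTP/"):
        return "not-http"
    code = status[1] if len(status) > 1 else b""
    if code == b"401":
        return "auth-required"
    if code != b"200":
        return "http-" + code.decode(errors="replace")
    if b"Microsoft Windows" in body:
        return "command-output"
    return "http-200-no-output"


def probe(host, port=CLAIMED_PORT, cmd="ver", timeout=3.0):
    """Connect, send the request, read until the peer closes, classify."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(build_request(host, cmd))
            chunks = []
            while True:
                chunk = s.recv(4096)
                if not chunk:
                    break
                chunks.append(chunk)
    except ConnectionRefusedError:
        return "closed"
    except OSError:  # timeout, no route, reset, ...
        return "unreachable"
    return classify(b"".join(chunks))


def fake_listener(reply):
    """Constructed local stand-in for the offline self-test only: accepts one
    connection on a random 127.0.0.1 port, sends 'reply', closes. Returns the port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        with conn:
            conn.recv(4096)
            conn.sendall(reply)
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def closed_port():
    """A 127.0.0.1 port with nothing listening (bound briefly, then released)."""
    s = socket.socket()
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    print(target, "->", probe(target))
```

Run it as `python probe.py <ip>` against a host you are authorised to test. "closed" or "unreachable" on a fresh Windows Server 2003 install is the result that refutes the first claim for that host; "command-output" is the only verdict that supports it, and "auth-required" would contradict the "no username or password" part specifically.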

  2. #2 NeuTron, AO Veteran (Join Date Apr 2003, Posts 550)
    Excellent Info! I'd love to test it myself.

  3. #3 Antionline Herpetologist (Join Date Aug 2001, Posts 1,165)
    Quote:
    The first one is two Windows Server 2003 security vulnerabilities. Windows 2003 Server has a built-in Command Line Interpreter (I don't know if this service is enabled by default, but I've tested this on 9 systems, and in 7 of them it worked), which means that you can send commands to it using the HTTP (TCP) method (the web browser) by trying to access the server on port 19338 like this:

    http://admin@<ip>:19338/cmd.cgi?cmd=<EnterCommandHere>

    That will cause the server to run the command from the $ROOT$ drive, which may be C/D/E or any other drive defined by the owner/admin of the machine.
    Note that no username or password are required.

    There goes my intention to try Windows 2003 out. I'm not defiling my comp with it until it gets to SP1 or SP2.
    Cheers,
    cgkanchi
    Buy the Snakes of India book, support research and education (sorry the website has been discontinued)
    My blog: http://biology000.blogspot.com

  5. #5 br_fusion, Senior Member (Join Date Apr 2002, Posts 167)
    This is sort of like that exploit for Windows XP, the "hxf:.... " one. Let's hope it gets patched up quick.

    Now I'm going to have to tell my friend that Windows 2003 is not as perfect as he once thought.

  6. #6 MrLinus, Just a Virtualized Geek (Join Date Sep 2001, Location Redondo Beach, CA, Posts 7,324)
    **Removed Warl0ck7's post** It is not recommended to post IP addresses to be "audited". Auditing should be done by those whose credentials you can verify on both the auditor and the source side.

    If you have questions, PM me.
    Goodbye, Mittens (1992-2008). My pillow will be cold without your purring beside my head
    Extra! Extra! Get your FREE copy of Insight Newsletter||MsMittens' HomePage

  7. #7 Just Another Geek (Join Date Jul 2002, Location Rotterdam, Netherlands, Posts 3,401)
    Well, I looked at this and I cannot confirm any of it. I also found the same post on vuln-dev and people there cannot confirm it either.
    Oliver's Law:
    Experience is something you don't get until just after you need it.

  8. #8 Senior Member (Join Date Jun 2003, Posts 188)
    Excellent, tested all positive.
    Secondly, a tool named Hgod.exe was very well able to do an effective ICMP DoS on both XP and 2003 Server. Also NetBIOS exploit tools such as SMBRELAY and NBNAME work successfully on Windows 2003 Server.

  9. #9 Senior Member (Join Date May 2003, Posts 472)
    Warl0ck can post the details about the 1st and 2nd holes' tests, as SirDice writes that most of the people on the mailing list were not able to confirm it... SirDice failed to test it himself and even I wasn't able to test it... especially the first one... because it can be exploited remotely....

    If it had been tested positive I think M$ would have issued a fix by now.... and if M$ is ignorant about it (I don't believe it to be so).... then it could be possible to give an advisory.
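Posts #8 and #9 disagree about whether the first two holes test positive, and the second hole's test consists of flipping TlntSvr to auto-start and starting it. Whoever tried that on a real box should confirm the service went back to its shipped state afterwards. The following is an added example, not from any post in this thread: a small audit helper that parses the output of `sc qc TlntSvr` and `sc query TlntSvr` (the real sc.exe layout) and reports exactly the two changes that step makes, plus the inverse commands. The service name and the two commands are those given in the post; the sample outputs are constructed for the offline self-test, and `audit_live` only works on a Windows host.

```python
# Added example (not from the post): audit helper for the post's second step,
# which flips TlntSvr to auto-start and starts it. Parses 'sc qc' / 'sc query'
# output (real sc.exe layout) and reports the state that step leaves behind.
# Sample outputs below are constructed; the live path needs Windows sc.exe.
import re
import subprocess

# Constructed sample: 'sc qc TlntSvr' after "sc config TlntSvr start= auto".
QC_AUTO = """[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: TlntSvr
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\\WINDOWS\\system32\\tlntsvr.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : Telnet
        DEPENDENCIES       : RPCSS
        SERVICE_START_NAME : NT AUTHORITY\\LocalService
"""
# Constructed sample: the shipped default (Telnet disabled).
QC_DISABLED = QC_AUTO.replace("2   AUTO_START", "4   DISABLED")

# Constructed sample: 'sc query TlntSvr' after "net start TlntSvr".
QUERY_RUNNING = """
SERVICE_NAME: TlntSvr
        TYPE               : 10  WIN32_OWN_PROCESS
        STATE              : 4  RUNNING
                                (STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0
"""
QUERY_STOPPED = QUERY_RUNNING.replace("4  RUNNING", "1  STOPPED")

# One 'NAME : value' line of sc.exe output; continuation lines such as
# "(STOPPABLE, ...)" and the "[SC] ..." banner do not match and are skipped.
FIELD = re.compile(r"^\s*([A-Z0-9_]+)\s*:\s*(.*?)\s*$")


def parse_sc(output):
    """Turn sc.exe's 'NAME : value' lines into a dict; other lines are ignored."""
    fields = {}
    for line in output.splitlines():
        m = FIELD.match(line)
        if m:
            fields[m.group(1)] = m.group(2)
    return fields


def telnet_findings(qc_output, query_output, service="TlntSvr"):
    """Findings for the two changes the post's step makes, in fixed order."""
    qc, q = parse_sc(qc_output), parse_sc(query_output)
    findings = []
    if qc.get("SERVICE_NAME") != service:
        findings.append(f"{service}: unexpected or missing sc qc output")
        return findings
    if "AUTO_START" in qc.get("START_TYPE", ""):
        findings.append(f"{service} start type is AUTO_START")
    if "RUNNING" in q.get("STATE", ""):
        findings.append(f"{service} is RUNNING")
    return findings


def remediation(service="TlntSvr"):
    """The inverse of the post's two commands (standard sc/net syntax)."""
    return [f"net stop {service}", f"sc config {service} start= disabled"]


def audit_live(service="TlntSvr"):
    """Run sc.exe on the local host (Windows only) and return findings."""
    qc = subprocess.run(["sc", "qc", service], capture_output=True, text=True).stdout
    q = subprocess.run(["sc", "query", service], capture_output=True, text=True).stdout
    return telnet_findings(qc, q, service)


if __name__ == "__main__":
    for finding in telnet_findings(QC_AUTO, QUERY_RUNNING):
        print("FINDING:", finding)
    print("to revert:", "; ".join(remediation()))
```

On the box itself, `audit_live()` returning an empty list means the service is neither auto-start nor running, which is the shipped state the post describes; any finding means the second step's changes are still in place and `remediation()` lists the commands that undo them.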
