Win 2K3 server and XP vulnerabilities
Well, I got a mail from someone, Trancer, showing 2 holes on one of the mailing lists, and I would love to share it with AntiOnline members.
He starts:
Quote:
Hello, I'm Moshe BA from Israel, a.k.a. Trancer, and I would like to report 4-5 security bugs/vulnerabilities which I found.
Next:
Quote:
The first one is two Windows Server 2003 security vulnerabilities. Windows 2003 Server has a built-in Command Line Interpreter (I don't know if this service is enabled by default, but I've tested this on 9 systems, and in 7 of them it worked), which means that you can send commands to it using the HTTP (TCP) method (the web browser) by trying to access the server on port 19338 like this:
http://admin@<ip>:19338/cmd.cgi?cmd=<EnterCommandHere>
That will cause the server to run the command from the $ROOT$ drive, which may be either C/D/E or any other drive defined by the owner / admin of the machine.
Note that no username or password is required.
Quote:
2. Windows 2003 Server has a built-in Telnet service (disabled by default) that listens for open connections on port 3382.
An attacker can exploit the first vulnerability (#1 above) and write these commands there:
"sc config TlntSvr start= auto"
and then:
"net start TlntSvr"
Then the attacker has FULL access to the system.
Only a password is required, and because I've just enabled this service, the password is also set to default:
Password: tlntadmn
Note that if this service is already enabled, the password will be wrong (only if the system admin changed it).
If that service is already enabled with another password, the attacker can open a sharing service or any other service that can give him easy access to the system.
Quote:
The third one is Windows NT (2000\XP\2003) ICMPv6 Flooding.
This little Denial of Service attack works just like an ICMP flood, but it uses the Ping6 tool (in an IPv6-enabled Windows OS or an IPv6-enabled *nix OS).
This attack is also good because Microsoft's Internet Connection Firewall is unable to block IPv6 traffic.
This is maybe a slow attack but effective; it also depends on the attacker's and victim's bandwidth.
An exploit for this can be easily made, and I am working on one.
I didn't test any of these because of the unavailability of a Win 2K3 server. I suppose someone can do it for AO members.
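For anyone reviewing their own servers against the first two claims above, the following is an added example (not part of Trancer's mail or this post) that scans web-server access log lines for requests to the described cmd.cgi interface and flags the two Telnet-enabling commands the mail quotes. The log format and the sample lines are constructed for the example, not captured from a real system.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access log (not real traffic): client - [time] "METHOD target proto" status
SAMPLE_LOG = """\
10.0.0.5 - [01/Jan/2005:10:00:00] "GET /index.html HTTP/1.1" 200
10.0.0.9 - [01/Jan/2005:10:00:03] "GET /cmd.cgi?cmd=dir HTTP/1.1" 200
10.0.0.9 - [01/Jan/2005:10:00:07] "GET /cmd.cgi?cmd=sc%20config%20TlntSvr%20start%3D%20auto HTTP/1.1" 200
10.0.0.9 - [01/Jan/2005:10:00:09] "GET /cmd.cgi?cmd=net+start+TlntSvr HTTP/1.1" 200
10.0.0.7 - [01/Jan/2005:10:01:00] "GET /status.cgi?cmd=show HTTP/1.1" 200
"""

# One common-log-style line: client, ident, [timestamp], "request", status
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d+)'
)

# The two commands the mail says would be issued to enable the Telnet service.
SERVICE_ENABLE_RE = re.compile(
    r'\b(sc\s+config\s+TlntSvr|net\s+start\s+TlntSvr)\b', re.IGNORECASE
)


def parse_line(line):
    """Parse one log line into a dict; URL-decode the query string. None if malformed."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    parts = urlsplit(entry['target'])
    entry['path'] = parts.path
    entry['query'] = parse_qs(parts.query)   # decodes %20, %3D and '+' for us
    return entry


def classify(entry):
    """Label a parsed entry, or return None when it is not a cmd.cgi request."""
    if entry['path'].lower() != '/cmd.cgi':
        return None
    cmds = entry['query'].get('cmd', [])
    if not cmds:
        return 'cmd.cgi access without command'
    cmd = cmds[0]
    if SERVICE_ENABLE_RE.search(cmd):
        return f'telnet service enable attempt: {cmd}'
    return f'remote command attempt: {cmd}'


def scan_log(text):
    """Return (client, label) for every suspicious line in the log text."""
    findings = []
    for line in text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        label = classify(entry)
        if label:
            findings.append((entry['client'], label))
    return findings
```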