Saturday, 29 September 2012

A race for MS09 (001) ... get ready for inet crime!

An update on our analysis of MS09-001's patch provided in KB958687. The patch fixes a vulnerability in Microsoft's SMB handling code. An unauthenticated attacker can connect to a host on a local LAN over SMB or utilize DCERPC/SMB over the internet in order to access a vulnerable host.
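For administrators who want to confirm that the KB958687 patch named above is present before worrying about the rest of this post, the following PowerShell check is an added example (not code from the original post or from the authors). It assumes that the update appears under the KB id exactly as the page gives it, and that the host runs PowerShell with the Get-HotFix cmdlet available:

```powershell
# Added example: verify that the MS09-001 fix (KB958687, as named in the post) is installed
# and report whether the SMB ports are listening. Assumption: the update is registered under
# that KB id; Get-HotFix reads Win32_QuickFixEngineering, which does not list every update type,
# so a missing entry is a prompt to check Windows Update history, not proof the host is unpatched.
$kb = 'KB958687'

$fix = Get-HotFix -Id $kb -ErrorAction SilentlyContinue
if ($fix) {
    Write-Output "$kb present (installed $($fix.InstalledOn))"
} else {
    Write-Output "$kb NOT found in Win32_QuickFixEngineering; confirm via update history"
}

# SMB is reachable over TCP 445 (direct) and TCP 139 (NetBIOS session); list listeners on those ports.
$smbPorts = 445, 139
netstat -an | Select-String 'LISTENING' | ForEach-Object {
    if ($_ -match ':(\d+)\s') {
        $port = [int]$Matches[1]
        if ($smbPorts -contains $port) { Write-Output "SMB listener on TCP $port" }
    }
}
```

A host that shows the patch missing and an SMB listener should be prioritised for patching, and SMB should not be exposed beyond the local network in any case.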

We have spent the past day looking into what exactly was patched and have determined that the patch fixes 5 functions in srv.sys that can theoretically lead to remote execution of code (this has yet to be confirmed, or debunked...).

The functions patched in srv.sys are:

SrvSmbWriteMpx()
SrvIpxServerDatagramHandlerCommon()
SrvSmbWriteRaw()
SrvSmbWriteAndX()
SrvSmbOpen()

Our group has already produced functioning code that can in part trigger these functions in the manner that is needed to trigger the three vulnerabilities discussed in the Zero Day Initiative's advisories. Trans/Trans2 here we come :D

The funny thing is, no-one else seems to have posted any information on this or is really getting close to exploiting this in the public domain. What's the deal? Well - blacksec will have to keep ya' updated with the juicy details while the girls catch up eh?

-xort/bannedit-
