Executive Summary (quoted from the Microsoft bulletin). This security update resolves a privately reported vulnerability in the Server service. The vulnerability could allow remote code execution if an affected system received a specially crafted RPC request. On Microsoft Windows 2000, Windows XP, and Windows Server 2003 systems, an attacker could exploit this vulnerability without authentication to run arbitrary code. It is possible that this vulnerability could be used in the crafting of a wormable exploit.
1. MS08-067. Miles Strombach, 11/06/2008
3. What does that mean? RPC – Remote Procedure Call
Bug in an RPC server (the Server service, which handles file and print sharing)
A specially crafted RPC request can trigger code execution
The Server service runs as LocalSystem, so code execution means full control of the box
Vista and Server 2008 are much harder to exploit (rated Important rather than Critical; see slide 6)
Firewalls can block it: the request arrives on TCP 139/445
4. Details. Carried over SMB/CIFS (TCP 445) or NetBIOS (TCP 139)
Most perimeter firewalls drop those ports by default, so the exposure is mainly inside the LAN
XP and 2003 always allow anonymous access to the “browser” named pipe, so no credentials are needed to reach the vulnerable RPC interface
5. How it works. In the function that canonicalizes path names (collapsing “\..\” components)
_tcscpy_s(previousLastSlash, pBufferEnd - previousLastSlash, ptr + 2);
_tcscpy_s is a macro: it expands to wcscpy_s (Unicode build) or strcpy_s (ANSI build)
Certain paths (a “\..\” with no component left in front of it) move previousLastSlash before the start of the buffer, so the copy overwrites memory outside it
6. Why Vista/2k8 are ‘safe’. Address space layout randomization (ASLR)
NX bit (DEP)
/GS Visual Studio switch (stack buffer check)
Doesn’t work here! The write goes through a pointer that has moved before the buffer, not past its end, so the stack cookie is never touched
Service restart policy (limits repeated crash-and-retry attempts)
Authentication required to reach the vulnerable code path (if you left UAC on)
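A simplified model of the slide 5 bug and of the slide 6 /GS point, added here as an illustration. This is not the Windows code and it is not from the deck: the canonicalizer, the struct arena with its guard and cookie fields, and the function names are all hypothetical reconstructions. It handles only the “\..\” form of dot-dot, which is enough to show the mechanism: the backward scan for previousLastSlash has no lower bound, so one “..” too many walks below the buffer and the copy (the slide's _tcscpy_s step) lands there. Because the write goes downward, a cookie placed above the buffer, where a /GS cookie would sit, is never disturbed. The hardened version refuses any “..” that would climb above the buffer start.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical reconstruction of a "\..\" canonicaliser, not the Windows code.
 * The working buffer sits between a guard region (lower addresses) and a cookie
 * (higher addresses, where a /GS cookie would live). guard[0] holds a backslash
 * so the unbounded backward scan stops inside the guard instead of running off
 * this object, and the bad copy lands there where we can detect it. */
struct arena {
    char guard[16];
    char path[64];
    char cookie[8];
};

static void arena_init(struct arena *a, const char *input)
{
    memset(a->guard, 'G', sizeof a->guard);
    a->guard[0] = '\\';
    memset(a->path, 0, sizeof a->path);
    strncpy(a->path, input, sizeof a->path - 1);
    memset(a->cookie, 'C', sizeof a->cookie);
}

/* Vulnerable: the backward search for previousLastSlash has no lower bound. */
static void canon_vulnerable(char *path)
{
    char *search = path, *dots;
    while ((dots = strstr(search, "\\..\\")) != NULL) {
        char *ptr = dots + 1;                  /* ptr -> ".." as on slide 5 */
        char *previousLastSlash = dots - 1;    /* slash opening the component before ".." */
        while (*previousLastSlash != '\\')     /* missing: previousLastSlash >= path */
            previousLastSlash--;
        memmove(previousLastSlash, ptr + 2, strlen(ptr + 2) + 1);  /* the _tcscpy_s step */
        search = previousLastSlash;            /* copied text may hold another "\..\" */
    }
}

/* Hardened: refuse any ".." that would climb above the start of the buffer. */
static int canon_fixed(char *path)
{
    char *search = path, *dots;
    while ((dots = strstr(search, "\\..\\")) != NULL) {
        char *ptr = dots + 1, *previousLastSlash;
        if (dots == path)
            return 0;                          /* "\..\" with nothing before it */
        previousLastSlash = dots - 1;
        while (previousLastSlash > path && *previousLastSlash != '\\')
            previousLastSlash--;
        if (*previousLastSlash != '\\')
            return 0;                          /* relative path: no slash to climb to */
        memmove(previousLastSlash, ptr + 2, strlen(ptr + 2) + 1);
        search = previousLastSlash;
    }
    return 1;
}

/* 1 if the vulnerable routine wrote into the guard, i.e. before the buffer. */
static int vulnerable_underflows(const char *input)
{
    struct arena a;
    arena_init(&a, input);
    canon_vulnerable(a.path);
    if (a.guard[0] != '\\') return 1;
    for (size_t i = 1; i < sizeof a.guard; i++)
        if (a.guard[i] != 'G') return 1;
    return 0;
}

/* 1 if the cookie above the buffer is intact after the vulnerable routine:
 * the write went downward, so a /GS-style check would never fire. */
static int cookie_survives(const char *input)
{
    struct arena a;
    arena_init(&a, input);
    canon_vulnerable(a.path);
    for (size_t i = 0; i < sizeof a.cookie; i++)
        if (a.cookie[i] != 'C') return 0;
    return 1;
}

static int fixed_gives(const char *input, const char *expected)
{
    struct arena a;
    arena_init(&a, input);
    return canon_fixed(a.path) && strcmp(a.path, expected) == 0;
}

static int fixed_rejects(const char *input)
{
    struct arena a;
    arena_init(&a, input);
    return canon_fixed(a.path) == 0;
}

int main(void)
{
    const char *bad = "\\c\\..\\..\\d";        /* constructed input: one ".." too many */
    printf("vulnerable writes before buffer: %d\n", vulnerable_underflows(bad));
    printf("cookie above buffer untouched:   %d\n", cookie_survives(bad));
    printf("fixed rejects it:                %d\n", fixed_rejects(bad));
    return 0;
}
```

The guard and cookie exist only so the underflow stays inside one object and can be observed; in the real service the same downward write hits whatever happens to sit below the stack buffer, which is why the /GS cookie above it gives no protection and why an attacker-chosen payload after the “..” sequences matters.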
7. Sources
http://www.microsoft.com/technet/security/Bulletin/MS08-067.mspx
http://blogs.technet.com/swi/archive/2008/10/25/most-common-questions-that-we-ve-been-asked-regarding-ms08-067.aspx
http://blogs.msdn.com/sdl/archive/2008/10/22/ms08-067.aspx
http://www.developer.com/security/article.php/11580_3417861_2