70 likes | 424 Views
Executive Summary. This security update resolves a privately reported vulnerability in the Server service. The vulnerability could allow remote code execution if an affected system received a specially crafted RPC request. On Microsoft Windows 2000, Windows XP, and Windows Server 2003 systems, an attacker could exploit this vulnerability without authentication to run arbitrary code. It is possible that this vulnerability could be used in the crafting of a wormable exploit. Firewall best practice288
E N D
1. MS 08-067 Miles Strombach
11/06/2008
3. What does that mean? RPC – Remote Procedure Call
Bug in RPC server
Special RPC request could allow code exec
Server service runs with Admin privileges
Vista and Server 2008 not vulnerable
Firewalls can block
4. Details Carried over CIFS or NetBIOS
Most firewalls drop those packets
XP and 2003 always allow anonymous access to “browser” named pipe
5. How it works In function to canonicalize path names
_tcscpy_s(previousLastSlash, pBufferEnd - previousLastSlash, ptr + 2);
Expands to macro
Certain paths can cause previousLastSlash to get clobbered
6. Why Vista/2k8 are ‘safe’ Address space layout randomization
NX bit
/GS Visual Studio switch
buffer check
Doesn’t work!
Service restart policy
Authentication (if you left UAC on)
7. Sources http://www.microsoft.com/technet/security/Bulletin/MS08-067.mspx
http://blogs.technet.com/swi/archive/2008/10/25/most-common-questions-that-we-ve-been-asked-regarding-ms08-067.aspx
http://blogs.msdn.com/sdl/archive/2008/10/22/ms08-067.aspx
http://www.developer.com/security/article.php/11580_3417861_2