Todd Sabin wrote:
>
> BindView Security Advisory
> --------
>
> Multiple Remote DoS vulnerabilities in Microsoft DCE/RPC daemons
> Issue Date: July 30, 2001
> Contact: tsabin@razor.bindview.com
>
> Topic:
> Many Microsoft DCE/RPC servers are vulnerable to remote DoS attacks
>
> Overview:
> Many DCE/RPC servers don't do proper parameter validation, and can
> be crashed by sending an improperly formatted request.
>

There is some probability this may be more than just a DoS if an attacker may execute programs on the server.

My idea is to crash a process which owns a named pipe, create a named pipe with the same name and then wait or force some other service or user to write to the false pipe and then impersonate it, which may lead to elevation of privileges.

Details on a similar problem in which crashing LSASS.EXE leads to elevation of privileges are available at:
http://www.guninski.com/dr07.html

Have not verified whether in Bindview's case this idea shall work or not.

Georgi Guninski
http://www.guninski.com