http://www.microsoft.com/technet/security/bulletin/ms04-031.mspx We have located the vulnerable function and just recently wrote the CANVAS module for it but all our tests showed that the NetDDE vulnerability can not be exploited with a NULL session a.k.a with "Anonymous Logon" credentials. Here are some reasons why we think NetDDE rpc interface procedure calls can only be done after authentication (any local or domain user) 1- \pipe\nddeapi named pipe do not have the "Anonymous Logon" credentials 2- HKLM\SYSTEM\ControlSet001\Services\lanmanserver\parameters\NullSessionPipes do not list the nddeapi pipe in any of the current windows OS installs 3- \pipe\nddeapi is not hardcoded in the srv.sys driver (please check: http://www.hsc.fr/ressources/articles/win_net_srv/index.html.en#htoc33 ) Please feel free to correct us! We will be delighted to hear that this vuln is actually a pre-auth ;) The most puzzling question is why does Microsoft "upplays" this vulnerabilities severity rather than the usual downplaying efforts ? I remember a good friend reporting them a remote ring-0 vulnerability in terminal services which they silently fixed in SP3 and dont even bother to credit him because they simply believe only remote DOS can be achieved with a remote kernel overflow!! So does that mean MS changed its policy regarding vulnerability severity assesment or they have a ongoing love relation with NGS ? puzzles the mind ;) cheers, Sinan Eren Immunity Research
