From: Curt Wilson (netw3_security@hushmail.com)
Date: Thu Dec 05 2002 - 17:53:49 EST
Local Policies...Security Options...Network Access:

Named pipes that can be accessed anonymously:
COMNAP,COMNODE,SQL\QUERY,SPOOLSS,LLSRPC,EPMAPPER,LOCATOR,TrkWks,TrkSvr

Remotely accessible registry paths:
System\CurrentControlSet\Control\ProductOptions
System\CurrentControlSet\Control\Print\Printers
System\CurrentControlSet\Control\Server Applications
System\CurrentControlSet\Services\Eventlog
Software\Microsoft\OLAP Server
Software\Microsoft\Windows NT\CurrentVersion
System\CurrentControlSet\Control\ContentIndex
System\CurrentControlSet\Control\Terminal Server
System\CurrentControlSet\Control\Terminal Server\UserConfig
System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration
(I'm assuming that these reg paths are useless to a remote attacker,
unless the remote registry service is enabled and the attacker/pen tester
has access. I always turn off remote registry so I've not explored these
options)
Shares that can be accessed anonymously
COMCFG,DFS$
Has anyone successfully leveraged the existence of any of these elements,
and do you have any information from practical experience that you would
be willing to share? It strikes me that there could be some interesting
content here if we could spend some time fuzzing and exploring.
Thanks
Curt Wilson
Netw3 Security Research
www.netw3.com
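An added example, not part of Curt's post: the three "Network access" security options he lists are backed by REG_MULTI_SZ values under HKLM (NullSessionPipes and NullSessionShares under LanmanServer\Parameters, and the Machine value under SecurePipeServers\winreg\AllowedPaths). The script below reads those values on the local host, flags any entry that is not in the baseline quoted in the post, and reports whether the Remote Registry service is running, since the registry paths only matter to a remote caller when it is. The baseline lists are taken from the post; the function name and the RestrictAnonymous reporting are the example's own additions.

```powershell
# Added example (not from the original post). Audits the registry values that back the
# "Network access" security options discussed above. Run in an elevated PowerShell on
# the host being checked. Baseline lists are the ones quoted in the post.

$Baseline = @{
    # Named pipes that can be accessed anonymously
    NullSessionPipes  = @('COMNAP','COMNODE','SQL\QUERY','SPOOLSS','LLSRPC',
                          'EPMAPPER','LOCATOR','TrkWks','TrkSvr')
    # Shares that can be accessed anonymously
    NullSessionShares = @('COMCFG','DFS$')
    # Remotely accessible registry paths (AllowedPaths\Machine)
    Machine           = @('System\CurrentControlSet\Control\ProductOptions',
                          'System\CurrentControlSet\Control\Print\Printers',
                          'System\CurrentControlSet\Control\Server Applications',
                          'System\CurrentControlSet\Services\Eventlog',
                          'Software\Microsoft\OLAP Server',
                          'Software\Microsoft\Windows NT\CurrentVersion',
                          'System\CurrentControlSet\Control\ContentIndex',
                          'System\CurrentControlSet\Control\Terminal Server',
                          'System\CurrentControlSet\Control\Terminal Server\UserConfig',
                          'System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration')
}

# Where each policy is stored. These are the documented value locations for the settings.
$Checks = @(
    @{ Name  = 'Named pipes that can be accessed anonymously'
       Path  = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
       Value = 'NullSessionPipes' },
    @{ Name  = 'Shares that can be accessed anonymously'
       Path  = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
       Value = 'NullSessionShares' },
    @{ Name  = 'Remotely accessible registry paths'
       Path  = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg\AllowedPaths'
       Value = 'Machine' }
)

# Hypothetical helper name (the example's own): returns one object per policy with the
# current entries and the entries that are outside the quoted baseline.
function Get-NullSessionExposure {
    $remoteRegistry = (Get-Service -Name RemoteRegistry -ErrorAction SilentlyContinue).Status
    $restrictAnon   = (Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
                        -Name RestrictAnonymous -ErrorAction SilentlyContinue).RestrictAnonymous

    foreach ($c in $Checks) {
        $current = @()
        try {
            # An absent value means the policy is empty on this host, which is the tightest state.
            $current = @((Get-ItemProperty -Path $c.Path -Name $c.Value -ErrorAction Stop).($c.Value))
        } catch { }

        # Anything not in the quoted baseline is an addition worth explaining (or removing).
        $extra = @($current | Where-Object { $Baseline[$c.Value] -notcontains $_ })

        [pscustomobject]@{
            Setting               = $c.Name
            CurrentEntries        = ($current -join ',')
            NotInBaseline         = ($extra -join ',')
            RemoteRegistryRunning = ($remoteRegistry -eq 'Running')
            RestrictAnonymous     = $restrictAnon
        }
    }
}

Get-NullSessionExposure | Format-List
```

The interesting output for a pen tester is the NotInBaseline column: entries that an administrator or an application installer has added to the default null-session lists. The RemoteRegistryRunning and RestrictAnonymous fields are there because, as the post notes, the AllowedPaths entries are only reachable when the Remote Registry service is up, and the Lsa RestrictAnonymous value governs what a null session can enumerate over the remaining pipes and shares.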
----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/
This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:26 EDT