Executive Summary

On Microsoft Windows XP, Server 2003 and 2000, an attacker can exploit this vulnerability without any authentication to run arbitrary code. A skilled attacker can also use it to craft a 'wormable' exploit, so it is prone to mass automated exploitation. The 'Conficker' virus, which has proven to be one of the most destructive computer viruses, exploits this particular vulnerability (CVE-2008-4250) and managed to infect about 370,000 machines without even being detected for more than 2 months [1].

Technical Description

Vulnerability Description

The Windows operating system provides features that support the sharing of IT resources such as files, documents, printers and scanners. This service is prone to a remote code execution attack that affects the Remote Procedure Call (RPC) service. The issue originates from a stack-based buffer overflow that can be triggered by a specially crafted RPC request sent to a vulnerable computer. It specifically affects the "NetPathCanonicalize()" function in the 'netapi32.dll' file. An attacker can exploit this issue to run arbitrary code with system-level privileges [2]. Successful exploitation results in a complete compromise of the affected system. As mentioned above, the issue has the potential to spread widely. On Windows Vista and Server 2008, exploiting this vulnerability requires authenticated access [3].

Attack Vectors

The attacker begins by connecting to the target system and establishing an SMB connection that carries DCERPC. The vulnerability is exposed as soon as the attacker sends a malicious RPC packet, which triggers arbitrary code execution on the target system. The vulnerability is reached over the two TCP ports that carry SMB connections: port 445 and port 139.
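Because the attack vector is an unauthenticated RPC request over SMB on TCP 445 or 139, and because the report stresses that the flaw is wormable, the signal a defender most wants from network logs is one source opening SMB connections to many distinct hosts in a short window. The following Python is an added example written for this report, not code from the original document; the log format, the sample lines, the 60-second window and the five-target threshold are all constructed assumptions for illustration.

```python
"""
Added example (not part of the original report): flag worm-like SMB scanning
from constructed firewall log lines. Mass exploitation of this RPC flaw reaches
the service over SMB on TCP 445/139, so one source contacting many distinct
internal hosts on those ports within a short window is the detection signal.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import re

SMB_PORTS = {445, 139}

# Constructed sample log lines; the syslog-like format is an assumption.
SAMPLE_LOG = """\
2008-11-01T10:00:01 ACCEPT TCP 10.0.0.5:49152 -> 10.0.1.10:445
2008-11-01T10:00:02 ACCEPT TCP 10.0.0.5:49153 -> 10.0.1.11:445
2008-11-01T10:00:02 ACCEPT TCP 10.0.0.5:49154 -> 10.0.1.12:139
2008-11-01T10:00:03 ACCEPT TCP 10.0.0.5:49155 -> 10.0.1.13:445
2008-11-01T10:00:03 ACCEPT TCP 10.0.0.5:49156 -> 10.0.1.14:445
2008-11-01T10:00:04 ACCEPT TCP 10.0.0.5:49157 -> 10.0.1.15:445
2008-11-01T10:00:09 ACCEPT TCP 10.0.0.7:50000 -> 10.0.1.20:445
2008-11-01T10:00:10 ACCEPT TCP 10.0.0.7:50001 -> 10.0.1.20:445
2008-11-01T10:00:11 ACCEPT TCP 10.0.0.8:50100 -> 10.0.1.30:80
2008-11-01T10:05:00 ACCEPT TCP 10.0.0.5:49158 -> 10.0.1.16:445
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>\S+) (?P<proto>\S+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def parse_line(line):
    """Return (timestamp, src_ip, dst_ip, dst_port), or None if the line does not parse."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return (datetime.fromisoformat(m["ts"]), m["src"], m["dst"], int(m["dport"]))


def find_smb_scanners(log_text, min_targets=5, window=timedelta(seconds=60)):
    """Return {src_ip: distinct_target_count} for every source that contacted at
    least `min_targets` distinct hosts on an SMB port within some `window`-long
    period. Repeated connections to one host do not count (see 10.0.0.7 above),
    which keeps a legitimate file-server client from tripping the rule."""
    events = defaultdict(list)  # src_ip -> [(timestamp, dst_ip)]
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, src, dst, dport = parsed
        if dport in SMB_PORTS:
            events[src].append((ts, dst))

    alerts = {}
    for src, hits in events.items():
        hits.sort()
        left = 0
        best = 0
        # Sliding window over this source's SMB connections, ordered by time.
        for right in range(len(hits)):
            while hits[right][0] - hits[left][0] > window:
                left += 1
            distinct = len({dst for _, dst in hits[left:right + 1]})
            best = max(best, distinct)
        if best >= min_targets:
            alerts[src] = best
    return alerts


if __name__ == "__main__":
    for src, n in find_smb_scanners(SAMPLE_LOG).items():
        print("ALERT: %s reached %d distinct hosts on SMB ports within 60s" % (src, n))
```

On the constructed sample, only 10.0.0.5 is reported (six distinct hosts in four seconds); the later connection at 10:05:00 falls outside the window and does not extend the count, and the port-80 line is ignored because it is not SMB traffic.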
SMB therefore provides the path to code execution on the target host. Netapi32.dll contains a vulnerable Windows API called "NetPathCanonicalize()". This API processes directory traversal character sequences in path names, which is what allows crafted RPC requests sent to the service on the server to reach the flaw [5].
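The report describes NetPathCanonicalize() as code that processes directory traversal sequences in path names and overflows a stack buffer when given a crafted input. The following Python is an added example, not code from the report and not a reproduction of Microsoft's implementation: it shows a canonicaliser written with the two checks such a routine needs, namely that ".." can never step above the share root and that the result is bounded by an explicit maximum length instead of being assumed to fit. The function names, the MAX_PATH limit of 260 and the test paths are assumptions made for illustration.

```python
"""
Added example (not from the report, not Microsoft's code): a share-path
canonicaliser that handles "." and ".." components defensively. Two checks
matter: walking past the root is rejected rather than silently processed, and
the output length is checked against a fixed limit, the analogue of a
fixed-size stack buffer.
"""
MAX_PATH = 260  # assumed limit, standing in for a fixed-size output buffer


class PathError(ValueError):
    """Raised for any path the canonicaliser refuses to process."""


def canonicalize(path, max_len=MAX_PATH):
    """Collapse '.' and '..' in a backslash-separated path rooted at '\\'.

    Raises PathError on traversal above the root, on embedded NUL bytes, and
    on a result longer than `max_len`. Forward slashes are accepted as
    separators because clients commonly send them.
    """
    if not isinstance(path, str):
        raise PathError("path must be a string")
    if "\x00" in path:
        raise PathError("embedded NUL byte")

    parts = path.replace("/", "\\").split("\\")
    stack = []
    for part in parts:
        if part in ("", "."):
            continue  # leading/doubled separator or current directory
        if part == "..":
            if not stack:
                # Walking above the root is exactly the case a naive
                # backward-walking loop mishandles; refuse it explicitly.
                raise PathError("traversal above root")
            stack.pop()
            continue
        stack.append(part)

    result = "\\" + "\\".join(stack)
    if len(result) > max_len:
        # Bounds check performed before the result is handed back, instead of
        # trusting that the caller's buffer is large enough.
        raise PathError("canonical path exceeds %d characters" % max_len)
    return result


def is_safe_path(path, max_len=MAX_PATH):
    """Accept/reject wrapper for callers that do not need the canonical form."""
    try:
        canonicalize(path, max_len)
        return True
    except PathError:
        return False


if __name__ == "__main__":
    for candidate in ("\\share\\docs\\..\\files\\.\\a.txt", "\\a\\..\\..\\b", "\\" + "x" * 300):
        print(repr(candidate[:40]), "->", is_safe_path(candidate))
```

The point of the example is the shape of the checks rather than the specific limit: a path is only returned after every ".." has been matched against a component that is actually present and after the final length has been compared with the buffer it must fit in.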