Five of Seven Microsoft Patches Listed as ‘Critical’
Posted by: Jennifer LeClaire, July 12, 2006 01:45 PM

Microsoft on Tuesday released seven patches, five classified as critical, for July’s Patch Tuesday event. The seven patches fix at least 10 vulnerabilities in consumer and enterprise software. Security bulletin MS06-035 addresses a critical vulnerability in Windows Server 2003, as well as Windows XP and Windows 2000. A security flaw in these programs could allow remote code execution. MS06-036, another critical bulletin, covers a hole in the DHCP Client Service of both servers, as well as in Windows XP and Windows 2000.

If MS06-035 is really a good candidate for a worm, because there is no authentication, no user interaction is needed and it can be exploited over UDP, it's another story for MS06-036. It would be interesting to hear the technical explanation from Sarawate to understand why he thinks it could be exploited by a worm. "An attacker could exploit the vulnerability by answering a client's DHCP request on the local subnet with a specially crafted DHCP response."

Let's try to imagine I would like to create a worm based on this MS information, assuming that I know how to exploit the flaw:

1- What would be the impact?
--> Local subnet, it doesn't look fun.

2- So the DHCP client makes a request to get a new IP address, and I need to send the malformed answer.
--> The vulnerable client should have selected my "malicious" server first in order to receive some answer from it. I could flood the network with DHCPOFFER...

3- Is there a way to force the DHCP clients to renew their IP so I could spread more quickly?
--> Clients are using leases that can be very long, so it's not good for a worm.

The ultimate question behind this: are you trying to scare people, or did you publish this mistake because of a lack of technical understanding?
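Since the whole argument above turns on a malicious DHCP server answering clients on the local subnet, here is the defender's side of it as an added example (Python written for this page, not code from the original post or from Microsoft's bulletin): a small parser for DHCP replies that bounds-checks every option against the datagram length, reads the server identifier (option 54) and lease time (option 51), and flags any OFFER/ACK/NAK that does not come from an allowlisted server. The server addresses, the allowlist and the sample packets are constructed for the example; the packet builder exists only so the auditor can be exercised offline.

```python
import socket
import struct
from dataclasses import dataclass

# DHCP constants from RFC 2131 / RFC 2132
BOOTREPLY = 2
DHCP_MAGIC = b"\x63\x82\x53\x63"
OPT_PAD, OPT_LEASE_TIME, OPT_MSG_TYPE, OPT_SERVER_ID, OPT_END = 0, 51, 53, 54, 255
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 4: "DECLINE",
             5: "ACK", 6: "NAK", 7: "RELEASE", 8: "INFORM"}


@dataclass
class DhcpMessage:
    op: int
    xid: int
    yiaddr: str
    options: dict  # option code -> raw value bytes


def parse_dhcp(packet: bytes) -> DhcpMessage:
    """Parse the fixed BOOTP header and the DHCP option list.

    Every option is checked against the packet length, so a reply whose
    option length runs past the end of the datagram is rejected instead
    of being read out of bounds.
    """
    if len(packet) < 240:
        raise ValueError("packet shorter than the fixed header plus magic cookie")
    op = packet[0]
    xid = struct.unpack_from("!I", packet, 4)[0]
    yiaddr = socket.inet_ntoa(packet[16:20])
    if packet[236:240] != DHCP_MAGIC:
        raise ValueError("missing DHCP magic cookie")
    options = {}
    i = 240
    while i < len(packet):
        code = packet[i]
        if code == OPT_PAD:
            i += 1
            continue
        if code == OPT_END:
            break
        if i + 1 >= len(packet):
            raise ValueError("option %d has no length byte" % code)
        length = packet[i + 1]
        value = packet[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("option %d claims %d bytes but only %d remain"
                             % (code, length, len(value)))
        options[code] = value
        i += 2 + length
    return DhcpMessage(op, xid, yiaddr, options)


def audit_reply(packet: bytes, authorized_servers: set) -> dict:
    """Classify one DHCP server reply seen on the local subnet."""
    msg = parse_dhcp(packet)
    mtype_raw = msg.options.get(OPT_MSG_TYPE)
    mtype = MSG_TYPES.get(mtype_raw[0], "UNKNOWN") if mtype_raw else "UNKNOWN"
    server_raw = msg.options.get(OPT_SERVER_ID)
    server = socket.inet_ntoa(server_raw) if server_raw and len(server_raw) == 4 else None
    lease_raw = msg.options.get(OPT_LEASE_TIME)
    lease = struct.unpack("!I", lease_raw)[0] if lease_raw and len(lease_raw) == 4 else None
    if msg.op != BOOTREPLY or mtype not in ("OFFER", "ACK", "NAK"):
        verdict = "ignored"                # not a server reply, nothing to audit
    elif server is None:
        verdict = "rogue-no-server-id"     # RFC 2131 requires option 54 in OFFER/ACK/NAK
    elif server not in authorized_servers:
        verdict = "rogue-unknown-server"   # the case the post describes: an unexpected answerer
    else:
        verdict = "ok"
    return {"type": mtype, "server": server, "yiaddr": msg.yiaddr,
            "lease": lease, "verdict": verdict}


def build_reply(xid: int, yiaddr: str, msg_type: int, server_id: str, lease_secs: int) -> bytes:
    """Build a minimal constructed DHCP reply for exercising the auditor (not captured traffic)."""
    hdr = struct.pack("!BBBBIHH", BOOTREPLY, 1, 6, 0, xid, 0, 0)   # op..flags
    hdr += socket.inet_aton("0.0.0.0") + socket.inet_aton(yiaddr)   # ciaddr, yiaddr
    hdr += socket.inet_aton("0.0.0.0") * 2                           # siaddr, giaddr
    hdr += b"\x00" * (16 + 64 + 128)                                 # chaddr, sname, file
    opts = bytes([OPT_MSG_TYPE, 1, msg_type])
    opts += bytes([OPT_SERVER_ID, 4]) + socket.inet_aton(server_id)
    opts += bytes([OPT_LEASE_TIME, 4]) + struct.pack("!I", lease_secs)
    return hdr + DHCP_MAGIC + opts + bytes([OPT_END])


# Constructed samples: the known server, an unknown one, and a reply whose last option is cut short.
AUTHORIZED = {"10.0.0.1"}
GOOD_OFFER = build_reply(0x1234, "10.0.0.50", 2, "10.0.0.1", 86400)
ROGUE_OFFER = build_reply(0x1234, "10.0.0.50", 2, "10.0.0.99", 60)
TRUNCATED = build_reply(0x1234, "10.0.0.50", 2, "10.0.0.1", 60)[:-4]  # cuts into the lease option

if __name__ == "__main__":
    for name, pkt in [("good", GOOD_OFFER), ("rogue", ROGUE_OFFER), ("truncated", TRUNCATED)]:
        try:
            print(name, audit_reply(pkt, AUTHORIZED))
        except ValueError as exc:
            print(name, "rejected:", exc)
```

On a real network the packets would come from a UDP socket bound to port 68 on a monitoring host; the allowlist is the set of server identifiers your own DHCP infrastructure is expected to use. The lease field is reported alongside the verdict because, as point 3 above notes, how often clients renew decides how often a rogue answerer even gets a chance to respond.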