Vulnerability Management

Amsterdam Win2008 Servers: PWNed by the Jarhead Clan

Share

The defeat of Prop 19 has absolutely nothing to do with the recent discovery of the Dutch language Windows Server vulnerability. Really!

Having a former military background comes in handy from time to time. Since I run around with former military types, often for beers and bratwurst or similar time-killing events, tidbits of useful information flows readily from this tight social network equally composed of techies and operators.

In this instance David Dodd, supersmart member of the Jarhead Clan (former active duty Marine Corps veteran) recently pinged me about a zero-day which might be important for some – particularly those in Dutch speaking countries. 

I tried this with the Netherland version of Microsoft 2008 R2 and had no luck getting the OS to Blue Screen.  So I decided to try other similar exploits, such as Microsoft SRV2.SYS SMB Negotiate ProcessID Function Table Dereference, and I got lucky.

This module exploits an out-of-bounds function table reference in the SMB request validation code of the SRV2.SYS driver" [read more]

Unrelated to Prop 19? You Decide

Two days ago, California's Proposition 19 was defeated by just over 600,000 votes. Had this measure passed, California would have legalized marijuana effectively mirroring public policy in Amsterdam, The Netherlands.

Political irony played out in the percentages of the top three pot-producing California counties which voted AGAINST the legalizing measure, effectively ensuring the status quo windfall in illegal pot revenue. The proposition lost in Humboldt, Trinity and Mendocino counties in northern California, known to be the center of the state's pot production.

Legalization would be competition to the black market,” Steve Downing, a former deputy chief in the Los Angeles Police Department, said on a conference call today.

Amsterdam: pwned?

Aruba, Belgium, Curacao, St. Maarten, Suriname and Netherlands Antilles all may want to check out this vulnerability in the Netherlands language version of Windows Server 2008.

“It is interesting that this attack is successful on post-patched (NL) servers,” added Dodd, who is also founder of pbnetworks, “and gives you access instead of just DOSing the server with a Blue Screen.”

His company carries out cyber threat analysis throughout the world with advanced technical analyses and operational security analyses of computer, telephone, communications, and telecommunications systems and conducts penetration testing for mission critical IT assets.

For details of the vulnerability, check out the YouTube video or head straight to pbnetworks for updated information as it becomes available.

Dodd, who this past September was asked to be a panelist discussing intrusion detection and prevention, added that his initial inspiration came from a vulnerability listed on metasploit which he was testing.

He insists that neither the Republicans taking back the House nor the Proposition 19 results had anything to do with his late night tests on the Netherlands language OS.

This is not technically a zero-day because the exploit was released a long time ago, adds Dodd. “This version of Windows is vulnerable to a flaw that should have been fixed with the deployment of R2.  Also since it only works for me 70 percent of the time now, it tends to lessen the excitement of this flaw. But I thought it would be interesting to let everyone know.”

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms of Use and Privacy Policy.