process id
unauthenticated attacker the ability to terminate any process.
The Probe Builder Service, PBOVISServer.exe, listens by default on TCP
port 32968. This process has a specific opcode that allows a remote
unauthenticated user to terminate any process on the system by
supplying a process ID number.
III. ANALYSIS
Exploitation allows an attacker to kill any process, including critical
system processes like services.exe, lsass.exe, csrss.exe. Killing a
program up time : 7 minutes 2 seconds
processors : 2x Intel(R) Core(TM)2 Duo CPU T6600 @ 2.20GHz
physical memory : 2243/4091 MB (free/total)
free disk space : (C:) 207,54 GB
display mode : 1366x768, 32 bit
process id : $16fc
allocated memory : 50,75 MB
executable : FlashFXP.exe
exec. date/time : 2012-01-15 22:45
executable hash : 34A53BD60479975EA6DAAB55B8D878B4
version : 4.1.8.1701
>> You can kill smc.exe with the help of drwtsn32.exe in the following way.
>>
>> drwtsn32 -p %pid%
>> where pid is the process id for smc.exe
>
> There's nothing remarkable about this at all. If you tell Dr Watson to
> debug any process id, it's going to end the process. Or at least it did
> to half a dozen applications I tested it on :)
read and write arbitrary files via a symlink attack on the (1)
xfig-eps[PID], (2) xfig-pic[PID].pix, (3) xfig-pic[PID].err,
(4) xfig-pcx[PID].pix, (5) xfig-xfigrc[PID], (6) xfig[PID], (7)
xfig-print[PID], (8) xfig-export[PID].err, (9) xfig-batch[PID], (10)
xfig-exp[PID], or (11) xfig-spell.[PID] temporary files, where [PID]
is a process ID (CVE-2009-1962).
This update provides a solution to this vulnerability.
Update:
> You can kill smc.exe with the help of drwtsn32.exe in the following way.
>
> drwtsn32 -p %pid%
> where pid is the process id for smc.exe
>
> POC:
>
> Save the following as a batch file and execute it
BrightStor's ARCserve Backup message queuing service, LQserver.exe.
BrightStor uses ONC RPC (Open Network Computing Remote Procedure Call), a
simple RPC protocol described in RFCs 1831, 1832 and 1833. The
vulnerability is reached only by calling operation 0x76 (Data Queue
Request) under the process id 0x0006097d (LQserver.exe's unique Proc ID).
After this procedure is initiated, LQServer.exe calls the vulnerable DLL,
Queue.dll, which processes user-supplied data and then references that
data as variables without any form of sanitization or verification. This
is demonstrated below:
Description
===========
Kevin B. McCarty discovered that the feynmf.pl script creates a
temporary "property list" file at the location "$TMPDIR/feynmf$PID.pl",
where $PID is the process ID.
Impact
======
A local attacker could create symbolic links in the directory where the
The driver holds a fixed-length array of successfully registered
applications and iterates through this array for every IRP (except the
registration IRP, IOCTL_SABKUTIL_REGISTER_PROCESS_WITH_DRIVER =
0x9c4028c). The array has 256 DWORD elements, enough for 256 application
registrations (each DWORD is a registered application's process ID).
Sending more than 256 registration requests overflows the array, because
no check is made whether the current PID is already present in the array
or whether all array elements are already in use. The array overflow
causes the overwrite of certain critical
Description
===========
skkdic-expr.c insecurely writes temporary files to a location in the
form $TMPDIR/skkdic$PID.{pag,dir,db}, where $PID is the process ID.
Impact
======
A local attacker could create symbolic links in the directory where the
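The xfig, feynmf and skkdic advisories above all describe the same defect: a temporary file at a predictable name built from the process ID, opened without O_EXCL, so a local attacker who plants a symlink at that name first gets the program to write through it. The following C program is an added example, not code from any of those projects: it reproduces the attack against an xfig-eps<PID>-style name in a private scratch directory, then shows the two usual fixes (O_CREAT|O_EXCL|O_NOFOLLOW on the fixed name, or an unpredictable name from mkstemp). The directory, file names and contents are constructed test data; the scratch directory is taken from $TMPDIR or /tmp.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>

#define TMP_PATH_MAX 4096

/* Vulnerable pattern from the advisories: $TMPDIR/<prefix><PID>, opened with
   plain O_CREAT. The name is predictable (PIDs are small and visible in ps),
   so a symlink planted there beforehand redirects the write. */
int open_tmp_predictable(const char *tmpdir, const char *prefix, pid_t pid)
{
    char path[TMP_PATH_MAX];
    int n = snprintf(path, sizeof path, "%s/%s%ld", tmpdir, prefix, (long)pid);
    if (n < 0 || (size_t)n >= sizeof path) return -1;
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
}

/* Fix 1, when the name must stay: O_EXCL fails with EEXIST if anything (a
   symlink included) already sits at the path, and O_NOFOLLOW refuses to
   traverse a symlink in the final component. */
int open_tmp_exclusive(const char *tmpdir, const char *prefix, pid_t pid)
{
    char path[TMP_PATH_MAX];
    int n = snprintf(path, sizeof path, "%s/%s%ld", tmpdir, prefix, (long)pid);
    if (n < 0 || (size_t)n >= sizeof path) return -1;
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* Fix 2, preferred: let mkstemp() pick an unpredictable name. It opens with
   O_CREAT|O_EXCL and mode 0600 and writes the chosen path back into 'out'. */
int open_tmp_mkstemp(const char *tmpdir, const char *prefix, char *out, size_t outlen)
{
    int n = snprintf(out, outlen, "%s/%s.XXXXXX", tmpdir, prefix);
    if (n < 0 || (size_t)n >= outlen) return -1;
    return mkstemp(out);
}

/* Reproduce the attack in a private scratch directory (constructed data).
   Returns a bitmask: 1 = predictable open clobbered the victim through the
   planted symlink, 2 = exclusive open refused the symlink, 4 = mkstemp chose
   a different name and succeeded. -1 on setup failure. Expected: 7. */
int demo_symlink_race(void)
{
    const char *base = getenv("TMPDIR");
    char dir[TMP_PATH_MAX], victim[TMP_PATH_MAX], planted[TMP_PATH_MAX], chosen[TMP_PATH_MAX];
    char buf[16] = {0};
    pid_t pid = getpid();
    int result = 0, fd;

    if (base == NULL) base = "/tmp";
    snprintf(dir, sizeof dir, "%s/pidtmp.XXXXXX", base);
    if (mkdtemp(dir) == NULL) return -1;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(planted, sizeof planted, "%s/xfig-eps%ld", dir, (long)pid);

    /* The file the attacker wants overwritten, with known contents. */
    fd = open(victim, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    if (fd < 0) return -1;
    if (write(fd, "original", 8) != 8) return -1;
    close(fd);

    /* Attacker plants the symlink at the predictable temp-file name. */
    if (symlink(victim, planted) != 0) return -1;

    /* Victim program creates its temp file: the write follows the link. */
    fd = open_tmp_predictable(dir, "xfig-eps", pid);
    if (fd >= 0) { if (write(fd, "clobbered", 9) != 9) return -1; close(fd); }
    fd = open(victim, O_RDONLY);
    if (fd >= 0) { if (read(fd, buf, sizeof buf - 1) < 0) return -1; close(fd); }
    if (strcmp(buf, "clobbered") == 0) result |= 1;

    /* Same name, hardened flags: the planted symlink is rejected. */
    fd = open_tmp_exclusive(dir, "xfig-eps", pid);
    if (fd < 0 && (errno == EEXIST || errno == ELOOP)) result |= 2;
    else if (fd >= 0) close(fd);

    /* Unpredictable name: the attacker cannot pre-plant it. */
    fd = open_tmp_mkstemp(dir, "xfig-eps", chosen, sizeof chosen);
    if (fd >= 0) { if (strcmp(chosen, planted) != 0) result |= 4; close(fd); unlink(chosen); }

    unlink(planted); unlink(victim); rmdir(dir);
    return result;
}
```

The program runs as an unprivileged user; the point is that the "attacker" and the "victim" only need to share a world-writable temporary directory, which is exactly the situation on a multi-user host.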
========================
Several ways to gather information exist in the JDENET service. By sending specific types of messages, it is possible to access technical
information about the system's configuration, such as:
* Kernel Process ID.
* Kernel processes.
* Kernel processes information.
* JDNET process information.
Further technical details about this issue are not disclosed at this moment with the purpose of providing enough time to affected customers to patch
(http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujul2010.html).
- ------
flar appears to use several hard-coded temporary paths with the process
id appended such as these (possibly more--I didn't do an exhaustive search):
/tmp/.flash_filter_one_.11534
/tmp/.flash_filter_two_.11534
/tmp/.flarcreate.hash.11534
PHP uses the following macro on the first usage of rand() or
mt_rand() within a PHP process to seed the different random
number generators.
#ifdef PHP_WIN32
#define GENERATE_SEED() ((long) (time(0) * GetCurrentProcessId() \
* 1000000 * php_combined_lcg(TSRMLS_C)))
#else
#define GENERATE_SEED() ((long) (time(0) * getpid() * 1000000 \
* php_combined_lcg(TSRMLS_C)))
#endif
Faulting application SearchIndexer.exe, version 7.0.6001.16503, time
stamp 0x483b99af, faulting module msvcrt.dll, version 7.0.6001.18000,
time stamp 0x4791a727, exception code 0x40000015, fault offset
0x00053adb, process id 0x364, application start time 0x01c99276bd383759.
- ---
In some cases, it is possible to permanently lock the service.
An example of the interesting behaviour can be seen below:
char buff[] =
"\x00\x00\x00\x90" // NetBIOS session message header: type 0x00, length 0x90
"\xff\x53\x4d\x42" // SMB header: protocol identifier "\xffSMB"
"\x72\x00\x00\x00" // Command 0x72 (Negotiate Protocol), first 3 bytes of Status
"\x00\x18\x53\xc8" // Last byte of Status, Flags 0x18, Flags2 0xc853
"\x00\x26" // Process ID High: --> :) normal value should be "\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\xff\xff\xfe" // Signature (8), Reserved (2), TID 0xffff, PID 0xfeff
"\x00\x00\x00\x00\x00\x6d\x00\x02\x50\x43\x20\x4e\x45\x54" // UID, MID, WordCount 0, ByteCount 0x6d, dialect list follows
"\x57\x4f\x52\x4b\x20\x50\x52\x4f\x47\x52\x41\x4d\x20\x31"
"\x2e\x30\x00\x02\x4c\x41\x4e\x4d\x41\x4e\x31\x2e\x30\x00"
"\x02\x57\x69\x6e\x64\x6f\x77\x73\x20\x66\x6f\x72\x20\x57"
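The Process ID High field singled out in the packet above can be checked mechanically. The following C program is an added example written for this page, not code from the original advisory: it parses the 4-byte NetBIOS session header and the 32-byte SMB header and flags a Negotiate Protocol request whose PIDHigh is non-zero, the kind of rule a detection engineer would run over captured port 445/139 traffic. The embedded bytes are the prefix of the packet quoted above (the dialect list is truncated on the page, and the parser does not need it); the second, benign packet is constructed for comparison and differs only in PIDHigh.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NBSS_HDR_LEN 4
#define SMB_HDR_LEN 32
#define SMB_COM_NEGOTIATE 0x72

struct smb_hdr {
    uint32_t nbss_len;   /* NetBIOS session message length (24-bit, big-endian) */
    uint8_t  command;
    uint32_t status;
    uint8_t  flags;
    uint16_t flags2;
    uint16_t pid_high;   /* upper 16 bits of the client process ID */
    uint16_t tid, pid, uid, mid;
};

static uint16_t le16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Parse the NetBIOS session header followed by an SMB1 header (little-endian
   fields). Returns 0 on success, -1 if the buffer is too short or not SMB. */
int smb_parse_header(const uint8_t *buf, size_t len, struct smb_hdr *h)
{
    if (len < NBSS_HDR_LEN + SMB_HDR_LEN) return -1;
    if (buf[0] != 0x00) return -1;                 /* 0x00 = session message */
    h->nbss_len = ((uint32_t)buf[1] << 16) | ((uint32_t)buf[2] << 8) | buf[3];

    const uint8_t *s = buf + NBSS_HDR_LEN;
    if (memcmp(s, "\xff" "SMB", 4) != 0) return -1;
    h->command  = s[4];
    h->status   = le32(s + 5);
    h->flags    = s[9];
    h->flags2   = le16(s + 10);
    h->pid_high = le16(s + 12);
    /* s[14..21] SecurityFeatures (signature), s[22..23] Reserved */
    h->tid = le16(s + 24);
    h->pid = le16(s + 26);
    h->uid = le16(s + 28);
    h->mid = le16(s + 30);
    return 0;
}

/* Detection rule: a Negotiate Protocol request normally carries PIDHigh == 0.
   Returns 1 if anomalous, 0 if not, -1 if the packet could not be parsed. */
int smb_negotiate_pid_high_anomalous(const uint8_t *buf, size_t len)
{
    struct smb_hdr h;
    if (smb_parse_header(buf, len, &h) != 0) return -1;
    return (h.command == SMB_COM_NEGOTIATE && h.pid_high != 0) ? 1 : 0;
}

/* Prefix of the packet quoted above (dialect list truncated on the page). */
static const uint8_t page_negotiate[] =
    "\x00\x00\x00\x90" "\xff\x53\x4d\x42" "\x72\x00\x00\x00" "\x00\x18\x53\xc8"
    "\x00\x26"
    "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\xff\xff\xfe"
    "\x00\x00\x00\x00\x00\x6d\x00\x02\x50\x43\x20\x4e\x45\x54";
#define PAGE_NEGOTIATE_LEN (sizeof page_negotiate - 1)

/* Constructed benign variant: identical except PIDHigh = 0. */
static const uint8_t benign_negotiate[] =
    "\x00\x00\x00\x90" "\xff\x53\x4d\x42" "\x72\x00\x00\x00" "\x00\x18\x53\xc8"
    "\x00\x00"
    "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\xff\xff\xfe"
    "\x00\x00\x00\x00\x00\x6d\x00\x02\x50\x43\x20\x4e\x45\x54";
#define BENIGN_NEGOTIATE_LEN (sizeof benign_negotiate - 1)

int main(void)
{
    struct smb_hdr h;
    if (smb_parse_header(page_negotiate, PAGE_NEGOTIATE_LEN, &h) != 0) return 1;
    printf("cmd=0x%02x flags=0x%02x flags2=0x%04x pid_high=0x%04x tid=0x%04x pid=0x%04x\n",
           h.command, h.flags, h.flags2, h.pid_high, h.tid, h.pid);
    printf("anomalous: %d\n", smb_negotiate_pid_high_anomalous(page_negotiate, PAGE_NEGOTIATE_LEN));
    return 0;
}
```

On the quoted packet the parser reports command 0x72, Flags 0x18, Flags2 0xc853 and PIDHigh 0x2600 (bytes 00 26, little-endian), so the rule fires; on the constructed benign packet it does not. The NetBIOS length (0x90) is decoded but deliberately not enforced against the buffer size, since the page only shows a prefix.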