Threat Level: green Handler on Duty: Rob VandenBrink

SANS ISC: MS06-077: Remote Installation Service (RIS) remote exploit - SANS Internet Storm Center SANS ISC InfoSec Forums

Watch ISC TV. Great for NOCs, SOCs and Living Rooms:

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
MS06-077: Remote Installation Service (RIS) remote exploit
This vulnerability only affects Windows 2000 Server, Service Pack 4 that has RIS installed that allow anonymous access to the system that serves the installation items. If there is anonymous access, a remote user could view, change, delete data or create accounts including having malware installed on systems installed by RIS. It is possible to exploit this vulnerability over the internet if the network permissions were set that poorly to allow anonymous access to everyone. A simple firewall would prevent this vector. The patch removes the vulnerability by not allowing anonymous TFTP users write access on the file structure.

This vulnerability has not been disclosed publicly and Microsoft reports no indication of active exploitation of this vulnerability.

Microsoft ranks this update as important, however the very specific OS version needed and other mitigating technologies make this an unimportant patch for all but a few users.

Bulletin: MS06-077

John Bambenek
bambenek /at/ gmail /dot/ com


262 Posts
ISC Handler
Dec 12th 2006

Sign Up for Free or Log In to start participating in the conversation!