[Dshield] MS05-039 exploits prove that patching "window" is getting shorter and shorter and...

Chris Wright dshield at yaps4u.net
Thu Aug 18 09:35:03 GMT 2005


 

> -----Original Message-----
> From: list-bounces at lists.dshield.org 
> [mailto:list-bounces at lists.dshield.org] On Behalf Of John B. Holmblad
> Sent: Thursday, August 18, 2005 3:46 AM
> To: General DShield Discussion List
> Subject: Re: [Dshield] MS05-039 exploits prove that patching 
> "window" is getting shorter and shorter and...
> 
> All,
> 
> this worm has given me reason to go back and examine the 
> distinction between the PnP service in Microsoft Windows and 
> its "evolutionary" addition, uPnP, which is installed in 
> Windows XP.  I did a quick check and, not surprisingly, all 
> Windows OS's, XP, 2000 Pro, 2000 Server, 2003 Server, and 
> 2003 SBS have PnP installed as a service and enabled. Only 
> WXP has uPnP installed with manual start (at least on the XP 
> system that I checked).
> 
> 
> What I do not understand is why the PnP service is even 
> callable from a remote session whether it is an authenticated 
> or a null session. To my understanding, the PnP service is to 
> support installation of devices on the local machine, period, 
> so why should it ever accept a network-based session via SMB 
> in the first place? What am I missing here?
> 

Would that be for support for adding new devices on the network (such as
printers, being the simplest I can think of)?
I think a lot of people think of PNP when they remember the difference
between ISA and PCI cards, where on an ISA card it often involved setting
BIOS settings and jumpers on the card, whereas PCI was merely plug it in
and let it go. (Once you made sure your BIOS supports PNP as well as the OS).
Without going back and reading through the PNP spec, I suspect that you can
also connect devices that exist on the network.  Those of you who can't
remember ISA cards are still wearing diapers/nappies ;)

But, the thought of a network "device" being able to instantiate self
installation seems a bit iffy.

Regards

Chris


