Archive for the “Windows” Category

Laurent Gaffie has produced a proof-of-concept remote BSOD affecting Windows Vista/7.

It is advised at this time to block all NetBIOS and SMB traffic on your network, as there is currently no patch available.

Read the entry here: http://seclists.org/fulldisclosure/2009/Sep/0039.html

At the time of writing this entry I tested this on a Windows Vista VM (fully patched).

MS – Security Advisory

Comments No Comments »

Some users apparently do not know how to clear their Internet Explorer cache, so I have taken two minutes to do a screen cast here: http://screencast.com/t/FGDnc2gjcft

Comments No Comments »

As per my previous post I was faced with a serious BSOD problem.

Now that this is corrected, and so that you do not face the same problem, here are my findings:

  • VMWare identifies the ISO file as Vista
  • The ‘optional’ admin password doesn’t seem to be optional! Enter this to avoid BSOD later.
  • On file sharing I chose NONE
  • Customize your settings!
  • NOTE: Set the hard disk type to IDE and NOT SCSI
  • Enjoy

Comments No Comments »

So I decided to take Windows 7 for a spin in VMWare fusion, downloaded the shiny new 3.15GB x64 ISO and away I went …

Only in typical Windows style to have a flashing blue screen restart, in that you can see it B.S.O.D’ed (blue screen of death) but the system restarted so quickly the error message was utterly pointless and you’d need a high speed camera to see it …


UPDATE:
Very obscure, but it has to do with the fact VMWare identifies the install as Vista x64. When it says the administrator password is optional, DO NOT leave it blank; in fact, in this case it is not optional. Setting a password allows the OS to install correctly, it seems. I now have it running perfectly. You will also need to change the hard drive bus emulation from SCSI to IDE.

Comments No Comments »

For those not in the know Folding@Home is a piece of software that runs in the background of your desktop, server, heck even your PS3.

I originally started out back in 99/2000 with the United Devices cancer research client. Their website of UD.com however seems to have long since slipped into web history, no doubt due to their nature of charging for CPU time on ‘their’ grid, which was made of donor machines … Folding @ Home however is Open Source and not run by some shady business but by a variety of labs and educational bodies (http://folding.stanford.edu/English/About).

Ok so what is this ‘folding’ all about?

When protein chains combine in your body to form more complex chains, and eventually cells, the process of combination is called folding, and problems during the ‘folding’ stage can lead to Cancer, Alzheimer’s, Parkinson’s disease etc …

The problem faced when looking at protein folding is the sheer number of possible ‘folds’ for each different type of protein. Of course this is where computer power comes in, but even that has its limits; this is where distributed computing helps.

Rather than a large super computer which is limited in budget, size and power, distributed computing takes place by assigning a small work load to a ‘volunteer machine’. What this has led to is a virtual super computer larger than any other, driven by software, and at the time of writing claims some 260,000 active CPUs.

So please install this small piece of software on your machine by visiting the downloads page here: http://folding.stanford.edu/English/Download

Once you have the client running please join the Saiweb team 156680

Cheers

Buzz

NOTE:

I will be dedicating several machines to this, they will appear in the team members list prefixed buzz_ , one core from our Dedi server has also been dedicated to running F@H.

Comments No Comments »

This is something I find myself having to do, more and more lately due to this VoIP roll out.

From Windows (XP)

Start > run > cmd

Once the command window is open, ping the IP address of the device (this forces your system to do an ARP request and store the device information in the cache; don’t ask me why, but Microsoft decided it was a good idea not to look up the information if it isn’t already in the cache!)

NOTE: Even if the device blocks ICMP, this should still work. Run ettercap on your Windows network to see just how many times you will see an ARP request along the lines of “WHO HAS xxx.xxx.xxx.xxx”.

Now to get the MAC address, type:

arp -a xxx.xxx.xxx.xxx

Where xxx.xxx.xxx.xxx is the IP address of the device you just pinged.

C:\Documents and Settings\buzz>arp  -a 10.99.1.10

Interface: XXX.XXX.XXX.XXX --- 0x3
  Internet Address      Physical Address      Type
  XXX.XXX.XXX.XXX            AA-BB-CC-DD-EE-FF     dynamic

Please note this only works for a device on the same IP range.

If you run two ranges, i.e.

192.168.1.XXX

and

192.168.2.XXX

You will need to make the ARP request from a device bound to that range (servers are especially useful here).
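
An added example (not from the original post): a short Python parser for the `arp -a` output shown above that also reports why a lookup fails, covering both the "ping first" and the "same range" caveats. The sample output, the addresses in it and the default /24 netmask are assumptions made for the illustration.

```python
import ipaddress
import re

# Constructed sample of Windows `arp -a` output (addresses are made up).
SAMPLE_ARP_OUTPUT = """\
Interface: 192.168.1.20 --- 0x3
  Internet Address      Physical Address      Type
  192.168.1.1           00-11-22-33-44-55     dynamic
  192.168.1.50          aa-bb-cc-dd-ee-ff     dynamic
"""

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
IFACE = re.compile(rf"^Interface:\s+({IPV4})\s+---")
ROW = re.compile(rf"^\s*({IPV4})\s+((?:[0-9A-Fa-f]{{2}}-){{5}}[0-9A-Fa-f]{{2}})\s+(\w+)\s*$")


def parse_arp(text):
    """Return {interface_ip: {neighbour_ip: (mac, entry_type)}}."""
    tables, current = {}, None
    for line in text.splitlines():
        m = IFACE.match(line)
        if m:
            current = tables.setdefault(m.group(1), {})
            continue
        m = ROW.match(line)  # the column header line never matches
        if m and current is not None:
            current[m.group(1)] = (m.group(2).upper(), m.group(3))
    return tables


def find_mac(text, target_ip, netmask="255.255.255.0"):
    """Return (mac_or_None, reason) for target_ip.

    netmask is an assumption: `arp -a` does not print it, so pass the
    real mask of the interface when it is not a /24.
    """
    target = ipaddress.ip_address(target_ip)
    for iface_ip, entries in parse_arp(text).items():
        net = ipaddress.ip_network(f"{iface_ip}/{netmask}", strict=False)
        if target in net:
            if target_ip in entries:
                return entries[target_ip][0], "found"
            return None, "on-link but not cached: ping it first"
    # ARP is not routed, so a host on another range never appears here.
    return None, "off-link: run arp from a host on that range"
```
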

Comments 1 Comment »

So you have domain admin rights, but that server just won’t play with remote desktop … you suspect a hung process, what do you do?

Have someone log into the console (if they can) ?

Or surely there is another way …

Windows XP (Surprisingly) has a command line tool set for just such an event, in this case the two commands. (Via command line Start > Run CMD)

TASKLIST

and

TASKKILL

Just run off the list of processes using TASKLIST and kill the “offending” process with TASKKILL, if you can not figure out how to do that by reading the documentation via the links above, then I really do not recommend you use this method.

Comments No Comments »

This one comes via Kerm.

We have an Exchange 2003 and Exchange 2007 server working side by side, with the 2003 server on the PDC (Primary Domain Controller).

Due to this when creating a new AD account from the PDC, even if you set the mailbox as being on the 2007 server, the mailbox will still show as “Legacy Mailbox”, to correct this you will need to launch the Exchange management shell and run the following command line:

Set-Mailbox -Identity "mbox_alias" -ApplyMandatoryProperties

et voila job done.

Comments No Comments »

Outlook is one of those programs we all love to hate at some point in time, particularly when it does something completely random like, say, _lose_ that selection of emails you were trying to move to another folder. If you can find these emails, e.g. one was flagged and is showing up under “flagged for follow up”, the “in folder” field displays IPM_SUBTREE.

Let’s start with some _conceptual_ background (In that this is how I logically see this working due to the errors that have occurred).

Your exchange mailbox is effectively a database, however in the more traditional sense of a “Containers” model.

i.e.

Grandparent > Parent > Child is a standard logical representation of programmatic relationships, in this case however it is more relevant to think of the structure as if it were a file system, with folders (containers).

i.e.

C:\Grand_Parent\Parent\Child

Ok, so that’s the “container” concept out of the way, now for the moving procedure. From what I can tell all mail is stored within the IPM_SUBTREE; this essentially is the CHILD object which contains a subset of further folders, inbox etc … (Grandchildren)

When copying / moving email to a folder in Outlook (Grandchild object), the email is first copied / moved to the IPM_SUBTREE (Child) folder. If an error occurs for any reason, however, that is where it stays!

The IPM_SUBTREE and higher up folders / containers are not visible in Outlook, so to the end user these emails are lost.

To the sys admin however you now know they are simply “misplaced”, to recover these you need a program that can see the IPM_SUBTREE, this is available from http://support.microsoft.com/?kbid=887724 “MFCMAPI_BIN.exe”

You will need to run this from the computer that is having problems; the user will also most likely need local administrative rights on that machine. Alternatively, as a Domain Administrator, set yourself with full rights to the problem mailbox and create a new Outlook profile.

After downloading the .exe you will be prompted to extract the program, i.e. to C:\MFCMAPI, now run it:

C:\MFCMAPI\MFCMapi.exe

Once started Click Session > “Logon and Display Store Tables”

You will then be prompted for a profile to use (Default: Outlook)

The top line in the Display Name field should read: “MailBox – Username”, click to select this line and right click to bring up the context menu, now click “Open Store”

You will be presented with a new window. On the left there will be a tree navigation displaying “Root – Mailbox”; expand this list and click on IPM_SUBTREE, then right click and select “Open Contents Table”. Again you will get a new window, ideally with nothing listed. If items are listed, select them, right click and choose copy messages.

Now close the window, right click the destination folder i.e. inbox, and “Open Contents Table”, in the new window right click anywhere in the list and select “Paste Messages”, you may also be prompted to choose whether to move or copy the messages.

Follow the prompts and once complete the messages will be in the destination folder.

Any problems leave a comment.

Comments 16 Comments »

The wirehub.net domain has not been renewed, meaning the registrar has taken over the DNS and it is now pointed at a “placeholder” page running adverts … meaning for anyone who was using the wirehub RBL, the lookups are now returning false positives and blocking everything. This is the 2nd open RBL to go down, with ORDB going offline previously.

Follow the post I put here to get the Wirehub list removed on exchange 2003
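
An added example, not part of the original post: a Python health check that catches this failure mode before it blocks mail, using the two test entries RFC 5782 defines for IPv4 lists (127.0.0.2 must be listed, 127.0.0.1 must never be). The zone name `dnsbl.example` and the function names are placeholders chosen for the illustration.

```python
import ipaddress
import socket


def dnsbl_name(ip, zone):
    """Build the query name: reversed IPv4 octets followed by the zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def system_resolver(name):
    """Return the A records for name, or [] when nothing resolves."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except OSError:  # covers socket.gaierror / socket.herror
        return []


def check_zone(zone, resolve=system_resolver):
    """Classify a DNSBL zone from its RFC 5782 test entries."""
    must_hit = resolve(dnsbl_name("127.0.0.2", zone))
    must_miss = resolve(dnsbl_name("127.0.0.1", zone))
    if must_miss:
        # A parked domain with wildcard DNS answers every name, so every
        # sending IP looks listed: remove the zone from the mail server.
        return "lists-everything"
    if not must_hit:
        return "dead"  # zone no longer answers; it filters nothing
    loopback = ipaddress.ip_network("127.0.0.0/8")
    if not all(ipaddress.ip_address(a) in loopback for a in must_hit):
        return "suspicious-answer"  # list replies belong in 127.0.0.0/8
    return "healthy"


if __name__ == "__main__":
    # Placeholder zone: substitute each list your mail server queries.
    print(check_zone("dnsbl.example"))
```

Run on a schedule against every configured list, anything other than "healthy" is a reason to pull that list from the filter configuration.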

Comments 1 Comment »

Creative Commons License