Recognize-Security

Trend Micro Internet Security Pro 2010 ActiveX extSetOwner() Remote Code Execution Exploit (meta)

Trancer — Tue, 28 Sep 2010 11:25:56 +0000

Here’s a Metasploit exploit module I wrote for the Trend Micro Internet Security Pro 2010 ActiveX extSetOwner() remote code execution vulnerability.

This vulnerability was originally discovered by Andrea Micalizzi aka rgod working with Zero Day Initiative. Abysssec Security Team published a binary analysis of this vulnerability as a part of MOAUB.

This module exploits a remote code execution vulnerability in Trend Micro Internet Security Pro 2010 UfProxyBrowserCtrl ActiveX control (UfPBCtrl.dll). The extSetOwner() function accepts a parameter and assumes it is an initialized pointer. When sending an invalid pointer to the extSetOwner() function of UfPBCtrl.dll an attacker may be able to execute arbitrary code.

Exploit successfully tested on the following platforms:
– Trend Micro Internet Security Pro 2010 on Internet Explorer 7, Windows XP SP3
– Trend Micro Internet Security Pro 2010 on Internet Explorer 7, Windows Vista SP2

Download trendmicro_extsetowner.rb.
Also on Metasploit and Exploit-Database #15168.

>> References:
CVE-2010-3189
OSVDB 67561
ZDI-10-165 – Andrea Micalizzi aka rgod via Zero Day Initiative
MOAUB #03 exploit
MOAUB #03 binary analysis

Stuxnet

Trancer — Mon, 27 Sep 2010 23:17:36 +0000

What can I say about the Stuxnet worm that hasn’t been said yet… It is one of the most media covered (read hyped) Malware\attack recently. The Stuxnet worm is by far the most sophisticated Malware ever seen.

Here are some of the highlights of the Stuxnet worm:

Discovered in June 2010 by VirusBlokAda, a Belarus based Anti-Virus vendor.
Targets Supervisory Control And Data Acquisition (SCADA) systems, specifically Siemens SIMATIC WinCC and PCS 7.
Programmable Logic Controllers (PLCs) reprogram capability.
Using three deferent vulnerabilities to spread itself, CVE-2010-2568 CPLINK vulnerability (MS10-046), CVE-2010-2729 Printer Spooler vulnerability (MS10-061) and CVE-2008-4250 Windows Server Service RPC Handling vulnerability (MS08-067) which was used by the Conficker worm. The first two were 0days.
Two more zero-day exploits which are still unpatched, both of them exploit privilege escalation vulnerabilities, one for Windows XP/2000 (via Keyboard layout file) and the second for Windows Vista/7 (via Task Scheduler).
Using a zero-day vulnerability in Siemens WinCC which abuses hard-coded credentials (uid=WinCCConnect;pwd=2WSXcder) and allows local users to access a back-end database and gain privileges (CVE-2010-2772)
Payloads are digitally signed by two stolen certificates of JMicron Technology Corporation and Realtek Semiconductor Corp (MrxCls.sys and MrxNet.sys)

Yeah, I know. That is one crazy worm.
Because of its complexity and sophistication, the knowledge it requires for attacking industrial infrastructure and the use of four deferent zero-day exploits, it is believed that the Stuxnet worm is a nation funded attack. Israel, the United States and NATO are the most speculated origins and the Bushehr Nuclear Power Plant or the Natanz nuclear facility are the most speculated targets. Whoever built it left almost no clues (b:\myrtus\src\objfre_w2k_x86\i386\guava.pdb). But in my opinion, with the amount of sophistication put in this attack, we’ll probably never get answers for these questions.

For further information and technical analysis of the Stuxnet worm I recommend reading:
– ESET analysis of the Stuxnet worm and compression to Operation Aurora – Stuxnet Under the Microscope or online on Google Docs.
– Symantec wrote some very detailed posts on Stuxnet – Symantec Connect.
– Langner security analysis of Stuxnet – Stuxnet is a directed attack — ‘hack of the century’.
– Securelist blog on Stuxnet.
– Stuxnet Questions and Answers by F-Secure.
– Symantec released a technical analysis white paper – W32.Stuxnet Dossier or online on Google Docs.

Update:
For anyone interested, here’s a sample of Win32/Stuxnet.A provided by Abysssec for educational purposes only – Stuxnet_stub_Unpacked.zip (password: abysssec).

Bruce Schneier: The Future of the Security Industry

Trancer — Mon, 27 Sep 2010 17:17:47 +0000

Here’s a bit old but still great presentation by Bruce Schneier about the future of the security industry. Nothing new, just wanted to share it. So if you haven’t seen this presentation yet, I strongly recommend you do.
OWASPMSP – Bruce Schneier: The Future of the Security Industry: IT is Rapidly Becoming a Commodity

Microsoft Windows Live Safety Scanner (OneCare) Download and Execute Exploit

Trancer — Tue, 21 Sep 2010 18:40:50 +0000

Here’s a vulnerability I’ve found in Microsoft Windows Live Safety Scanner (OneCare). I’m going full-disclosure with this vulnerability and I haven’t reported it to Microsoft because in my opinion, this vulnerability isn’t critical. Now let’s move on to the details.

Description:
A vulnerability has been found in Microsoft Windows Live Safety Center (OneCare) which allows an attacker to download and execute files (executables) to a victim machine.
User interaction is required to exploit this vulnerability. A user must open a local HTML file which initializes the Windows Live Safety Center ActiveX control (wlscCore.dll) and abuse the OneCareInstall() property to download and execute a file.
This vulnerability can only be exploited locally due to the safe for initialization and safe for scripting settings of the vulnerable ActiveX control, which are both set to False. This means exploitation is possible only from Local Machine Zone.
This vulnerability can be useful in various scenarios. For example, in a scenario when attacking a user via email, in the presence of an anti-virus system on the mail server which drops malicious content (such as executables), this exploit can come handy.

wlscCore.dll ActiveX details:
File: C:\Program Files\Windows Live Safety Center\wlscCore.dll
GUID: 55265A35-B335-44FE-BFB4-854E3461004D
Version: 1.12.6087.1
Safe for Script: False
Safe for Init: False
KillBitSet: False

Exploit successfully tested on the following platforms:
– Internet Explorer 6, Windows XP SP2
– Internet Explorer 7, Windows XP SP3
– Internet Explorer 8, Windows XP SP3

Credit:
Trancer of Recognize-Security (www.rec-sec.com)

Exploit – onecare_exploit.html

Novell iPrint Client ActiveX Control call-back-url Stack-based Buffer Overflow exploit (meta)

Trancer — Tue, 21 Sep 2010 15:38:10 +0000

And yet another Metasploit exploit module for Novell iPrint, this time for the Novell iPrint Client ActiveX control ‘debug’ stack-based buffer overflow vulnerability.

This vulnerability was originally discovered by Carsten Eiram of Secunia Research. Abysssec Security Team published a binary analysis of this vulnerability as a part of MOAUB.

This module exploits a stack-based buffer overflow in Novell iPrint Client version 5.42 and lower. When sending an overly long string to the ‘call-back-url’ parameter in an op-client-interface-version action of ienipp.ocx an attacker may be able to execute arbitrary code.

Exploit successfully tested on the following platforms:
– Novell iPrint Client 5.40 on Internet Explorer 7, Windows XP SP3
– Novell iPrint Client 5.42 on Internet Explorer 7, Windows XP SP3
– Novell iPrint Client 5.42 on Internet Explorer 7, Windows Vista SP2

Download novelliprint_callbackurl.rb.
Also on Metasploit and Exploit-Database #15072.

>> References:
CVE-2010-1527
OSVDB 67411
Original advisory by Carsten Eiram, Secunia Research
MOAUB #19 exploit
MOAUB #19 binary analysis

Novell iPrint Client ActiveX Control ‘debug’ Stack-based Buffer Overflow exploit (meta)

Trancer — Tue, 21 Sep 2010 15:15:06 +0000

Here’s a Metasploit exploit module I wrote for the Novell iPrint Client ActiveX control ‘debug’ stack-based buffer overflow vulnerability.

This vulnerability was originally discovered by Aaron Portnoy of TippingPoint DVLabs. Abysssec Security Team published a binary analysis of this vulnerability as a part of MOAUB.

This module exploits a stack-based buffer overflow in Novell iPrint Client version 5.40 and lower. When sending an overly long string to the ‘debug’ parameter in ExecuteRequest() property of ienipp.ocx an attacker may be able to execute arbitrary code.

Exploit successfully tested on the following platforms:
– Novell iPrint Client 5.32 on Internet Explorer 7, Windows XP SP3
– Novell iPrint Client 5.40 on Internet Explorer 7, Windows XP SP3
– Novell iPrint Client 5.40 on Internet Explorer 7, Windows Vista SP2

Download novelliprint_executerequest_dbg.rb.
Also on Metasploit and Exploit-Database #15073.

>> References:
CVE-2010-3106
OSVDB 66960
Original advisory by Aaron Portnoy, TippingPoint DVLabs
MOAUB #14 exploit
MOAUB #14 binary analysis

Advanced Heap Spraying Techniques

Trancer — Mon, 20 Sep 2010 07:52:24 +0000

In the January OWASP Israel meeting I did a presentation about new and advanced Heap Spraying techniques. It’s about time I publish it.

In the presentation I demonstrated two new techniques – Bitmap Heap Spraying and Silverlight Heap Spraying which I’ll publish here later on this week in addition to a few other new techniques, so stay tuned, it’ll be fun.

You can view the presentation online on Google Docs or you can download the slides here – Advanced Heap Spraying Techniques or from OWASP Israel.

Microsoft Internet Explorer iepeers.dll use-after-free exploit (meta)

Trancer — Wed, 10 Mar 2010 21:22:34 +0000

A new Microsoft Internet Explorer 0day exploit has been found circulating in-the-wild. According to Microsoft, there are targeted attacks attempting to use this vulnerability. Microsoft published a security advisory for this vulnerability here:
Microsoft Security Advisory (981374): Vulnerability in Internet Explorer Could Allow Remote Code Execution

The vulnerability is a use-after-free (invalid pointer reference) vulnerability within iepeers.dll and only Internet Explorer versions 6 and 7 are vulnerable. Internet Explorer 8 and 5 are not affected.

I’ve found this exploit in-the-wild on www.topix21century.com. The payload download and executes a binary file which connects back to notes.topix21century.com.
Here’s the exploit as it was found in-the-wild, a bit un-obfuscated and payload removed – ie_iepeers_wild.txt

And here’s a Metasploit exploit module for this vulnerability. Tested successfully on the following platforms:
– Microsoft Internet Explorer 7, Windows Vista SP2
– Microsoft Internet Explorer 7, Windows XP SP3
– Microsoft Internet Explorer 6, Windows XP SP3

Download ie_iepeers_pointer.rb.
Also on Metasploit.

As usual, this post will update with further references and updates when available.
Happy exploitation :-)

>> References:
CVE-2010-0806
OSVDB 62810
BID 38615
McAfee Labs Blog – Targeted Internet Explorer Zero-Day Attack Announced (CVE-2010-0806)
Symantec Connect – Zero-Day attack on IE6 – JS.Sykipot Doesn’t Spare Retired Software

>> Microsoft patched this vulnerability – MS10-018.

South River Technologies WebDrive Service Bad Security Descriptor Local Privilege Escalation exploit (meta)

Trancer — Tue, 26 Jan 2010 07:54:26 +0000

Here’s a local privilege escalation exploit I wrote, as a Metasploit Meterpreter script, for the South River Technologies WebDrive Service Bad Security Descriptor vulnerability.

This vulnerability was discovered by bellick of the Nine:Situations:Group and the original advisory can be found on the Nine:Situations:Group web site – South River Technologies WebDrive Service Bad Security Descriptor Local Elevation Of Privileges.
As you can understand from the advisory, local elevation of privileges is possible due to bad (empty actually) security descriptor of the South River Technologies WebDrive service.

This exploit was inspired by MC‘s HP PML Driver HPZ12 privilege escalation exploit.
In this exploit I’ve also added a mitigation option, which will set correct service security descriptor configuration for SRT WebDrive. Note that the vulnerability is still unpatched, exploit tested on the latest version of SRT WebDrive.

The exploit was successfully tested on the following platforms:
– South River Technologies WebDrive 9.02 build 2232 on Microsoft Windows XP SP3.

Download srt_webdrive_priv.rb.
Also on Metasploit and exploit-db.

References:
CVE-2009-4606
OSVDB 59080
BID 37955
exploit-db 9970

AOL 9.5 Phobos.Playlist Import() Stack-based Buffer Overflow exploit (meta)

Trancer — Mon, 25 Jan 2010 16:00:05 +0000

Wrote a new Metaspoit exploit module for the AOL 9.5 Phobos.Playlist ActiveX control Import() stack-based buffer overflow vulnerability.

This module exploits a stack-based buffer overflow within Phobos.dll of AOL 9.5. By setting an overly long value to ‘Import()’, an attacker can overrun a buffer and execute arbitrary code.

This vulnerability was found by Hellcode Research and was published recently by Dz_attacker. Still no patch from AOL, if you want to test it you can get the vulnerable package from the AOL 9.5 page.

The exploit was successfully tested on the following platforms:
– AOL 9.5 (Revision 4337.155) on Internet Explorer 7, Windows XP SP3

Phobos.dll version tested:
– File Version: 9.5.0.1
– ClassID: A105BD70-BF56-4D10-BC91-41C88321F47C
– RegKey Safe for Script: False
– RegKey Safe for Init: False
– Implements IObjectSafety: False
– KillBitSet: False

Due to the safe for initialization and safe for scripting settings of this ActiveX control, exploitation is possible only from Local Machine Zone, which means the victim must run the generated exploit file locally.

Download aol_phobos_bof.rb.
Also on Metasploit and exploit-db.

References:
OSVDB 61964
exploit-db 11204

Peter Van Eeckhoutte’s Exploit Writing Tutorials

Trancer — Fri, 22 Jan 2010 17:37:21 +0000

Hello everyone. If your in to exploit development or new to this and want to learn how to do it, here’s a series of tutorials by Peter Van Eeckhoutte (a.k.a corelanc0d3r), which I strongly recommend, that will give you solid knowledge in exploit writing.
Today Peter published the latest edition to his exploit writing tutorials about Win32 Egg Hunting. Check it out:

Enjoy the reading!

Recognize-Security on Twitter

Trancer — Thu, 21 Jan 2010 06:05:23 +0000

Hello readers,
From now on you can follow Recognize-Security on Twitter!
Check it out – @rec_sec

cPanel HTTP Response Splitting Vulnerability

Trancer — Thu, 21 Jan 2010 05:28:10 +0000

Security Advisory for cPanel and WHM (WebHost Manager) versions 11.25.
Vulnerabilities found:

HTTP Response Splitting vulnerability
Open Redirection vulnerability

cPanel HTTP Response Splitting Vulnerability – Security Advisory (PDF).
cPanel HTTP Response Splitting Vulnerability – Security Advisory (TXT).

I’d like to point out the lame work of the cPanel Security Team on these vulnerabilities. Usually when I report a vulnerability, I get some kind of interaction with the vendor developers and/or the security team, most of the times I enjoy working with the people involved. In this case, the cPanel Security Team were unresponsive. Eventually I was forced to release the security advisory even though one of the vulnerabilities (the Open Redirection vulnerability) is still unpatched.

References:
BID 37902
OSVDB 61954
exploit-db 11211

Nmap 5.20 released

Trancer — Thu, 21 Jan 2010 03:45:11 +0000

A new version of Nmap Security Scanner released today which is the first stable release since 5.00 – Nmap 5.20.
This version got tons of improvements such as improved UDP scanning, new Nmap Scripting Engine scripts, updated OS and version detection and more.
Check out the Change log and announcement of Nmap 5.20.
Download Nmap 5.20.

BackTrack Linux 4 released

Trancer — Thu, 21 Jan 2010 03:31:08 +0000

A new version for the penetration testers and security experts favorite Linux distrobution released – BackTrack Linux 4.

This version offers new tools, new kernel and tons of bug fixes. And, BackTrack Linux is no longer a part of remote-exploit.org, it got a new home at backtrack-linux.org.

I used the new version for the last couple of days and find it to be very useful and cool, recommended!
Download BackTrack Linux 4.