
Windows system

Cisco Security Advisory: Cisco Security Agent for Windows System Driver Remote Buffer Overflow Vulnerability


Cisco Security Advisory: Cisco Security Agent for Windows System Driver
Remote Buffer Overflow Vulnerability

Advisory ID: cisco-sa-20071205-csa

http://www.cisco.com/warp/public/707/cisco-sa-20071205-csa.shtml


Windows SMB NTLM Authentication Weak Nonce Vulnerability

Procedure Calls (DCE/RPC over SMB) [1].

NTLM (NT Lan Manager) is a challenge-response authentication protocol
used by the SMB protocol [2].

Windows systems commonly use the SMB protocol with NTLM authentication
for network file/printer sharing and remote administration via DCE/RPC.

Flaws in Microsoft's implementation of the NTLM challenge-response
authentication protocol causing the server to generate duplicate
challenges/nonces and an information leak allow an unauthenticated

ZDI-10-016: Microsoft Windows ShellExecute Improper Sanitization Code Execution Vulnerability

    http://www.tippingpoint.com

-- Vulnerability Details:
This vulnerability allows remote attackers to force a Microsoft Windows
system to execute a given local executable. User interaction is required
in that the target must access a malicious URL.

The specific flaw exists within the ShellExecute API. Using a specially
formatted URL an attacker can bypass sanitization checks within this
function and force the calling application into running an executable of

Microsoft Windows XP/2003 Macrovision SecDrv.sys privilege escalation (0day)

users to gain SYSTEM privileges via a buggy driver installed by default.

In his/her post, Elia brings us an important clue: "At the moment, it's
still not clear how the driver is used by Windows because this file does
not have the typical Microsoft file properties present in other Windows
system files". Such a file is not common, so looking for this sort of
.sys we come across a couple of them. One of those drivers is
*secdrv.sys*, which is developed by Macrovision as part of SafeDisc.
Mario Ballano (48bits.com) and I have been taking a look at the
driver and quickly found this interesting piece of code.


ASPR #2011-01-11-1: Remote Binary Planting in Multiple F-Secure Products

get launched by Firefox and inherit its CWD, but they also integrate a 
vulnerable 3rd party library QtCore4.dll, which blindly tries to load 
wintab32.dll whether this library is present on the system or not. In the 
latter case (i.e., on most systems), this DLL is not found in either the 
Firefox folder (%PROGRAMFILES%\Mozilla Firefox\) or any one of the Windows 
system folders as specified by the search path, and is then looked for in 
the CWD. If found there, wintab32.dll (planted by the attacker) is loaded 
and executed.

(Note that Firefox is doing nothing wrong here. Its CWD is set 
automatically by Windows Explorer upon user's double-clicking the HTML 

RE: [Full-disclosure] Windows Vista/7 lpksetup dll hijack

> context of the vulnerable application.
> 
> This is a LoadLibrary() load path bug.  The load library 
> search order is:
>    1. The directory from which the application loaded
>    2. 32-bit System directory (Windows\System32)
>    3. 16-bit System directory (Windows\System)
>    4. Windows directory (Windows)
>    5. Current working directory
>    6. Directories in the PATH environment variable
> As OracleOciLib is not used on target system, oci.dll does not 

PWDumpX v1.4 - Dumps domain password cache, LSA secrets, password hashes, and password history hashes.

PWDumpX -clph IPInputFile.txt + +
PWDumpX -clph IPInputFile.txt administrator password

If an input list of remote systems is supplied, PWDumpX will attempt to
obtain the requested information from each remote Windows system in a
multi-threaded fashion (up to 64 systems simultaneously).

==========

Tool location: http://reedarvin.thearvins.com/tools/PWDumpX14.zip


[CORRECTED] Microsoft Windows XP SP2/2003 - Macrovision SecDrv.sys privilege escalation (0day)

gain SYSTEM privileges via a buggy driver installed by default.

In his/her post, Elia brings us an important clue: "At the moment, it's
still not clear how the driver is used by Windows because this file does
not have the typical Microsoft file properties present in other Windows
system files". Such a file is not common, so looking for this sort of
.sys we come across a couple of them. One of those drivers is
secdrv.sys, which is developed by Macrovision as part of SafeDisc.
Mario Ballano (48bits.com) and I have been taking a look at the
driver and quickly found this interesting piece of code.


Local Kernel Buffer Overflow vulnerability in Avast!

//----- Description of vulnerability

The File System Filter driver is prone to a local kernel buffer overflow.
This vulnerability allows an intruder to gain SYSTEM privileges on a Windows
system from a limited user account.


//----- Proof Of Concept

http://www.sysdream.com/LocalEscalation_Avast.rar

Webroot Desktop Firewall <=5.5.10.20 DNS recursion

II. DESCRIPTION
DNS tunnelling involves inserting data into the DNS packet using "space" in the packet that can take additional data. For example, a DNS packet can contain a TXT record into which any text, up to 220 bytes, can be inserted. You fragment the data, maybe an HTTP request, add it to the packet, and send the modified DNS traffic over the web to a receiving server. It reassembles the sent data and enables internet access. DNS packets can be used to transfer extra data, and this is why they should be controlled by firewalls like any other packets.

III. ANALYSIS
Using the Windows DNS API can help an attacker make data transfer possible. If a successful recursive DNS query for "x-site" is done, it is possible to transfer information from your computer past personal and network firewalls. There is a "stealth" way of checking DNS connectivity using Windows System Services (services.exe / svchost.exe), and if it is not controlled there is a possibility of creating a covert channel.

Additional links:
NSTX-suite by Florian Heinz and Julien Oster (http://nstx.dereference.de)

Gray-World NET Team (http://gray-world.net/papers.shtml)

[security bulletin] HPSBMA02258 SSRT071470 rev.1 - HP System Management Homepage (SMH) for Windows, Incomplete Update Installation

A potential security vulnerability has been identified with HP System Management Homepage (SMH) for Windows on systems which are also running HP Version Control Agent (VCA) or Version Control Repository Manager (VCRM). The vulnerability may result in the incomplete installation of OpenSSL updates, including security updates. 

References: none

SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
HP System Management Homepage (SMH) on Windows systems which are also running HP Version Control Agent (VCA) or Version Control Repository Manager (VCRM) 

BACKGROUND

Updates to HP System Management Homepage (SMH) on Windows systems which are also running HP Version Control Agent (VCA) or Version Control Repository Manager (VCRM) may leave the previous OpenSSL software active in memory until the system is rebooted.


Cisco Security Advisory: CiscoWorks Internetwork Performance Monitor CORBA GIOP Overflow Vulnerability

CiscoWorks IPM versions 2.6 and earlier for Windows contain a buffer
overflow vulnerability when processing Common Object Request Broker
Architecture (CORBA) GIOP requests. By sending a crafted CORBA GIOP
request, a remote, unauthenticated attacker may be able to trigger
the buffer overflow condition and execute arbitrary code with SYSTEM
privileges on affected Windows systems. This vulnerability is
documented in Cisco Bug ID CSCsv62350 and has been assigned the
Common Vulnerabilities and Exposures (CVE) CVE-2010-0138.

Vulnerability Scoring Details
=============================



Copyright © 1995-2012 LinuxRocket.net. All rights reserved.