Tool: Identify vulnerable share permissions to prevent data leakage

Windows File Sharing Vulnerabilities

Windows file sharing permissions are based on the popular Discretionary Access Control (DAC) model. This essentially means that the owner of the resource uses his or her discretion when deciding who should be permitted access. Access is granted to either an individual user or a group of users; unfortunately, file shares are rarely configured with security as a top priority and the path of least resistance is often taken. Vulnerabilities commonly arise when access to a confidential resource is granted to a group containing users who should not be permitted to access it, or when a generalised group such as “Everyone” has erroneously been included.
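As an added illustration of the DAC point above (example code written for this page, not part of ShareCheck or the original post), the Python below models share access control entries and applies the two checks a share-permission review needs: flagging allow entries that hand a generalised group access, and working out what a supplied low-privileged user can effectively reach. The ACE model, the list of generalised groups and the severity labels are assumptions made here; the hosts, shares and principals are constructed sample data.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Broad groups that should rarely appear on a confidential share (assumed list;
# extend it with any site-specific catch-all groups).
GENERALISED_GROUPS = {
    "everyone", "authenticated users", "domain users", "users",
    "anonymous logon", "guests",
}
WRITE_RIGHTS = {"write", "change", "full"}


@dataclass
class Ace:
    principal: str            # user or group, e.g. "CORP\\Domain Users"
    right: str                # "read", "write", "change" or "full"
    ace_type: str = "allow"   # "allow" or "deny"


@dataclass
class Share:
    host: str
    name: str
    aces: List[Ace] = field(default_factory=list)

    @property
    def unc(self) -> str:
        return f"\\\\{self.host}\\{self.name}"


def _short_name(principal: str) -> str:
    """Drop a DOMAIN\\ or BUILTIN\\ prefix and normalise case for comparison."""
    return principal.rsplit("\\", 1)[-1].strip().lower()


def assess_share(share: Share) -> List[str]:
    """Findings for one share: every allow ACE that grants a generalised group
    access is reported, write-class rights as HIGH and read as MEDIUM."""
    findings = []
    for ace in share.aces:
        if ace.ace_type != "allow":
            continue
        if _short_name(ace.principal) in GENERALISED_GROUPS:
            sev = "HIGH" if ace.right.lower() in WRITE_RIGHTS else "MEDIUM"
            findings.append(f"{sev}: {share.unc} grants {ace.right} to "
                            f"generalised group '{ace.principal}'")
    return findings


def assess_shares(shares: List[Share]) -> Dict[str, List[str]]:
    """Map UNC path -> findings, for shares with at least one finding."""
    return {s.unc: f for s in shares if (f := assess_share(s))}


def effective_right(share: Share, identities: Set[str]) -> Optional[str]:
    """Best allow right for a user whose own name and group memberships are
    given in `identities`. Simplified share-DACL rule: a matching deny ACE wins
    outright, otherwise "write" beats "read"; None means no access. NTFS
    permissions on the underlying folder are not modelled."""
    names = {_short_name(p) for p in identities}
    best = None
    for ace in share.aces:
        if _short_name(ace.principal) not in names:
            continue
        if ace.ace_type == "deny":
            return None
        if ace.right.lower() in WRITE_RIGHTS:
            best = "write"
        elif best is None:
            best = "read"
    return best


# Constructed sample data: two hosts, three shares.
SAMPLE = [
    Share("192.168.1.10", "Finance", [Ace("CORP\\Finance-Team", "change"),
                                      Ace("CORP\\Domain Users", "read")]),
    Share("192.168.1.10", "Public", [Ace("Everyone", "full")]),
    Share("192.168.1.11", "HR", [Ace("CORP\\HR-Staff", "change"),
                                 Ace("Everyone", "full", ace_type="deny")]),
]

if __name__ == "__main__":
    for unc, findings in assess_shares(SAMPLE).items():
        print(unc)
        for f in findings:
            print("  " + f)
    bob = {"CORP\\bob", "CORP\\Domain Users", "Everyone"}
    for s in SAMPLE:
        print(s.unc, "->", effective_right(s, bob))
```

On a real estate the ACE list would come from each host's share DACL (for example the output of Get-SmbShareAccess on the host itself). Because the folder's NTFS ACL is not modelled, a "write" result here is an upper bound that the folder permissions may still restrict, which is why a tool such as ShareCheck tests the access empirically with a real account rather than reasoning from the DACL alone.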

Download: ShareCheck

Sec-1 ShareCheck

Sec-1 ShareCheck was written during a penetration test to assess a given IP address range for weak file share permissions. The tool's output is an HTML table containing:

  • The IP address
  • Account lockout threshold
  • A list of local administrators
  • Shares which the supplied user can access
  • Shares which the supplied user can write to

In the course of a penetration test local administrator accounts could then be targeted in an attempt to compromise the host and network.

Usage

ShareCheck is a command line tool written in Python.

To use ShareCheck, configure a user account with limited permissions, i.e. a regular user. The results of running ShareCheck will illustrate what this user can and cannot access.

Command line example:

Assess the IP range 192.168.0.1-254 using the username “Bob” and the password “datastealer”, saving the results in report.html:

sharecheck.exe 192.168.1.0/24 bob datastealer report.html

Posted in Tools

Paper: Buffer Truncation Abuse in Microsoft SQL Server Based Applications

This paper documents an attack technique Sec-1 recently adopted during the course of their application assessments. The basic principle of this technique has existed for some time; however, we hope this paper will provide an insight into how a variation of the technique can be adopted to attack common forgotten-password functionality within web applications.

The document is split into two sections. The first section covers the principles of the technique and the second is an attack case study against a commercial application.

Download: Buffer Truncation Abuse Paper

Posted in White Papers

Advisory: Collaboration Data Objects Buffer Overflow Vulnerability

                                SEC-1 LTD.
                              www.sec-1.com

Collaboration Data Objects Buffer Overflow Vulnerability
Application: Multiple applications that implement CDO
Platform: Windows
Severity: Critical. Remote Code Execution
Author: Gary O'Leary-Steele
Vendor Status: Patch Released
CVE Candidate: CAN-2005-1987
Reference: http://www.sec-1.com
Disclosed: 12/October/2005
Vulnerability Details:

Sec-1 has identified an exploitable buffer overflow within Collaboration Data
Objects (Cdosys.dll and Cdoex.dll). The vulnerability exists when event sinks
are used within Microsoft Exchange 2000 or Microsoft mail services to parse
email content. Several content security packages were identified as vulnerable.
The vulnerability can be exploited by crafting an email with a large header
name such as "Content-Type<LARGE STRING>:". A failure to correctly determine
the length of the string results in a stack overflow. Successful exploitation
of the vulnerability could allow the attacker to gain complete control of the
vulnerable host. In some cases the vulnerability can also be used to bypass
content security mechanisms such as virus and content scanners.
http://www.microsoft.com/technet/security/bulletin/MS05-048.mspx
Exploit Download: cdo_exploit

Posted in Advisories

Advisory: GFI MailSecurity 8.1 Web Module Buffer Overflow

SEC-1 LTD.
www.sec-1.com

Release Date: 12/October/2005
Application: GFI MailSecurity For SMTP version 8.1
Severity: Remote Code Execution
Author: Gary O’Leary-Steele
Vendor Status: Patch Released
Reference: http://www.sec-1.com

Overview:

Taken from gfi.com

GFI MailSecurity for SMTP is a Content filtering, anti-virus and
Email Intrusion prevention product from GFI. GFI MailSecurity
is available as an SMTP gateway version and for VS API.
The gateway version should be deployed at the perimeter
of the network as a mail relay server and scans inbound and
outbound mail. The VS API version integrates seamlessly with
Exchange Server 2000/2003 and scans the Exchange information stores.
Both versions can be deployed simultaneously to achieve optimum
protection.

Vulnerability Details:

Sec-1 has identified an exploitable buffer overflow within the HTTP
management interface. By sending large strings within several areas
of the HTTP request (such as a large ‘Host’ or ‘Accept’ header),
critical portions of memory are overwritten. The vulnerability can be
easily recreated using an HTTP fuzzer such as the @stake WebProxy.
Successful exploitation of the vulnerability could allow the attacker
to gain complete control of the vulnerable host.

Vendor Response:

The vendor has released information and a patch:

KB: http://kbase.gfi.com/showarticle.asp?id=KBID002451
Patch: ftp://ftp.gfi.com/patches/MSEC8_PATCH_20050919_01.zip

Common Vulnerabilities and Exposures (CVE) Information:

The Common Vulnerabilities and Exposures (CVE) project has assigned
the following names to these issues.  These are candidates for
inclusion in the CVE list (http://cve.mitre.org), which standardizes
names for security problems.
Copyright 2005 Sec-1 LTD. All rights reserved.

Posted in Advisories

Advisory: RSA SecurID Web Agent Heap Overflow

Sec-1 Security Advisory
Advisory Name : RSA SecurID Web Agent Heap Overflow
Release Date : 06-05-2005
Application : RSA SecurID Web Agent 5 & 5.2 & 5.3
Platform : Windows 2000 / IIS
Severity : Remote Code Execution
Author : Gary O’Leary-Steele
Reported : See time line section below
Vendor Status : See vendor statement in vendor response below
Website : http://www.sec-1.com/blog
Overview:

RSA SecurID(R) is a popular strong authentication package deployed using a variety of hardware or software authentication tokens. RSA SecurID(R) two-factor authentication is based on something you know (a password or PIN) and something you have (an authenticator), providing a much more reliable level of user authentication than a reusable password.

Vulnerability Summary:

Sec-1 has identified an exploitable heap overflow within the Web Agent which could be used to execute code with LocalSystem privileges. Using the chunked-encoding mechanism to send a large “chunk” of data, it is possible to overwrite critical portions of the heap, which could lead to remote code execution or a denial of service condition. Sec-1 were able to exploit this vulnerability to gain remote access to a Windows IIS installation (Windows 2000 SP4 + all current MS patches) with the RSA SecurID Web Agent installed.
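The CDO advisory above (an oversized header name), the GFI MailSecurity advisory (oversized Host and Accept headers) and this advisory (an oversized chunk) share one root cause: a parser that sizes a copy from a length taken out of the input rather than from the buffer it owns. The Python below is an added example, not code from the advisories, from Sec-1 or from any affected product, of the bounds a mail gateway or HTTP front end can enforce before a message reaches a native parser. RFC 5322's 998-octet line limit is a standard value; the HTTP line cap, the header-name cap and the per-chunk cap are assumptions chosen here, and every sample message is constructed.

```python
import re
from typing import List

# Limits. MAIL_MAX_LINE is the RFC 5322 section 2.1.1 hard limit (998 octets,
# CRLF excluded); the HTTP line cap, header-name cap and chunk cap are assumed
# values for this example, not taken from any product or standard.
MAIL_MAX_LINE = 998
HTTP_MAX_LINE = 8192
MAX_HEADER_NAME = 64
MAX_CHUNK = 1 << 20          # 1 MiB per chunk

# RFC 5322 field-name: printable US-ASCII except ':' (HTTP tokens are a subset).
FIELD_NAME_RE = re.compile(rb"([!-9;-~]+):")
# Strict chunk-size: 1..16 hex digits, no sign, prefix or whitespace accepted.
CHUNK_SIZE_RE = re.compile(rb"[0-9A-Fa-f]{1,16}")


def check_header_block(raw: bytes, max_line: int, skip_first_line: bool = False) -> List[str]:
    """Return the problems found in the header section of `raw` (empty = accept)."""
    problems = []
    head = raw.split(b"\r\n\r\n", 1)[0]
    for n, line in enumerate(head.split(b"\r\n"), 1):
        if len(line) > max_line:
            problems.append(f"line {n}: {len(line)} octets exceeds line limit {max_line}")
        if n == 1 and skip_first_line:
            continue                      # HTTP request line carries no field name
        if line[:1] in (b" ", b"\t"):
            continue                      # folded continuation of the previous field
        m = FIELD_NAME_RE.match(line)
        if not m:
            problems.append(f"line {n}: no field name terminated by ':'")
            continue
        if len(m.group(1)) > MAX_HEADER_NAME:
            problems.append(f"line {n}: field name of {len(m.group(1))} octets "
                            f"exceeds {MAX_HEADER_NAME}")
    return problems


def check_mail_headers(raw: bytes) -> List[str]:
    return check_header_block(raw, MAIL_MAX_LINE)


def check_http_request_headers(raw: bytes) -> List[str]:
    return check_header_block(raw, HTTP_MAX_LINE, skip_first_line=True)


def check_chunked_body(raw: bytes) -> List[str]:
    """Validate every chunk-size declaration against the cap and against the
    bytes actually present, so a declared size is never trusted as a copy length."""
    pos = 0
    while True:
        end = raw.find(b"\r\n", pos)
        if end < 0:
            return ["truncated chunk-size line"]
        size_field = raw[pos:end].split(b";", 1)[0].strip()   # drop chunk extensions
        if not CHUNK_SIZE_RE.fullmatch(size_field):
            return [f"malformed chunk size {size_field!r}"]
        size = int(size_field, 16)
        if size > MAX_CHUNK:
            return [f"chunk size {size} exceeds cap {MAX_CHUNK}"]
        if size == 0:
            return []                     # last-chunk marker: body accepted
        data_start = end + 2
        available = len(raw) - data_start
        if available < size + 2:
            return [f"declared {size} bytes but only {available} present"]
        if raw[data_start + size:data_start + size + 2] != b"\r\n":
            return ["chunk data not terminated by CRLF"]
        pos = data_start + size + 2


# Constructed sample inputs.
MAIL_OK = (b"From: alice@example.test\r\nTo: bob@example.test\r\n"
           b"Content-Type: text/plain\r\n\r\nhello")
MAIL_LONG_NAME = (b"From: alice@example.test\r\n"
                  b"Content-Type" + b"A" * 200 + b": text/plain\r\n\r\nhello")
HTTP_OK = b"GET /admin/ HTTP/1.0\r\nHost: mail.example.test\r\nAccept: */*\r\n\r\n"
HTTP_LONG_HOST = b"GET /admin/ HTTP/1.0\r\nHost: " + b"A" * 9000 + b"\r\n\r\n"
CHUNK_OK = b"5\r\nhello\r\n0\r\n\r\n"
CHUNK_HUGE = b"FFFFFFFF\r\nAAAA\r\n0\r\n\r\n"
CHUNK_SHORT = b"10\r\nabc\r\n"

if __name__ == "__main__":
    for label, result in [("mail ok", check_mail_headers(MAIL_OK)),
                          ("mail long name", check_mail_headers(MAIL_LONG_NAME)),
                          ("http ok", check_http_request_headers(HTTP_OK)),
                          ("http long host", check_http_request_headers(HTTP_LONG_HOST)),
                          ("chunk ok", check_chunked_body(CHUNK_OK)),
                          ("chunk huge", check_chunked_body(CHUNK_HUGE)),
                          ("chunk short", check_chunked_body(CHUNK_SHORT))]:
        print(label, "->", result or "accepted")
```

The chunk check deliberately refuses to read a single byte of chunk data until the declared size has been compared with the bytes on hand; that ordering, not the particular caps, is what separates it from the vulnerable parsers in these advisories.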
Exploit:
A proof of concept exploit has been provided to RSA.
Exploit: InsecureIDa
Timeline:

29-02-2004 : Directly contacted RSA via all public addresses; worked with another security consultancy in an attempt to contact the RSA product security team.
04-2005 : RSA contacted via telephone
15-04-2005 : NISCC informed (http://www.niscc.gov.uk/)
18-04-2005 : Reverse shell proof of concept sent to RSA for v5.2 of product
18-04-2005 : RSA send version 5.3 of product for testing
19-05-2005 : Initial proof of concept sent to RSA for v5.3 of product
21-04-2005 : RSA confirm crash within product
22-04-2005 : Reliable reverse shell proof of concept sent to RSA for v5.3 of product
25-04-2005 : RSA send patch for testing
05-05-2005 : RSA release patch
06-05-2005 : Disclosure
Vendor Response:
RSA have made a patch available for this vulnerability: To get this new patch and documentation, log on to RSA SecurCare Online at https://knowledge.rsasecurity.com and click “Downloads” in the left navigation menu. Then, click “Fixes by Product”, click “RSA SecurID”, and “Authentication Agent 5.x”, and select the downloads and documentation that pertain to your environment.
Common Vulnerabilities and Exposures (CVE) Information:
The Common Vulnerabilities and Exposures (CVE) project has assigned the following names to these issues. These are candidates for inclusion in the CVE list (http://cve.mitre.org), which standardizes names for security problems.
CVE : CAN-2005-1471
Copyright 2011 Sec-1 LTD. All rights reserved.
Posted in Advisories

Advisory: Cain & Abel PSK Sniffer Heap overflow

                                SEC-1 LTD.
                              www.sec-1.com

Advisory Name: Cain & Abel PSK Sniffer Heap overflow
Release Date: 18/03/2005
Application: Cain & Abel 2.65

Platform: Windows
Severity: Remote Code Execution
Author: Gary O'Leary-Steele

Vendor Status: Fixed 16/03/2005

Overview:

Cain & Abel is a password recovery tool for Microsoft Operating Systems.
It allows easy recovery of various kind of passwords by sniffing the network,
cracking encrypted passwords using Dictionary, Brute-Force and Cryptanalysis
attacks, recording VoIP conversations, decoding scrambled passwords, revealing
password boxes and analyzing routing protocols.

Details:

Sec-1 has identified an exploitable heap overflow within the PSK Sniffer
which could lead to arbitrary code execution. By sending a large 'ID' parameter
within the IKE packet it is possible to overwrite critical portions of the heap,
which could lead to remote code execution or a denial of service condition.

Sec-1 were able to exploit this vulnerability by overwriting the
pointer to RtlEnterCriticalSection().
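The same length discipline for the binary case, as an added Python example (not Cain & Abel's code and not Sec-1's exploit): it walks the ISAKMP payload chain of an IKE packet and refuses any payload whose declared length disagrees with the bytes actually received, and caps the Identification payload's data before anything is copied out of it. Field layouts follow RFC 2408 (28-byte ISAKMP header, 4-byte generic payload header, 4 fixed bytes in the ID payload before the identification data); the 256-byte cap, the build_packet helper and the sample packets are constructed for this example.

```python
import struct
from typing import Iterator, List, Tuple

# RFC 2408 layouts: ISAKMP header (28 bytes) and generic payload header (4 bytes).
ISAKMP_HDR = struct.Struct("!8s8sBBBBII")   # i-cookie, r-cookie, next, ver, exch, flags, msgid, length
PAYLOAD_HDR = struct.Struct("!BBH")          # next payload, reserved, payload length (incl. header)
PAYLOAD_ID = 5                               # Identification payload type
ID_FIXED = 4                                 # ID type (1) + DOI-specific data (3) precede the ID data
MAX_ID_DATA = 256                            # assumed cap on identification data for this example


def walk_isakmp(pkt: bytes) -> Iterator[Tuple[int, bytes]]:
    """Yield (payload_type, body) for every payload; raise ValueError as soon as
    a declared length disagrees with the bytes actually present."""
    if len(pkt) < ISAKMP_HDR.size:
        raise ValueError("packet shorter than ISAKMP header")
    _ic, _rc, next_p, _ver, _exch, _flags, _msgid, total = ISAKMP_HDR.unpack_from(pkt)
    if total != len(pkt):
        raise ValueError(f"header length {total} != {len(pkt)} bytes received")
    off = ISAKMP_HDR.size
    while next_p != 0:
        remaining = len(pkt) - off
        if remaining < PAYLOAD_HDR.size:
            raise ValueError("truncated payload header")
        nxt, _res, plen = PAYLOAD_HDR.unpack_from(pkt, off)
        if plen < PAYLOAD_HDR.size or plen > remaining:
            raise ValueError(f"payload length {plen} inconsistent with {remaining} bytes remaining")
        body = pkt[off + PAYLOAD_HDR.size:off + plen]
        if next_p == PAYLOAD_ID:
            if len(body) < ID_FIXED:
                raise ValueError("ID payload shorter than its fixed fields")
            if len(body) - ID_FIXED > MAX_ID_DATA:
                raise ValueError(f"ID data of {len(body) - ID_FIXED} bytes exceeds cap {MAX_ID_DATA}")
        yield next_p, body
        off += plen
        next_p = nxt
    if off != len(pkt):
        raise ValueError(f"{len(pkt) - off} trailing bytes after last payload")


def validate(pkt: bytes) -> str:
    """'ok' when every payload passes, otherwise the first problem found."""
    try:
        list(walk_isakmp(pkt))
        return "ok"
    except ValueError as e:
        return str(e)


def build_packet(payloads: List[Tuple[int, bytes]]) -> bytes:
    """Constructed helper for the samples: assemble a well-formed aggressive-mode
    packet (exchange type 4) from (payload_type, body) pairs."""
    chain = b""
    for i, (_ptype, body) in enumerate(payloads):
        nxt = payloads[i + 1][0] if i + 1 < len(payloads) else 0
        chain += PAYLOAD_HDR.pack(nxt, 0, PAYLOAD_HDR.size + len(body)) + body
    first = payloads[0][0] if payloads else 0
    hdr = ISAKMP_HDR.pack(b"\x11" * 8, b"\x00" * 8, first, 0x10, 4, 0, 0,
                          ISAKMP_HDR.size + len(chain))
    return hdr + chain


# Constructed samples. ID type 2 = FQDN; the SA payload body is opaque here.
GOOD = build_packet([(1, b"\x00" * 8),
                     (PAYLOAD_ID, b"\x02\x00\x00\x00" + b"gw.example.test")])
OVERSIZED_ID = build_packet([(PAYLOAD_ID, b"\x02\x00\x00\x00" + b"A" * 600)])
# Declares a 65535-byte payload while the packet carries 12 bytes after the header.
_lying = PAYLOAD_HDR.pack(0, 0, 0xFFFF) + b"\x02\x00\x00\x00host"
LYING_LENGTH = ISAKMP_HDR.pack(b"\x11" * 8, b"\x00" * 8, PAYLOAD_ID, 0x10, 4, 0, 0,
                               ISAKMP_HDR.size + len(_lying)) + _lying

if __name__ == "__main__":
    for label, pkt in [("good", GOOD), ("oversized id", OVERSIZED_ID), ("lying length", LYING_LENGTH)]:
        print(label, "->", validate(pkt))
```

A sniffer that parses IKE off the wire is exposed to exactly the inputs it was written to observe, so the payload-length and ID-length checks belong before any allocation sized from the packet, which is the ordering this walker enforces.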

Vendor Response:

Fixed. Download and install the latest version.

Exploit: cain

Common Vulnerabilities and Exposures (CVE) Information:

The Common Vulnerabilities and Exposures (CVE) project has assigned
the following names to these issues.  These are candidates for
inclusion in the CVE list (http://cve.mitre.org), which standardizes
names for security problems.

Copyright 2004 Sec-1 LTD. All rights reserved.
Posted in Advisories