InfoSec News

Metasploit's Service Trusted Path Privilege Escalation exploit takes advantage of the unquoted service path vulnerability outlined in CVE-2005-1185, CVE-2005-2938 and CVE-2000-1128. The vulnerability abuses the way Windows parses directory paths to execute code. Consider the following command line.

C:\windows\system32\notepad \temp\file.txt

This tells Windows to launch notepad.exe from the C:\windows\system32\ directory and pass it the argument \temp\file.txt. The result is that notepad.exe will execute and begin editing file.txt from the temp directory. How does Windows differentiate between the program and the arguments? The SPACE is used as a delimiter between the program to execute and its arguments. Now consider this command line.

C:\program files\Microsoft Office\Winword.exe

If space is used as a delimiter, wouldn't Windows think you are trying to execute the program C:\PROGRAM.EXE and pass it the argument files\Microsoft Office\Winword.exe? Or maybe you are trying to execute C:\Program files\Microsoft.exe and pass it the argument Office\Winword.exe? So how does it know what you are trying to do? If the software developer places quotation marks around the path, then Windows knows the spaces are spaces and not delimiters. If the software developer fails to put the path in quotes, then Windows just doesn't know. If Windows doesn't know, then it tries to execute all the possible programs in the path: first it tries C:\Program.exe, then it tries C:\Program files\Microsoft.exe, and finally the path we intended for it to execute.

This programming error is very common because when a developer is addressing paths on the file system, they are usually stored in strings. Because the path is already inside a string, the developer has used quotes once and often fails to consider that a second set of quotes is needed inside the string. For example, the following line would incorrectly assign the path variable.

pathvariable = "C:\Program Files\Common Files\Java\Java Update\jusched.exe"

Really, the developer needs to double quote it, because the path itself needs to contain quotes. So they should have assigned their variable by doing something like this:

pathvariable = "\"C:\Program Files\Common Files\Java\Java Update\jusched.exe\""

In the first case, an attacker can strategically place a program in the path and his program will be executed instead of the intended program. If the process runs under administrative privileges or some account other than the attacker's, this can be used to execute code under a different set of privileges.

We have known about these types of vulnerabilities for 12 years now. So much so that if you create a file called c:\program.exe, Windows will generate this pop up when you reboot the machine.

With such an old vulnerability, surely very few programs suffer from this problem, right? You might be surprised at how often this vulnerability occurs. So let's start fixing it! This is an easy problem to identify. Here are some steps you can follow to identify applications that fail to quote their file paths directly. Then you can help fix this by contacting the vendor to have them fix these issues.

First you need to copy any existing executable and create a program named c:\program.exe. For example, take a copy of calc.exe and name it c:\program.exe. Then make a copy of calc.exe named c:\program files\common.exe. Last, create a copy of calc.exe called c:\documents.exe. Then go about your business and use your computer as you normally would. Sometime while you are running normal applications, they will accidentally launch the renamed calc.exe. System reboots, services and scheduled tasks may trigger calculator. Whatever the cause, eventually you will likely run a vulnerable program and it will launch your renamed calculator. Several days may pass between the time you create the files and the time they are executed. Remember that you did this when strange copies of calc.exe start spontaneously launching on your computer. Once one of your copies of calculator executes, first find out which one of your calc.exe programs launched and who launched it. Use WMIC to query which copy of your calculator is running like this.

Here you can see that this query for program.exe returns the command line that was executed when our executable launched. This program failed to properly quote the system path and launched your renamed program. Often you can identify the vendor responsible for the software from just the command line that launched your program, but it is also often useful to know the parent process that launched that command line. To find out what program launched the unquoted path, we use the following commands.

There you go, bug hunter. You found a 0-day vulnerability! Now notify the vendor so they can patch it and keep everyone safe. While you are at it, you can notify us if you would like.
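The search order the diary walks through for Winword, turned into a check you can run over service ImagePath values, as an added example in Python (not the diary's own WMIC commands; the service names and paths below are constructed):

```python
"""Added example: CreateProcess search order for unquoted command lines, plus an ImagePath audit."""
import re

EXE_EXT = re.compile(r"\.exe$", re.IGNORECASE)

def _prefixes(cmdline: str) -> list:
    """Every space-delimited prefix of an unquoted command line, shortest first."""
    words = cmdline.strip().split(" ")
    return [" ".join(words[:i]) for i in range(1, len(words) + 1)]

def _as_program(prefix: str) -> str:
    """CreateProcess appends .exe when the last path component has no extension."""
    return prefix if "." in prefix.rsplit("\\", 1)[-1] else prefix + ".exe"

def search_order(cmdline: str) -> list:
    """Programs Windows tries, in order: one for a quoted line, one per space-delimited prefix otherwise."""
    cmdline = cmdline.strip()
    if cmdline.startswith('"'):
        end = cmdline.find('"', 1)
        return [cmdline[1:end] if end > 0 else cmdline[1:]]
    return [_as_program(p) for p in _prefixes(cmdline)]

def hijack_candidates(image_path: str) -> list:
    """Paths tried *before* the intended executable of a service ImagePath. Assumption: the
    intended image is the first prefix already ending in .exe; later prefixes are arguments."""
    if image_path.strip().startswith('"'):
        return []
    found = []
    for prefix in _prefixes(image_path):
        if EXE_EXT.search(prefix):
            break  # reached the real executable; anything after it is argument text
        found.append(_as_program(prefix))
    return found

def audit_services(services: dict) -> dict:
    """Map each service whose ImagePath needs quoting to the locations Windows would try first."""
    report = {}
    for name, path in services.items():
        hits = hijack_candidates(path)
        if hits:
            report[name] = hits
    return report

# Constructed sample ImagePath values (not real services) so the example runs stand-alone.
SAMPLE_SERVICES = {
    "GoodQuoted": '"C:\\Program Files\\Vendor App\\svc.exe" -run',
    "GoodNoSpace": "C:\\Windows\\system32\\svchost.exe -k netsvcs",
    "BadUnquoted": "C:\\Program Files\\Common Files\\Java\\Java Update\\jusched.exe",
}
```

On a real host, feed audit_services the ImagePath values read from HKLM\SYSTEM\CurrentControlSet\Services; the calc.exe-renaming test above catches the same cases dynamically, this catches them statically.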

Join me in San Antonio, Texas on November 27th for SANS504 Hacker Techniques, Exploits and Incident Response! Register Today!!

Follow me on Twitter @MarkBaggett

Mark Baggett
(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Just as mobile operators start to get their networks back up in most areas affected by Hurricane Sandy last week, another storm is heading for the region that was hardest hit.
A federal judge in Ohio today rejected claims by Ohio Green Party co-chairman Bob Fitrakis that software recently installed on vote tabulation machines in more than two dozen counties in the state posed a threat to the integrity of ballots cast in today's General Election.
Microsoft will provide information about the location and quality of free Wi-Fi hotspots in Windows Phone 8 so users can find the best nearby networks.
Google has released a Chrome browser update with a video decoding enhancement that the company claims will help users save battery life.
An electronic voting machine was temporarily taken out of service in Perry County, Pa., after a voter filmed it changing his vote for President Obama into one for Gov. Mitt Romney.
Microsoft makes more than $300 on each Surface RT tablet it sells, showing that the company has adopted the business model of its rival, Apple, analysts said.
About 200 Android applications currently hosted on Google Play create spoofed SMS messages on the devices they are installed on, according to security researchers from antivirus vendor Symantec.
Nextel, an upstart mobile operator formed in the 1990s that attracted a loyal following in construction and other trades, looks set to disappear after Japan's Softbank buys 70 percent of Sprint Nextel.
Microsoft will shut down Windows Live Messenger next year, compelling users to migrate to Skype, whose latest version can import users' Messenger contacts.
IBM announced the Storwize V3700 storage array, which starts at $11,000 and is one of the lowest-priced storage products the company offers.
Hewlett-Packard is incorporating three different components, previously available separately, into its HP Unified Functional Testing (UFT) automated testing application so developers can test all aspects of a multi-tiered application from a single interface.
A federal court is expected to rule soon on a motion for a temporary restraining order filed by Ohio Green Party co-chair Bob Fitrakis seeking the removal of software that was installed on central vote tabulation machines in over two dozen Ohio counties.
Vulnerable, superfluous/outdated/deprecated/superseded 3rd party OCXs and DLLs distributed by and installed with Dataram RamDisk 4.0.0
Intel gained PC microprocessor market share over Advanced Micro Devices during the third quarter, but worldwide shipments of x86 chips declined at rates not seen in more than a decade, according to Mercury Research.
Security researcher Tavis Ormandy discovered critical vulnerabilities in the antivirus product developed by U.K.-based security firm Sophos and advised organizations to avoid using the product on critical systems unless the vendor improves its product development, quality assurance and security response practices.
Gartner reports that 1.2 billion smart devices will be purchased in 2013, breaking the 1 billion mark for the first time.
Trojan highlights need to tune automated detection systems to spot malicious software attempting to use Windows hooks, expert says.

Microsoft is building a 7-in. mini Surface tablet focused on gaming, possibly called the Xbox Surface, according to reports.
The move to allow voters in New Jersey to cast votes via email or fax may be running into early problems, according to reports.
AT&T today announced prices for the three Windows Phone 8 smartphones it will sell over the holiday season, including a $99.99 price tag for the Nokia Lumia 920 with a two-year contract,
Fixes for the 24 vulnerabilities warned of last week in the Plone CMS are now available. The issues include privilege escalation and running arbitrary code; the developers recommend installing the hotfix on all versions of the CMS software

A security researcher at North Carolina State University has discovered a security vulnerability in Android that allows attackers to send fake text messages to users

Security expert Tavis Ormandy has revealed security problems in anti-virus software from Sophos. The company has already distributed patches

Oracle's Java and Adobe products such as Flash Player and Reader are updated too infrequently. Microsoft's update agents, by contrast, have improved

[security bulletin] HPSBHF02699 SSRT100592 rev.2 - HP ProLiant SL Advanced Power Manager (SL-APM), Remote User Validation Failure
SQL Injection Vulnerability in OrangeHRM
Multiple Vulnerabilities in LibreOffice
Claws Mail 'strchr()' Function NULL Pointer Denial of Service Vulnerability
Linux Kernel 'tcp_illinois_info()' Local Denial of Service Vulnerability
Oracle MySQL Server CVE-2012-3160 Local Security Vulnerability
Wisecracker 1.0 - A high performance distributed cryptanalysis framework
multiple critical vulnerabilities in sophos products
British chip designer Imagination Technologies plans to acquire the operating business of processor maker MIPS Technologies, as well as some of its patents, in an effort to strengthen its position on smartphones.
Microsoft has confirmed what many had suspected, that it didn't offer a 16GB Surface RT tablet because there would have been virtually no room for customer content on the device.
As more and more companies migrate to the cloud, corporate IT staffers wonder if they'd have better opportunities working for a service provider. IT veterans who've made the jump discuss the pros and cons of working for a cloud service provider.
Google's mobile maps product saw its market share in China decline by close to 50% in the third quarter due to Apple switching to its own maps product for its iOS 6 upgrade, according to a Beijing-based research firm.
Verizon Wireless is closing down its app store by January next year, it said in a notice on its developer community portal.
If there is one word that has defined this year, it's "uncertainty." It has been hanging over almost every economic and job growth analysis related to IT. Blame the elections, the fiscal cliff and Europe.
EMC today unveiled upgrades across its Documentum content management and Captiva document capture product lines.
The new version includes two useful security features, about which Google has kept surprisingly quiet until now. One of these is an anti-virus application which warns users prior to installation of known malware


Posted by InfoSec News on Nov 06


Analysis by Rossella Lorenzi
Discovery News
Nov 5, 2012

British intelligence agents are working on deciphering a coded message
that has remained a secret for nearly 70 years -- attached to the leg of
a hero World War II carrier pigeon.

Found in the chimney of a 17th-century home in Bletchingley, Surrey, the
bird's skeleton was found in 1982 when the home's current...

Posted by InfoSec News on Nov 06


By Tony Capaccio
Nov 5, 2012

China is “the most threatening actor in cyberspace” as its intelligence
agencies and hackers use increasingly sophisticated techniques to gain
access to U.S. military computers and defense contractors, according to
the draft of an annual report mandated by Congress.

Chinese hackers are moving into...

Posted by InfoSec News on Nov 06


By Ellen Messmer and Brandon Butler
Network World
November 05, 2012

Hackers apparently linked to the hactivist group Anonymous today kept up
a hacking spree to dump data they said they stole from Symantec, VMware,
PayPal, Hyundai, and the U.S. Department of Energy and Transportation,
among others.

Symantec says it's still "investigating the recent claims made...
EMC NetWorker 'nsrd' RPC Service Format String Vulnerability