Dec 31, 2009

8 years hacking Microsoft stuff, +50 vulnerabilities found

2009 is ending and I thought it would be nice to write down my personal record on Microsoft vulnerabilities. I started finding vulns in MS products in 2002 and these are most of them:

-Microsoft Biztalk Server ISAPI HTTP Receive function buffer overflow
-Microsoft Biztalk Server DTA vulnerable to SQL injection
http://www.microsoft.com/technet/security/bulletin/ms03-016.mspx

-Microsoft Commerce Server 2002 Weak Registry Key Permissions Weakness
http://archives.neohapsis.com/archives/fulldisclosure/2003-q3/0034.html

-Microsoft Active Server Pages Cookie Retrieval Issue
http://www.appsecinc.com/resources/alerts/general/05-0001.shtml

-Microsoft Windows LPC heap overflow
http://www.microsoft.com/technet/security/bulletin/MS04-044.mspx
http://www.appsecinc.com/resources/alerts/general/07-0001.shtml

-Microsoft Windows Utility Manager Local Elevation of Privileges
http://www.microsoft.com/technet/security/bulletin/MS04-019.mspx
http://marc.info/?l=bugtraq&m=108975382413405&w=2
http://www.milw0rm.com/exploits/350

-Microsoft Windows Utility Manager Local Elevation of Privileges II
http://www.microsoft.com/technet/security/bulletin/ms04-011.mspx
http://www.appsecinc.com/resources/alerts/general/04-0001.shtml
http://www.milw0rm.com/exploits/271

-Microsoft Windows Improper Token Validation
http://www.appsecinc.com/resources/alerts/general/06-0001.shtml
http://www.microsoft.com/technet/security/bulletin/MS04-044.mspx
http://www.milw0rm.com/exploits/749

-Microsoft Windows GDI Kernel Local Privilege Escalation Vulnerability
http://www.microsoft.com/technet/security/Bulletin/MS07-017.mspx
http://www.argeniss.com/research/ARGENISS-ADV-110604.txt
http://www.argeniss.com/research/GDIKernelPoC.c

-Microsoft MSDTC COM+ Remote Code Execution Vulnerability
http://www.microsoft.com/technet/security/Bulletin/MS05-051.mspx

-Microsoft Windows 2000 TroubleShooter ActiveX Control Buffer Overflow Vulnerability
http://www.microsoft.com/technet/security/bulletin/ms03-042.mspx
http://marc.info/?l=ntbugtraq&m=106632192709608&w=2

-Microsoft Windows COM Structured Storage Local Privilege Escalation Vulnerability
http://www.microsoft.com/technet/security/bulletin/MS05-012.mspx
http://www.argeniss.com/research/hackwininter.zip
http://www.argeniss.com/research/WLSI.zip

-Microsoft Windows Thread Pool ACL Local Privilege Escalation Vulnerability
-Microsoft Windows RPCSS Service Isolation Local Privilege Escalation Vulnerability
-Microsoft Windows MSDTC Service Isolation Vulnerability
-Microsoft Windows WMI Service Isolation Local Privilege Escalation Vulnerability
http://www.microsoft.com/technet/security/bulletin/MS09-012.mspx
http://www.argeniss.com/research/TokenKidnapping.pdf
http://www.argeniss.com/research/Churrasco.zip
http://www.argeniss.com/research/Churrasco2.zip

-Microsoft Windows Shell Could Allow Remote Code Execution (2 vulns)
http://www.argeniss.com/research/MSBugPaper.pdf
http://www.microsoft.com/technet/security/Bulletin/MS05-049.mspx

-Microsoft SQL Server Heterogeneous Queries Buffer Overflow
http://www.appsecinc.com/resources/alerts/mssql/02-0008.shtml
http://www.microsoft.com/technet/security/Bulletin/MS02-007.mspx

-Microsoft SQL Server xp_dirtree Buffer Overflow
http://www.appsecinc.com/resources/alerts/mssql/02-0007.shtml
http://www.microsoft.com/technet/security/Bulletin/MS02-020.mspx

-Microsoft SQL Server Buffer Overflows in numerous extended stored procedures (17 vulns)
http://www.appsecinc.com/resources/alerts/mssql/02-0000.shtml
http://www.microsoft.com/technet/security/Bulletin/MS02-020.mspx

-Microsoft SQL Server encoded password written by service pack
http://www.appsecinc.com/resources/alerts/mssql/02-0009.shtml
http://www.microsoft.com/technet/security/Bulletin/MS02-035.mspx

-Microsoft SQL Server BULK INSERT buffer overflow
http://www.microsoft.com/technet/security/bulletin/MS02-034.asp
http://www.appsecinc.com/resources/alerts/mssql/02-0010.shtml

-Microsoft SQL Server multiple buffer overflows in DBCC and SQL Injections (6 vulns)
http://www.appsecinc.com/resources/alerts/mssql/02-0011.shtml
http://www.microsoft.com/technet/security/Bulletin/MS02-038.mspx

-Microsoft SQL Server multiple vulnerabilities (5 vulns)
http://www.blackhat.com/presentations/win-usa-03/bh-win-03-cerrudo/bh-win-03-cerrudo.pdf

--------0--------

If you count them, there are 50 vulnerabilities in total, 14 of them specific to Microsoft Windows. Actually the real count should be more than 50: a few vulnerabilities not mentioned here were patched in service packs or new versions, not acknowledged by MS as vulnerabilities, etc.
Of course I'm not counting the 0days I have; with them the count is >50, with 20 specific to MS Windows.

Microsoft should give me a prize someday ;)

Oct 27, 2009

Token Kidnapping's Revenge

Finally I got some free time to take a look at Windows for security issues. I was initially amazed with Windows 7 and Windows 2008 R2; they looked really solid, but after some time I started to find some issues.
These issues are not really dangerous (depending on the scenario), but they allow continuing to exploit Windows using a new attack vector to perform Token Kidnapping (http://www.argeniss.com/research/TokenKidnapping.pdf).
Don't get me wrong, MS properly fixed the issues (http://www.microsoft.com/technet/security/bulletin/MS09-012.mspx) detailed in the Token Kidnapping presentation, but they didn't find/fix all the attack vectors.
With this new attack vector it's still possible to elevate privileges to the Local System account from almost any process that has impersonation rights, bypassing new Windows service protections such as per-service SID, write-restricted token, etc.
Probably I will be presenting the findings at the Hackers to Hackers Conference in Brazil (http://www.h2hc.com.br/) in a couple of weeks.

Apr 7, 2009

Opening Intranets to attacks by using Internet Explorer

I just released a whitepaper titled "Opening Intranets to attacks by using Internet Explorer". I hope you find it interesting; you can find it here: http://www.argeniss.com/research/HackingIntranets.pdf

Enjoy.

Mar 16, 2009

Antivirus, antivirus, antivirus...

My last post was about a bug in an antivirus product, no big deal, all software has bugs.
I was kindly pointed to this article http://isc.sans.org/diary.html?storyid=6010 by Ryan Naraine. It's about an incident where one of my token kidnapping exploits was used. It's a weird feeling to know that some tool of yours was used in an attack, but in the end it's not about the tools, it's about the user, the intention, etc. Anyways, what really surprised me was that no antivirus is detecting the exploits!!! We all know that antivirus suck, but not being able to detect a very old exploit with signature analysis, that really sucks.