Dec 31, 2009

8 years hacking Microsoft stuff, +50 vulnerabilities found

2009 is ending and I thought it would be nice to write down my personal record on Microsoft vulnerabilities. I started finding vulns in MS products in 2002 and these are most of them:

-Microsoft Biztalk Server ISAPI HTTP Receive function buffer overflow
-Microsoft Biztalk Server DTA vulnerable to SQL injection
http://www.microsoft.com/technet/security/bulletin/ms03-016.mspx

-Microsoft Commerce Server 2002 Weak Registry Key Permissions Weakness
http://archives.neohapsis.com/archives/fulldisclosure/2003-q3/0034.html

-Microsoft Active Server Pages Cookie Retrieval Issue
http://www.appsecinc.com/resources/alerts/general/05-0001.shtml

-Microsoft Windows LPC heap overflow
http://www.microsoft.com/technet/security/bulletin/MS04-044.mspx
http://www.appsecinc.com/resources/alerts/general/07-0001.shtml

-Microsoft Windows Utility Manager Local Elevation of Privileges
http://www.microsoft.com/technet/security/bulletin/MS04-019.mspx
http://marc.info/?l=bugtraq&m=108975382413405&w=2
http://www.milw0rm.com/exploits/350

-Microsoft Windows Utility Manager Local Elevation of Privileges II
http://www.microsoft.com/technet/security/bulletin/ms04-011.mspx
http://www.appsecinc.com/resources/alerts/general/04-0001.shtml
http://www.milw0rm.com/exploits/271

-Microsoft Windows Improper Token Validation
http://www.appsecinc.com/resources/alerts/general/06-0001.shtml
http://www.microsoft.com/technet/security/bulletin/MS04-044.mspx
http://www.milw0rm.com/exploits/749

-Microsoft Windows GDI Kernel Local Privilege Escalation Vulnerability
http://www.microsoft.com/technet/security/Bulletin/MS07-017.mspx
http://www.argeniss.com/research/ARGENISS-ADV-110604.txt
http://www.argeniss.com/research/GDIKernelPoC.c

-Microsoft MSDTC COM+ Remote Code Execution Vulnerability
http://www.microsoft.com/technet/security/Bulletin/MS05-051.mspx

-Microsoft Windows 2000 TroubleShooter ActiveX Control Buffer Overflow Vulnerability
http://www.microsoft.com/technet/security/bulletin/ms03-042.mspx
http://marc.info/?l=ntbugtraq&m=106632192709608&w=2

-Microsoft Windows COM Structured Storage Local Privilege Escalation Vulnerability
http://www.microsoft.com/technet/security/bulletin/MS05-012.mspx
http://www.argeniss.com/research/hackwininter.zip
http://www.argeniss.com/research/WLSI.zip

-Microsoft Windows Thread Pool ACL Local Privilege Escalation Vulnerability
-Microsoft Windows RPCSS Service Isolation Local Privilege Escalation Vulnerability
-Microsoft Windows MSDTC Service Isolation Vulnerability
-Microsoft Windows WMI Service Isolation Local Privilege Escalation Vulnerability
http://www.microsoft.com/technet/security/bulletin/MS09-012.mspx
http://www.argeniss.com/research/TokenKidnapping.pdf
http://www.argeniss.com/research/Churrasco.zip
http://www.argeniss.com/research/Churrasco2.zip

-Microsoft Windows Shell Could Allow Remote Code Execution (2 vulns)
http://www.argeniss.com/research/MSBugPaper.pdf
http://www.microsoft.com/technet/security/Bulletin/MS05-049.mspx

-Microsoft SQL Server Heterogeneous Queries Buffer Overflow
http://www.appsecinc.com/resources/alerts/mssql/02-0008.shtml
http://www.microsoft.com/technet/security/Bulletin/MS02-007.mspx

-Microsoft SQL Server xp_dirtree Buffer Overflow
http://www.appsecinc.com/resources/alerts/mssql/02-0007.shtml
http://www.microsoft.com/technet/security/Bulletin/MS02-020.mspx

-Microsoft SQL Server Buffer Overflows in numerous extended stored procedures (17 vulns)
http://www.appsecinc.com/resources/alerts/mssql/02-0000.shtml
http://www.microsoft.com/technet/security/Bulletin/MS02-020.mspx

-Microsoft SQL Server encoded password written by service pack
http://www.appsecinc.com/resources/alerts/mssql/02-0009.shtml
http://www.microsoft.com/technet/security/Bulletin/MS02-035.mspx

-Microsoft SQL Server BULK INSERT buffer overflow
http://www.microsoft.com/technet/security/bulletin/MS02-034.asp
http://www.appsecinc.com/resources/alerts/mssql/02-0010.shtml

-Microsoft SQL Server multiple buffer overflows in DBCC and SQL Injections (6 vulns)
http://www.appsecinc.com/resources/alerts/mssql/02-0011.shtml
http://www.microsoft.com/technet/security/Bulletin/MS02-038.mspx

-Microsoft SQL Server multiple vulnerabilities (5 vulns)
http://www.blackhat.com/presentations/win-usa-03/bh-win-03-cerrudo/bh-win-03-cerrudo.pdf

--------0--------

If you count them, there are 50 vulnerabilities in total, 14 of them specific to Microsoft Windows. Actually the real count should be 50+: a few vulnerabilities not mentioned here were patched in service packs or new versions, weren't acknowledged by MS as vulnerabilities, etc.
Of course I'm not counting the 0days I have; with them the total goes above 50, with 20 specific to MS Windows.

Microsoft should give me a prize someday ;)

5 comments:

Nico Waisman said...

Great number! A real professional track record.

Congratulations

Leonardo Pigñer said...

Awesome man! Congratulations and keep hacking ;-)

Hernán M. Racciatti said...

Hey! Congrats!, now... no more free bugs :P

Cesar Cerrudo said...

Thank you guys

BloggerPete said...

Nice work!
I just have to wonder why you would waste your brain power on such a lame OS.
There are so many other OSes that you could be working on and doing functional work versus finding broken pieces of a broken OS.
Sorry if I offend any but Microsoft is such a waste of time.

What OS were you using when PC-DOS was released in the wild?
I was using the version, "CPM-86" that Mr. Bill, "I copy the best and steal the rest" plagiarized and sold to IBM as PC-DOS!
It was disgusting!
Still is!