Thursday, November 02, 2006

Conversation with HD Moore on the 5 month old "0-day"

I was lucky enough to get to speak with HD Moore in order to try and gain a better understanding of the "0-day" that has been packaged with Metasploit since August 2006.

Apparently HDM found a vulnerability in an ActiveX control in IE, then discovered he could apply that same exploit to several MS Products. For those who think HD doesnt follow responsible disclosure guidelines, read on:

The Background posts on FD

Offline Conversation (reprinted with permission):

JP): I laughed my ass off
JP): Guess their massive focus on security doesnt
JP): involve looking at Metasploit every month or two lol

JP): Hey man,
JP): I may have not gotten enough sleep,(but)
JP): MS sez WmiScriptUtils.dll is the faulting module for the
JP): Visual studio bug, but you sent a link to an IE exploit..
JP): Whats up with that?

HDM): That patched a completely unrelated ActiveX.
HDM): The type of vulnerability is almost generic -- thats
HDM): why the exploit is called ie_createobject and isn't
HDM): speciifc to that patched vulnerability.

JP): ahh, I see, you take the generic vuln and applied it
JP): to many dll's that have that function, including the
JP): -WMIScriptUtils.WMIObjectBroker 2.1 in the module.
JP): While MS fixed it inthe IE component, they neglected the
JP): others and now it came and bit them in the @$$

HDM): Yup. They fixed the older one, but did not take
HDM): action when I reported this to them 5 months ago.

And here is HD explaining how this could be cross platform to a layman
Quick summary:

The MS06-014 bug was just one instance of a pretty common vulnerability in
ActiveX Objects. Some objects expose a method that allows new objects to
be created through them. If any of these objects are marked as safe for
scripting, its possible to create abtrirary COM instances through
a 'safe' object (leading to pwnage).

I went to write the MS06-014 exploit and realized I had a bunch of other
ways to exploit the same type of flaw. I added the WMI bug to the list
and then followed it by a set of usually-restricted COMs that have the
same feature. If the system is misconfigured or is using an old version
of Office, almost any of those 'targets' in the exploit can be used to
run arbitrary code :-)
JP): Gotcha! (Finally!)
JP): thanks for the explanation, this is the kind of s#!t that I learn from!

HDM): Glad I can help :-)


(Reprinted with Permission of HD Moore)



Post a Comment

<< Home