The Metasploit Project is developed by a group of skilled security researchers to provide penetration testing resources to people all over the world. The popular open source Metasploit Framework has improved greatly since its early days and now rivals even commercial software.
Metasploit Framework, Express and Pro are tools designed to run penetration tests against different platforms, using a variety of exploitation techniques and a large database of exploit code, with the goal of identifying exploitable flaws on clients and servers so that system administrators can patch them before attackers do.
A local privilege escalation vulnerability exists in Metasploit Framework 3.5.1 on Windows because the installer copies all files by default into a folder named framework in the root of the system drive and does not set ACLs that prevent restricted users from writing files there. The default ACL inherited by directories created in the root of the drive allows restricted (non-administrative) users to create folders and files in all subfolders.
By placing a DLL in %systemdrive%\framework\postgresql\bin, an attacker can have it loaded by postgres.exe, which the frameworkPostgreSQL service executable (pg_ctl.exe) launches every time the service starts. The service runs as NT AUTHORITY\SYSTEM, so the planted DLL's code executes with SYSTEM privileges on the local machine. Windows searches the application's own directory before the system directories for any DLL that is not registered as a KnownDLL, which is why a copy dropped there is picked up instead of the genuine library. Note that the service startup type is set to Automatic by default, so the payload runs at every boot without further user action.
Possible DLL names:
- dnsapi.dll (warning: causes the service to be terminated silently)
- rasadhlp.dll
- hnetcfg.dll
Others exist but have not been tested.
Tested on Windows XP SP3 and Windows 7
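As an added example (not the advisory's own code, and not part of Metasploit), the following PowerShell script performs the checks a defender would want after reading the description above: it resolves the service's binary directory from the frameworkPostgreSQL service entry, lists every ACE that lets a low-privilege principal create files there, looks for the three DLL names above as an indicator that the directory has already been used for hijacking, and prints (or, with -Apply when run elevated, executes) the icacls commands that restrict the directory to Administrators and SYSTEM. The install path, the service name and the DLL names are taken from the advisory; the group SIDs, the use of icacls (Windows Vista or later) and the function names are assumptions made for this example.

```powershell
# Added example, not from the original advisory: audit and harden the directory
# that the frameworkPostgreSQL service loads DLLs from.
# Assumes the default install path and service name given in the advisory,
# Windows PowerShell 2.0 or later (Get-WmiObject) and icacls (Vista or later).

$BinDir = Join-Path $env:SystemDrive 'framework\postgresql\bin'

# DLL names from the advisory. None of them ships in postgresql\bin, so a copy
# found there is an indicator that the directory has been used for hijacking.
$HijackableDlls = @('dnsapi.dll', 'rasadhlp.dll', 'hnetcfg.dll')

# Low-privilege principals that must never hold create/write rights on a
# directory a SYSTEM service loads code from (well-known SIDs, assumed list).
$LowPrivSids = @(
    'S-1-1-0',       # Everyone
    'S-1-5-11',      # Authenticated Users
    'S-1-5-32-545',  # BUILTIN\Users
    'S-1-5-4'        # INTERACTIVE
)

# Rights that allow planting a file in a directory: CreateFiles (== WriteData)
# and CreateDirectories (== AppendData).
$WriteMask = [int]([System.Security.AccessControl.FileSystemRights]::CreateFiles -bor
                   [System.Security.AccessControl.FileSystemRights]::CreateDirectories)

function Get-ServiceBinaryInfo {
    param([Parameter(Mandatory = $true)][string]$Name)
    $svc = Get-WmiObject -Class Win32_Service -Filter "Name='$Name'"
    if (-not $svc) { return $null }
    # PathName may be quoted and carry arguments; keep only the executable path.
    $exe = if ($svc.PathName -match '^"([^"]+)"') { $Matches[1] } else { ($svc.PathName -split '\s+')[0] }
    New-Object PSObject -Property @{
        Name      = $svc.Name
        StartName = $svc.StartName   # LocalSystem in the vulnerable install
        StartMode = $svc.StartMode   # Auto in the vulnerable install
        Directory = Split-Path -Parent $exe
    }
}

function Get-WeakDirectoryAces {
    param([Parameter(Mandatory = $true)][string]$Path)
    $acl = Get-Acl -Path $Path
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        try { $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value }
        catch { continue }   # unresolvable account: cannot be one of the well-known SIDs above
        if ($LowPrivSids -notcontains $sid) { continue }
        if (([int]$ace.FileSystemRights -band $WriteMask) -ne 0) {
            New-Object PSObject -Property @{
                Identity  = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited   # $true: came from the root-drive default ACL
            }
        }
    }
}

function Find-PlantedDlls {
    param([Parameter(Mandatory = $true)][string]$Path)
    foreach ($dll in $HijackableDlls) {
        $candidate = Join-Path $Path $dll
        if (Test-Path -Path $candidate) { Get-Item -Path $candidate }
    }
}

function Protect-ServiceDirectory {
    # Grant explicit rights first (Administrators and SYSTEM full, Users read/execute,
    # by SID so it works on any locale), then cut inheritance from the drive root so
    # the permissive default ACEs no longer apply.
    param([Parameter(Mandatory = $true)][string]$Path, [switch]$Apply)
    $cmds = @(
        "icacls `"$Path`" /grant:r *S-1-5-32-544:(OI)(CI)F *S-1-5-18:(OI)(CI)F *S-1-5-32-545:(OI)(CI)RX",
        "icacls `"$Path`" /inheritance:r"
    )
    foreach ($c in $cmds) { if ($Apply) { cmd.exe /c $c } else { "would run: $c" } }
}

# Audit as a normal user; add -Apply to Protect-ServiceDirectory when elevated to fix.
$svc = Get-ServiceBinaryInfo -Name 'frameworkPostgreSQL'
$target = if ($svc -and $svc.Directory) { $svc.Directory } else { $BinDir }
if (-not (Test-Path -Path $target)) { "$target not found; nothing to check"; return }
if ($svc) { "Service $($svc.Name) runs as $($svc.StartName) (start mode $($svc.StartMode)) from $target" }

$weak = @(Get-WeakDirectoryAces -Path $target)
if ($weak.Count -gt 0) {
    Write-Warning "$target is writable by low-privilege users:"
    $weak | Format-Table Identity, Rights, Inherited -AutoSize
    Protect-ServiceDirectory -Path $target
} else {
    "$target has no low-privilege write ACEs"
}

$planted = @(Find-PlantedDlls -Path $target)
if ($planted.Count -gt 0) {
    Write-Warning "Hijackable DLL names present in $target (not shipped with PostgreSQL):"
    $planted | Format-Table Name, Length, LastWriteTime -AutoSize
}
```

The grant runs before inheritance is removed so the directory never ends up with an empty ACL in between. If the service runs under an account other than LocalSystem (the StartName printed above), that account also needs read and execute on the directory or the service will not start. A positive hit from Find-PlantedDlls is an incident, not just a misconfiguration: the file's owner and LastWriteTime tell you who dropped it and when.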
References
http://blog.metasploit.com/2011/02/metasploit-framework-352-released.html
http://www.secumania.net/
http://secunia.com/advisories/43166/
http://www.securityf.../bid/46300/info