One Article Review

Source: Code White
Identifier: 351863
Publication date: 2015-08-24 10:29:17 (viewed: 2015-08-24 10:29:17)
Title: How I could (i)pass your client security
Text:

Half a year ago I stumbled over a software package called iPass Open Mobile during a Windows client security review. iPass Open Mobile helps you get network connectivity over Wi-Fi hotspots, modem, DSL, etc. It is widely deployed on Windows clients in large corporations.

Summary

From US-CERT VU#110652: The iPass Open Mobile Windows Client versions 2.4.4 and earlier allow Remote Code Execution as SYSTEM. It utilizes named pipes for interprocess communication. One of the subprocesses spawned by the client runs with SYSTEM privileges. An authenticated user can register arbitrary DLL files, including ones located at UNC paths, by sending a specially crafted Unicode string to this subprocess over one of the named pipes. The DllMain function in the specified DLL file will then execute with SYSTEM privileges.

Vulnerability Details

This software attracted my attention because of several processes running in the background, one of them as NT AUTHORITY\SYSTEM. The CLR binary iPlatformService.exe runs as a service and starts two iPlatformHost.exe processes, one as SYSTEM and the other as the logged-on user. The Main method of the class iPass.iPlatformHost.Program eventually creates an iPass.Bus.Bus instance. In the constructor of iPass.Bus.Bus, two iPass.Bus.BusEngine objects are instantiated. The iPass.Bus.BusEngine creates a NamedPipeServerStream that accepts commands from CommandPipeAccessPrivillage.Everyone. So what does CommandPipeAccessPrivillage.Everyone mean? Does it grant access to everyone? The method iPass.Bus.EPHelperCommandPipeServer.ServerThreadFunction() answers the question: access is granted to the current user and to BUILTIN\Users, which on a domain-joined machine includes the Domain Users group of the Windows domain. Since one of the two iPlatformHost.exe processes runs as SYSTEM, every local or domain user can send commands to a pipe served by SYSTEM. Commands are processed by plugins registered with the iPass.Bus.Bus. For CVE-2015-0925 I focused on the plugin "iPass Software Update Assistant Plugin". It can be found in the default installation under C:\Program Files (x86)\iPass\Open Mobile\omsi\Plug-ins\iPass.SoftwareUpdateAssistant and has the plugin ID iPass.SWUpdateAssist. Looking at the config file plugin.xml, the command "RegisterCOM" caught my eye, as it was defined to run in System context.
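An added example in PowerShell, not code from the Code White post or from iPass (function names such as New-WeakPipeSecurity and the group choices are mine): it rebuilds the kind of pipe DACL the post describes for the SYSTEM-served pipe (the current user plus BUILTIN\Users) next to a restrictive one, and runs a check that flags any pipe DACL granting write access to broad groups. It runs offline on Windows (Windows PowerShell 5.1 or PowerShell 7) and creates no pipe.

```powershell
# Added example, not code from the Code White post or from iPass.
# Builds the kind of pipe DACL the post describes (current user + BUILTIN\Users),
# a restrictive alternative, and a check that flags ACEs granting write access to
# broad groups. No named pipe is created; only PipeSecurity objects are inspected.
Add-Type -AssemblyName System.Core   # System.IO.Pipes lives here on .NET Framework

# Groups that make a SYSTEM-served pipe reachable by every local or domain user.
$BroadSidTypes = @(
    [System.Security.Principal.WellKnownSidType]::WorldSid,             # Everyone
    [System.Security.Principal.WellKnownSidType]::BuiltinUsersSid,      # BUILTIN\Users (holds Domain Users on domain-joined hosts)
    [System.Security.Principal.WellKnownSidType]::AuthenticatedUserSid, # Authenticated Users
    [System.Security.Principal.WellKnownSidType]::InteractiveSid        # INTERACTIVE
)

function New-Sid([System.Security.Principal.WellKnownSidType]$Type) {
    [System.Security.Principal.SecurityIdentifier]::new($Type, $null)
}

function New-WeakPipeSecurity {
    # Approximation of "access for the current user and BUILTIN\Users" from the post.
    $sec = [System.IO.Pipes.PipeSecurity]::new()
    $me  = [System.Security.Principal.WindowsIdentity]::GetCurrent().User
    $sec.AddAccessRule([System.IO.Pipes.PipeAccessRule]::new($me, 'FullControl', 'Allow'))
    $sec.AddAccessRule([System.IO.Pipes.PipeAccessRule]::new((New-Sid BuiltinUsersSid), 'ReadWrite', 'Allow'))
    return $sec
}

function New-HardenedPipeSecurity {
    # Only SYSTEM (the server's own identity) and local Administrators may open the pipe.
    $sec = [System.IO.Pipes.PipeSecurity]::new()
    $sec.AddAccessRule([System.IO.Pipes.PipeAccessRule]::new((New-Sid LocalSystemSid), 'FullControl', 'Allow'))
    $sec.AddAccessRule([System.IO.Pipes.PipeAccessRule]::new((New-Sid BuiltinAdministratorsSid), 'FullControl', 'Allow'))
    return $sec
}

function Get-BroadWriteGrants {
    param([Parameter(Mandatory)][System.IO.Pipes.PipeSecurity]$Security)
    # Returns every Allow ACE that lets one of $BroadSidTypes write to the pipe,
    # i.e. send commands to whatever process serves it.
    $writeData = [int][System.IO.Pipes.PipeAccessRights]::WriteData
    $rules = $Security.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    foreach ($rule in $rules) {
        if ($rule.AccessControlType -ne [System.Security.AccessControl.AccessControlType]::Allow) { continue }
        if (([int]$rule.PipeAccessRights -band $writeData) -eq 0) { continue }
        foreach ($type in $BroadSidTypes) {
            # IdentityReference is a SecurityIdentifier here, so IsWellKnown is available.
            if ($rule.IdentityReference.IsWellKnown($type)) { $rule; break }
        }
    }
}

# Demonstration: the weak DACL is flagged (BUILTIN\Users), the hardened one is clean.
$cases = [ordered]@{ Weak = (New-WeakPipeSecurity); Hardened = (New-HardenedPipeSecurity) }
foreach ($case in $cases.GetEnumerator()) {
    $hits = @(Get-BroadWriteGrants -Security $case.Value)
    "{0}: {1} broad write grant(s)" -f $case.Key, $hits.Count
    foreach ($h in $hits) {
        "  {0} -> {1}" -f $h.IdentityReference.Translate([System.Security.Principal.NTAccount]).Value, $h.PipeAccessRights
    }
}
```

On a live host the same check applies to real pipes: list their names with `[System.IO.Directory]::GetFiles('\\.\pipe\')` and review each DACL with Sysinternals `accesschk -w \pipe\*`, paying attention to any writable pipe whose server runs as SYSTEM. A tight DACL is the first line of defence only; a command such as RegisterCOM that loads a caller-supplied DLL path on behalf of SYSTEM still needs to validate that path (for example, reject UNC paths) even when the pipe is restricted to administrators.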
Sent: Yes


The article does not seem to have been picked up after its publication.


The article does not seem to be a repeat of an earlier one.