Friday, 31 October 2008

[New Paper] Reflective Dll Injection

Just released a new paper about Reflective DLL Injection.

Abstract:

Reflective DLL injection is a library injection technique in which the concept of reflective programming is employed to perform the loading of a library from memory into a host process. As such, the library is responsible for loading itself by implementing a minimal Portable Executable (PE) file loader.
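To make "minimal PE loader" concrete, here is an added illustration of the part of that job which does not depend on Windows at all. This is example code written for this page, not the paper's PoC and not the Metasploit stage: it takes a file-layout PE32+ image, reserves SizeOfImage bytes, copies the headers and each section to its RVA, and then walks the base relocation directory fixing every DIR64 (and HIGHLOW) entry by the delta between the preferred ImageBase and the address actually obtained. The sample image it loads is constructed in code (a .data section holding one absolute pointer to a string, and a .reloc section describing that pointer); malloc stands in for VirtualAlloc; the function and symbol names (reflective_map, build_sample_image, REL_*) are the example's own. Import resolution and the call to DllMain, which a real loader performs after this, are left out.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Packed views of the PE structures the loader walks; only the fields used are named, the
   rest is padding sized so that every named field sits at its documented offset. */
#pragma pack(push, 1)
typedef struct { uint16_t e_magic; uint8_t pad[58]; uint32_t e_lfanew; } DosHdr;             /* 64 bytes */
typedef struct { uint16_t Machine, NumberOfSections; uint8_t pad[12];
                 uint16_t SizeOfOptionalHeader, Characteristics; } FileHdr;                 /* 20 bytes */
typedef struct { uint32_t VirtualAddress, Size; } DataDir;
typedef struct { uint16_t Magic; uint8_t pad0[14]; uint32_t AddressOfEntryPoint, BaseOfCode;
                 uint64_t ImageBase; uint32_t SectionAlignment, FileAlignment; uint8_t pad1[16];
                 uint32_t SizeOfImage, SizeOfHeaders; uint8_t pad2[44];
                 uint32_t NumberOfRvaAndSizes; DataDir DataDirectory[16]; } OptHdr64;       /* 240 bytes */
typedef struct { uint32_t Signature; FileHdr File; OptHdr64 Opt; } NtHdrs64;
typedef struct { char Name[8]; uint32_t VirtualSize, VirtualAddress, SizeOfRawData,
                 PointerToRawData; uint8_t pad[12]; uint32_t Characteristics; } SectionHdr;  /* 40 bytes */
typedef struct { uint32_t VirtualAddress, SizeOfBlock; } RelocBlock;
#pragma pack(pop)
enum { REL_ABSOLUTE = 0, REL_HIGHLOW = 3, REL_DIR64 = 10 };        /* IMAGE_REL_BASED_* types */

/* Map a file-layout PE32+ image into fresh memory and rebase it: reserve SizeOfImage, copy
   headers and sections to their RVAs, then fix each base relocation by the delta between the
   preferred ImageBase and the address we actually got (malloc stands in for VirtualAlloc). */
uint8_t *reflective_map(const uint8_t *img, size_t len)
{
    if (len < sizeof(DosHdr)) return NULL;
    const DosHdr *dos = (const DosHdr *)img;
    if (dos->e_magic != 0x5A4D || (uint64_t)dos->e_lfanew + sizeof(NtHdrs64) > len) return NULL;
    const NtHdrs64 *nt = (const NtHdrs64 *)(img + dos->e_lfanew);
    if (nt->Signature != 0x00004550 || nt->Opt.Magic != 0x20B) return NULL;
    uint32_t nsec = nt->File.NumberOfSections, size = nt->Opt.SizeOfImage;
    uint64_t sec_off = dos->e_lfanew + 24 + (uint64_t)nt->File.SizeOfOptionalHeader;
    if (sec_off + nsec * sizeof(SectionHdr) > len || nt->Opt.SizeOfHeaders > len ||
        nt->Opt.SizeOfHeaders > size) return NULL;
    const SectionHdr *sec = (const SectionHdr *)(img + sec_off);
    uint8_t *base = calloc(1, size); if (!base) return NULL;
    memcpy(base, img, nt->Opt.SizeOfHeaders);
    for (uint32_t i = 0; i < nsec; i++) {                      /* sections: raw offset -> RVA */
        if ((uint64_t)sec[i].PointerToRawData + sec[i].SizeOfRawData > len ||
            (uint64_t)sec[i].VirtualAddress + sec[i].SizeOfRawData > size) { free(base); return NULL; }
        memcpy(base + sec[i].VirtualAddress, img + sec[i].PointerToRawData, sec[i].SizeOfRawData);
    }
    uint64_t delta = (uint64_t)(uintptr_t)base - nt->Opt.ImageBase;
    uint64_t off = nt->Opt.DataDirectory[5].VirtualAddress,    /* IMAGE_DIRECTORY_ENTRY_BASERELOC */
             end = off + nt->Opt.DataDirectory[5].Size;
    while (delta && end <= size && off + sizeof(RelocBlock) <= end) {
        RelocBlock blk; memcpy(&blk, base + off, sizeof blk);
        if (blk.SizeOfBlock < sizeof blk || off + blk.SizeOfBlock > end) break;
        for (uint32_t i = 0, n = (blk.SizeOfBlock - sizeof blk) / 2; i < n; i++) {
            uint16_t e; memcpy(&e, base + off + sizeof blk + 2 * i, 2);
            uint64_t rva = blk.VirtualAddress + (e & 0xFFF);
            if ((e >> 12) == REL_DIR64 && rva + 8 <= size) {       /* 64-bit absolute address */
                uint64_t v; memcpy(&v, base + rva, 8); v += delta; memcpy(base + rva, &v, 8);
            } else if ((e >> 12) == REL_HIGHLOW && rva + 4 <= size) { /* 32-bit absolute address */
                uint32_t v; memcpy(&v, base + rva, 4); v += (uint32_t)delta; memcpy(base + rva, &v, 4);
            }                                                      /* REL_ABSOLUTE entries are padding */
        }
        off += blk.SizeOfBlock;
    }
    return base;
}

/* Constructed (not real) PE32+ image in file layout: a .data section whose first 8 bytes are an
   absolute pointer to the string "hi" right after them, and a .reloc section with one DIR64 entry. */
#define SAMPLE_LEN 0x600
static const uint64_t SAMPLE_BASE = 0x10000000ULL;             /* preferred ImageBase */
size_t build_sample_image(uint8_t *buf, size_t cap)
{
    if (cap < SAMPLE_LEN) return 0; memset(buf, 0, SAMPLE_LEN);
    DosHdr *dos = (DosHdr *)buf; dos->e_magic = 0x5A4D; dos->e_lfanew = 64;
    NtHdrs64 *nt = (NtHdrs64 *)(buf + 64);
    nt->Signature = 0x00004550; nt->File.Machine = 0x8664; nt->File.NumberOfSections = 2;
    nt->File.SizeOfOptionalHeader = sizeof(OptHdr64); nt->Opt.Magic = 0x20B;
    nt->Opt.ImageBase = SAMPLE_BASE; nt->Opt.SectionAlignment = 0x1000; nt->Opt.FileAlignment = 0x200;
    nt->Opt.SizeOfImage = 0x3000; nt->Opt.SizeOfHeaders = 0x200; nt->Opt.NumberOfRvaAndSizes = 16;
    nt->Opt.DataDirectory[5].VirtualAddress = 0x2000; nt->Opt.DataDirectory[5].Size = 12;
    SectionHdr *sec = (SectionHdr *)(nt + 1);
    memcpy(sec[0].Name, ".data", 5);  sec[0].VirtualAddress = 0x1000; sec[0].VirtualSize = 16;
    sec[0].PointerToRawData = 0x200;  sec[0].SizeOfRawData = 0x200;
    memcpy(sec[1].Name, ".reloc", 6); sec[1].VirtualAddress = 0x2000; sec[1].VirtualSize = 12;
    sec[1].PointerToRawData = 0x400;  sec[1].SizeOfRawData = 0x200;
    uint64_t ptr = SAMPLE_BASE + 0x1008; memcpy(buf + 0x200, &ptr, 8); memcpy(buf + 0x208, "hi", 3);
    RelocBlock blk = { 0x1000, 12 }; memcpy(buf + 0x400, &blk, 8);  /* block for page 0x1000 */
    uint16_t ents[2] = { (REL_DIR64 << 12) | 0x000, (REL_ABSOLUTE << 12) }; memcpy(buf + 0x408, ents, 4);
    return SAMPLE_LEN;
}

/* Map the sample image and confirm the pointer now names the string at its new address. */
int reflective_selftest(void)
{
    uint8_t img[SAMPLE_LEN];
    uint8_t *base = reflective_map(img, build_sample_image(img, sizeof img));
    if (!base) return 1;
    uint64_t p; memcpy(&p, base + 0x1000, 8);
    int ok = p == (uint64_t)(uintptr_t)(base + 0x1008) && strcmp((char *)base + 0x1008, "hi") == 0;
    free(base); return ok ? 0 : 2;
}

int main(void) { int rc = reflective_selftest(); puts(rc ? "rebase failed" : "rebase ok"); return rc; }
```

Every size and offset is checked against the input length and SizeOfImage before it is used, which matters because a reflective loader is, by construction, parsing an attacker-supplied image with no OS loader in between. On top of these steps the paper's loader has to find its own image in memory from the address of its exported loader function, resolve the kernel32 functions it needs by walking the PEB, process the import table and finally call DllMain; those are the Windows-specific parts this portable sketch leaves out.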

You can download the paper here:
http://www.harmonysecurity.com/files/HS-P005_ReflectiveDllInjection.pdf

And the PoC code here:
http://www.harmonysecurity.com/files/ReflectiveDllInjection_v1.0.zip

Support for Reflective DLL Injection has also been added to Metasploit in the form of a payload stage and a modified VNC DLL.
http://www.metasploit.com/

Tuesday, 14 October 2008

Microsoft Host Integration Server 2006 Command Execution Vulnerability

iDefense have published an advisory for a critical remote command execution vulnerability (CVE-2008-3466, fixed by Microsoft security bulletin MS08-059) in Microsoft's Host Integration Server, which was discovered by Stephen Fewer of Harmony Security. The specific versions affected are as follows:

  • Microsoft Host Integration Server 2006 Enterprise Edition (both x86 & x64 based systems)
  • Microsoft Host Integration Server 2006 (both x86 & x64 based systems)
  • Microsoft Host Integration Server 2004 Service Pack 1, when used with:
    • Microsoft Host Integration Server 2004 Enterprise Edition
    • Microsoft Host Integration Server 2004 Standard Edition
  • Microsoft Host Integration Server 2000 SP2, when used with:
    • Microsoft Host Integration Server 2000 Standard Edition

You can read the full iDefense advisory here:
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=745

And the Microsoft advisory here:
http://www.microsoft.com/technet/security/bulletin/ms08-059.mspx

Update: SecurityFocus has a news item mentioning this vulnerability which you can read here:
http://www.securityfocus.com/brief/838

It contains a nice quote from Sheldon Malm of nCircle about the vulnerability and software in question. As quoted from the article:

"Host Integration Server is the de facto gateway linking Windows hosts to business critical mainframes and AS/400 systems, which in turn host databases and Customer Information Control System (CICS) applications that are believed to run in 90 percent of Fortune 500 corporations."

...let's hope they all patch!

Thursday, 21 August 2008

[New Tool] OllySocketTrace

OllySocketTrace is a plugin for OllyDbg to trace the socket operations being performed by a process. It will record all buffers being sent and received. All parameters as well as return values are recorded and the trace is highlighted with a unique color for each socket being traced.

The socket operations currently supported are: WSASocket, WSAAccept, WSAConnect, WSARecv, WSARecvFrom, WSASend, WSASendTo, WSAAsyncSelect, WSAEventSelect, WSACloseEvent, listen, ioctlsocket, connect, bind, accept, socket, closesocket, shutdown, recv, recvfrom, send and sendto.


You can download OllySocketTrace from here:

http://www.harmonysecurity.com/OllySocketTrace.html

Wednesday, 20 August 2008

New Services

We are soon to be offering several new services, including:

Malware Analysis
This service offers detailed malware reports and customised solutions for malware outbreaks.

Vulnerability Discovery
This service offers to discover critical vulnerabilities in your software products.

Exploit Development
This service offers the development of reliable proof of concept exploits for software vulnerabilities.

Please contact us for further information.

Thursday, 5 June 2008

VMware Tools HGFS Local Privilege Escalation Vulnerability

iDefense have published an advisory for a local privilege escalation vulnerability (CVE-2007-5671) in the VMware Tools HGFS driver which was discovered by Stephen Fewer of Harmony Security.

You can read the full iDefense advisory here:
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=712

And the VMware advisory here:
http://www.vmware.com/security/advisories/VMSA-2008-0009.html

Wednesday, 28 May 2008

EMC AlphaStor Multiple Vulnerabilities

iDefense have published advisories for multiple vulnerabilities in EMC AlphaStor which were discovered by Stephen Fewer of Harmony Security. You can read the full iDefense advisories here:

EMC AlphaStor Server Agent Multiple Stack Buffer Overflow Vulnerabilities
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=702

EMC AlphaStor Library Manager Arbitrary Command Execution Vulnerability
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=703

Friday, 11 April 2008

EMC DiskXtender Multiple Vulnerabilities

iDefense have published advisories for multiple vulnerabilities in EMC DiskXtender which were discovered by Stephen Fewer of Harmony Security. You can read the full iDefense advisories here:

EMC DiskXtender Authentication Bypass Vulnerability
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=683

EMC DiskXtender File System Manager Buffer Overflow Vulnerability
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=684

EMC DiskXtender MediaStor Format String Vulnerability
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=685

Thursday, 21 February 2008

EMC RepliStor Multiple Heap Overflow Vulnerabilities

iDefense has published an advisory for multiple remote pre-authentication code execution vulnerabilities in the EMC RepliStor software suite which were discovered by Stephen Fewer of Harmony Security.

You can read the full iDefense advisory here:

http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=664

Thursday, 10 January 2008

Novell NetWare Client nicm.sys Local Privilege Escalation Vulnerability

iDefense has published an advisory for a vulnerability in the Novell NetWare Client which was discovered by Stephen Fewer of Harmony Security. It is a local privilege escalation vulnerability whereby an unprivileged user can execute malicious code in kernel mode by exploiting an insecure IOCTL in the NICM device driver (nicm.sys).

You can read the full iDefense advisory here:

http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=637

Novell has issued a patch, available here:

http://download.novell.com/Download?buildid=4FmI89wOmg4~

Motorola netOctopus Agent MSR Write Privilege Escalation Vulnerability

iDefense has published an advisory for a vulnerability in the Motorola netOctopus Agent which was discovered by Stephen Fewer of Harmony Security. It is a local privilege escalation vulnerability whereby an unprivileged user can reliably execute malicious code in ring 0 by overwriting the SYSENTER_EIP MSR (IA32_SYSENTER_EIP, the address the CPU jumps to on a SYSENTER system call) via an improperly exposed MSR-write interface in the NantSys device driver.

You can read the full iDefense advisory here:

http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=636

You can read Motorola's fix for the issue here:
http://www.netopia.com/support/software/technotes/netoctopus/Removing_the_nantsys_Driver.pdf [PDF]

Novell ZENworks Endpoint Security Management Local Privilege Escalation Vulnerability

iDefense has published an advisory for a vulnerability in the Novell ZENworks Endpoint Security Management (ESM) Security Client which was discovered by Stephen Fewer of Harmony Security. It is a local privilege escalation vulnerability whereby an unprivileged user can trivially run executables with SYSTEM privileges.

You can read the full iDefense advisory here:

http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=635