Friday, 31 October 2008

[New Paper] Reflective Dll Injection

Just released a new paper about Reflective Dll Injection.

Abstract:

Reflective DLL injection is a library injection technique in which the concept of reflective programming is employed to perform the loading of a library from memory into a host process. As such the library is responsible for loading itself by implementing a minimal Portable Executable (PE) file loader.
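The abstract describes a library that loads itself from memory by implementing a minimal PE loader. The first thing such a loader has to do, and equally the first thing a defender scanning process memory for images the OS never loaded has to do, is parse PE headers out of a raw byte buffer. The Python below is an added example written for this page; it is not code from the paper or from the PoC archive. It parses the DOS/NT headers of an image sitting at an arbitrary offset in a buffer and scans a buffer for such images, which is the building block of a memory scanner that flags PE images in regions not backed by a file on disk. The sample DLL image and the surrounding "memory region" are constructed inline so the script runs offline; `parse_pe_header`, `find_pe_images`, `build_sample_pe32_dll` and `REGION` are names chosen here, not anything from the paper.

```python
import struct

# PE format constants (from the PE/COFF specification).
DOS_MAGIC = b"MZ"
PE_SIGNATURE = b"PE\0\0"
PE32_MAGIC = 0x10B
PE32PLUS_MAGIC = 0x20B
IMAGE_FILE_DLL = 0x2000
SECTION_HDR = "<8sIIIIIIHHI"  # IMAGE_SECTION_HEADER, 40 bytes


def parse_pe_header(buf, offset=0):
    """Parse the DOS/NT headers starting at buf[offset].

    Returns a dict describing the image, or None if the bytes there do not
    form a plausible PE header. Every read is bounds-checked so the parser
    can be pointed at arbitrary memory contents without raising.
    """
    n = len(buf)
    if buf[offset:offset + 2] != DOS_MAGIC or offset + 0x40 > n:
        return None
    e_lfanew = struct.unpack_from("<I", buf, offset + 0x3C)[0]
    nt = offset + e_lfanew
    if e_lfanew < 0x40 or nt + 24 > n or buf[nt:nt + 4] != PE_SIGNATURE:
        return None
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    _machine, nsections, _ts, _symptr, _nsyms, opt_size, chars = struct.unpack_from(
        "<HHIIIHH", buf, nt + 4)
    opt = nt + 24
    if opt_size < 60 or opt + opt_size > n:  # need at least up to SizeOfImage
        return None
    magic = struct.unpack_from("<H", buf, opt)[0]
    if magic == PE32_MAGIC:
        fmt = "PE32"
        image_base = struct.unpack_from("<I", buf, opt + 28)[0]
    elif magic == PE32PLUS_MAGIC:
        fmt = "PE32+"
        image_base = struct.unpack_from("<Q", buf, opt + 24)[0]
    else:
        return None
    entry_rva = struct.unpack_from("<I", buf, opt + 16)[0]
    size_of_image = struct.unpack_from("<I", buf, opt + 56)[0]
    sections = []
    for i in range(nsections):
        o = opt + opt_size + i * 40
        if o + 40 > n:
            return None
        name, vsize, va, _, _, _, _, _, _, flags = struct.unpack_from(SECTION_HDR, buf, o)
        sections.append((name.rstrip(b"\0").decode("ascii", "replace"), va, vsize, flags))
    return {
        "offset": offset, "format": fmt, "is_dll": bool(chars & IMAGE_FILE_DLL),
        "entry_rva": entry_rva, "image_base": image_base,
        "size_of_image": size_of_image, "sections": sections,
    }


def find_pe_images(region):
    """Scan an arbitrary byte region for embedded PE images; stray 'MZ' strings are rejected."""
    hits = []
    pos = region.find(DOS_MAGIC)
    while pos != -1:
        info = parse_pe_header(region, pos)
        if info is not None:
            hits.append(info)
        pos = region.find(DOS_MAGIC, pos + 1)
    return hits


def build_sample_pe32_dll():
    """Constructed for this example: a header-only PE32 DLL image with no code."""
    dos = bytearray(64)
    dos[0:2] = DOS_MAGIC
    struct.pack_into("<I", dos, 0x3C, 64)  # e_lfanew: NT headers follow the DOS header
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 224, 0x2102)  # i386, 2 sections, DLL
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, PE32_MAGIC)
    struct.pack_into("<I", opt, 16, 0x1000)       # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, 0x10000000)   # ImageBase
    struct.pack_into("<I", opt, 32, 0x1000)       # SectionAlignment
    struct.pack_into("<I", opt, 56, 0x3000)       # SizeOfImage
    sections = b"".join(
        struct.pack(SECTION_HDR, name, vsize, va, 0, 0, 0, 0, 0, 0, flags)
        for name, vsize, va, flags in (
            (b".text", 0x800, 0x1000, 0x60000020),   # code, execute+read
            (b".data", 0x200, 0x2000, 0xC0000040),   # initialized data, read+write
        )
    )
    return bytes(dos) + PE_SIGNATURE + file_hdr + bytes(opt) + sections


# Constructed "memory region": padding, a false-positive "MZ" string, then the image.
REGION = (b"\x00" * 0x100 + b"MZ-not-a-pe-" + b"\x00" * 0x100
          + build_sample_pe32_dll() + b"\xcc" * 64)

if __name__ == "__main__":
    for hit in find_pe_images(REGION):
        print(f"{hit['format']} {'DLL' if hit['is_dll'] else 'EXE'} at +0x{hit['offset']:x}: "
              f"base=0x{hit['image_base']:x} size=0x{hit['size_of_image']:x} "
              f"sections={[s[0] for s in hit['sections']]}")
```

In a real scanner the buffer would be the contents of each committed region of a live process, and a hit in a region that no file on disk backs is the signal worth alerting on. A loader that overwrites its headers after mapping defeats this particular check, so it belongs alongside other indicators such as executable private memory rather than on its own.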

You can download the paper here:
http://www.harmonysecurity.com/files/HS-P005_ReflectiveDllInjection.pdf

And the PoC code here:
http://www.harmonysecurity.com/files/ReflectiveDllInjection_v1.0.zip

Support for Reflective DLL Injection has also been added to Metasploit in the form of a payload stage and a modified VNC DLL.
http://www.metasploit.com/

Tuesday, 14 October 2008

Microsoft Host Integration Server 2006 Command Execution Vulnerability

iDefense have published an advisory for a critical remote command execution vulnerability (CVE-2008-3466 and MS08-059) in Microsoft's Host Integration Server which was discovered by Stephen Fewer of Harmony Security. The specific versions affected are as follows:

  • Microsoft Host Integration Server 2006 Enterprise Edition (both x86 & x64 based systems)
  • Microsoft Host Integration Server 2006 (both x86 & x64 based systems)
  • Microsoft Host Integration Server 2004 Service Pack 1, when used with:
    • Microsoft Host Integration Server 2004 Enterprise Edition
    • Microsoft Host Integration Server 2004 Standard Edition
  • Microsoft Host Integration Server 2000 SP2, when used with:
    • Microsoft Host Integration Server 2000 Standard Edition

You can read the full iDefense advisory here:
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=745

And the Microsoft advisory here:
http://www.microsoft.com/technet/security/bulletin/ms08-059.mspx

Update: SecurityFocus has a news item mentioning this vulnerability which you can read here:
http://www.securityfocus.com/brief/838

It contains a nice quote from Sheldon Malm of nCircle about the vulnerability and software in question. As quoted from the article:

"Host Integration Server is the de facto gateway linking Windows hosts to business critical mainframes and AS/400 systems, which in turn host databases and Customer Information Control System (CICS) applications that are believed to run in 90 percent of Fortune 500 corporations."

...let's hope they all patch!