Patching Windows XP SP2 for the Shortcut LNK Vulnerability MS10-046

So we all know that on 13 July 2010 Microsoft support for Windows 2000 Service Pack 4 and Windows XP Service Pack 2 came to an end.

Then on 16 July they released Microsoft Security Advisory 2286198 regarding a critical vulnerability that could allow remote code execution. This was then superseded by Security Bulletin MS10-046 and an out-of-band patch on 2 August.

The vulnerability (CVE-2010-2568) could allow remote code execution if the icon of a specially crafted shortcut is displayed. Windows Shell does not properly validate the icon reference in a .lnk file, so merely browsing a folder, removable drive or network/WebDAV share that contains the crafted shortcut makes Explorer load an attacker-supplied DLL; no click on the shortcut is needed. An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
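Because the trigger is the icon render rather than a click, it is worth being able to spot crafted shortcuts before Explorer ever draws them. The scanner below is an added example written for this post (not Microsoft's, Metasploit's or Stuxnet's code): it parses the Shell Link header and LinkTargetIDList as laid out in MS-SHLLINK and flags a shortcut whose ItemID list has a Control Panel folder item followed by an item embedding a UTF-16 path ending in ".dll", the shape the exploit relies on. The sample shortcuts at the bottom are constructed for the demonstration and only approximate the real item layout; the match is a heuristic, not a signature.

```python
"""Heuristic scanner for .lnk files carrying the MS10-046 / CVE-2010-2568 pattern.

Added example for this post, not vendor or exploit code.  Parses the Shell Link
header and LinkTargetIDList (MS-SHLLINK) and flags an ItemID list in which a
Control Panel folder item is followed by an item embedding a UTF-16 ".dll" path.
"""
import struct
import sys
import uuid
from pathlib import Path

LNK_HEADER_SIZE = 0x4C
LNK_CLSID = uuid.UUID("00021401-0000-0000-c000-000000000046")
HAS_LINK_TARGET_ID_LIST = 0x00000001
# CLSID of the Control Panel shell folder whose icon handler loads the DLL.
CONTROL_PANEL_CLSID = uuid.UUID("21ec2020-3aea-1069-a2dd-08002b30309d")
DLL_UTF16 = ".dll".encode("utf-16-le")


def parse_lnk(data: bytes):
    """Return (LinkFlags, [ItemID payloads]); raise ValueError if not a shell link."""
    if len(data) < LNK_HEADER_SIZE:
        raise ValueError("file too short for a shell link header")
    header_size, = struct.unpack_from("<I", data, 0)
    if header_size != LNK_HEADER_SIZE or uuid.UUID(bytes_le=data[4:20]) != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    flags, = struct.unpack_from("<I", data, 20)
    items = []
    if flags & HAS_LINK_TARGET_ID_LIST:
        offset = LNK_HEADER_SIZE
        id_list_size, = struct.unpack_from("<H", data, offset)
        offset += 2
        end = min(offset + id_list_size, len(data))
        while offset + 2 <= end:
            item_size, = struct.unpack_from("<H", data, offset)
            if item_size == 0:          # TerminalID closes the list
                break
            if item_size < 2 or offset + item_size > end:
                raise ValueError("malformed ItemID at offset %d" % offset)
            items.append(data[offset + 2:offset + item_size])
            offset += item_size
    return flags, items


def is_suspicious(items) -> bool:
    """Control Panel item followed by an item carrying a UTF-16 '.dll' path."""
    cp_bytes = CONTROL_PANEL_CLSID.bytes_le
    seen_control_panel = False
    for item in items:
        if cp_bytes in item:
            seen_control_panel = True
        # bytes.lower() only touches ASCII bytes, so it is safe on UTF-16LE and
        # the substring search works at any byte alignment inside the item.
        elif seen_control_panel and DLL_UTF16 in item.lower():
            return True
    return False


def scan_lnk(data: bytes) -> bool:
    """True if the shortcut matches the MS10-046 heuristic."""
    return is_suspicious(parse_lnk(data)[1])


def build_lnk(items) -> bytes:
    """Constructed test shortcut: minimal header plus the given ItemIDs (not a real exploit)."""
    header = struct.pack("<I", LNK_HEADER_SIZE) + LNK_CLSID.bytes_le
    header += struct.pack("<I", HAS_LINK_TARGET_ID_LIST)
    header += b"\x00" * (LNK_HEADER_SIZE - len(header))
    id_list = b"".join(struct.pack("<H", len(i) + 2) + i for i in items) + b"\x00\x00"
    return header + struct.pack("<H", len(id_list)) + id_list


# Constructed sample ItemIDs; the leading type bytes are approximations.
MY_COMPUTER = b"\x1f\x50" + uuid.UUID("20d04fe0-3aea-1069-a2d8-08002b30309d").bytes_le
CONTROL_PANEL = b"\x2e\x00" + CONTROL_PANEL_CLSID.bytes_le
CRAFTED_DLL_ITEM = b"\x00\x00" + r"\\192.0.2.10\share\Evil.DLL".encode("utf-16-le") + b"\x00\x00"
BENIGN_DRIVE_ITEM = b"\x2f" + b"C:\\\x00"

CRAFTED_LNK = build_lnk([MY_COMPUTER, CONTROL_PANEL, CRAFTED_DLL_ITEM])
BENIGN_LNK = build_lnk([MY_COMPUTER, BENIGN_DRIVE_ITEM, b"\x32\x00notepad.exe\x00"])

if __name__ == "__main__":
    # Usage: python lnk_scan.py <file-or-directory> ...
    for arg in sys.argv[1:]:
        paths = [Path(arg)] if Path(arg).is_file() else Path(arg).rglob("*.lnk")
        for p in paths:
            try:
                verdict = "SUSPICIOUS" if scan_lnk(p.read_bytes()) else "clean"
            except ValueError as exc:
                verdict = "skipped (%s)" % exc
            print("%s: %s" % (p, verdict))
```

Run it over a USB stick or a share before anyone opens the folder in Explorer; a legitimate Control Panel shortcut (a Control Panel item with a plain applet name and no ".dll" path) is not flagged, and non-LNK files are skipped rather than mis-parsed.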

So Microsoft then released the patch for XP SP3 and above, which is fine and great. However many organisations are still on XP SP2, and this is a pretty serious vuln (trivially exploitable and already being used in the wild), so you really would want to patch it. So obviously the best thing to do is pull your finger out and get up to XP SP3, as these sorts of issues will continue and you need to be on a supported platform. Easier said than done for some companies, but we really should put the effort in.

However… I was speaking to a friend who will remain unnamed, and he informed me that his company had been issued with a patch for XP SP2 to resolve the shortcut LNK vulnerability (MS10-046). So we start talking to our Microsoft reps, and apparently there is no such thing, etc. etc. So I speak to my friend some more and get the filename and hash for the file. Then, speaking to Microsoft some more, still denial, but then they say, oh well, there is something like that, but it's for embedded systems only: Security Update for Windows XP Embedded (KB2286198).

So I think to myself, well, I will check with my friend, and he confirms the hashes are the same, and it's the same file. I look at the properties and it says it's OK for XP SP2, nothing about being embedded. So I grab a spare XP SP2 machine and install it. All verifies OK, and it installs. Reboot. No problem. So this should work, right???

Time to test.

Below is a simple quick and dirty video of an XP SP2 VM (this was the Home edition I had handy, but I have also checked on Professional edition with the same results) where I use the Metasploit MS10-046 exploit to get a shell, I then apply the KB2286198 patch mentioned above, and guess what, no more shell. I am not sure why Microsoft are not sharing this info openly, but I guess at the same time it is there to test and download. Perhaps they don't want to set an out-of-support patching precedent that bites them in the arse.

Apologies the video is a bit blurry, but this was a quick job; I recommend going HD on it for a little more clarity.

So basically this patch seems to fix the vulnerability in Windows XP SP2. So what now?? I recommend people carry out their own testing (verify the file hash, and re-run the exploit against a patched machine as in the video) and then, if appropriate, look to apply this patch as an interim measure. However it is still important to update your systems to XP Service Pack 3 or to Windows 7, as these issues will continue, and you may not be so lucky next time.

I have not seen this information anywhere else, so please spread the word and let's get these machines fixed.

Chris Nickerson – Red and Tiger Team Testing – BruCon 2009

This is the third and final of my 3 videos recorded at BruCon 2009. Sorry it's taken so long, I had some upload issues due to size, so this needs to be in two parts.
This is the excellent presentation from Chris Nickerson on Red and Tiger Team Testing.

Abstract: The world of Information Security is changing. Budgets are tighter, attacks are more sophisticated, and the corporate network is no longer the low hanging fruit. That leaves web-enabled applications as the vector-du-jour, but that well is quickly drying up for organized crime as well. As they creep up the OSI Model looking for easier ways to steal your corporate assets, they are quickly making their way up the stack to the unspoken 8th layer, the end user. So what is the next step in the never-ending escalation of this cyber war?

To find out, we must do as Sun Tzu taught. “Think like our enemy!” That is, after all, the primary tenet of penetration testing AKA ethical hacking, isn’t it? After years of hardening physical systems, networks, OSs, and applications, we have now come full circle to a new dawn of attack. People are now the target of the advanced hacker, and the cross-hairs are focused squarely on their foreheads… literally. It is only a matter of time before corporations fall from the raw effectiveness and lack of preparedness for this all too common attack.

Also, to learn more about Chris and what he's up to, check out his website and Exotic Liability.

Chris Nickerson – Red and Tiger Team Testing Part 1 – BruCon 2009 from Dale Pearson on Vimeo.

Chris Nickerson – Red and Tiger Team Testing Part 2 – BruCon 2009 from Dale Pearson on Vimeo.

Presentation Slides – Click Here

:: Please do not copy this video without written permission of Security Active or Chris Nickerson | Linking to is fine ::

Chris Gates – Open Source Information Gathering – BruCon 2009

This is the second of my 3 videos recorded at BruCon 2009.
This is the excellent presentation from Chris Gates on Open Source Information Gathering.

Abstract: This talk is about using the current open source tools to generate a detailed target footprint for a blackbox penetration test. Suppose for our penetration test we are given nothing but a domain name. Client-side and Social Engineering attacks are in scope, but we’re on our own to come up with all the information needed to execute those attacks (just like a real attacker would be required to do). The days of running Sam Spade or simply querying a whois server for the totality of your information gathering are dead. We need to leverage all the information freely available to us on the net to build both our network attack list as well as our client attack list. This information includes network ranges, hidden company affiliations, hostnames, dns information, public documents with their metadata and email addresses for client side attacks.

Also, to learn more about Chris and what he's up to, check out his website.

Chris Gates – Open Source Information Gathering – BruCon 2009 from Dale Pearson on Vimeo.

Presentation Slides – Click Here

:: Please do not copy this video without written permission of Security Active or Chris Gates | Linking to is fine ::

Jayson E. Street – Dispelling the myths and discussing the facts of Global Cyber-Warfare – BruCon 2009

This is the first of my 3 videos recorded at BruCon 2009.
This is the excellent presentation from Jayson E. Street on Dispelling the myths and discussing the facts of Global Cyber-Warfare.

Abstract: There is a war being raged right now. It is being fought in your living room, in your dorm room, even in your board room. The weapons are your network and computers, and even though it is bytes not bullets whizzing by, that does not make the casualties less real. We will follow the timeline of Informational Warfare and its impact today. We will go deeper, past the media hype and common misconceptions, to the true facts of what's happening on the Internet landscape. You will learn how the war is fought and who is fighting and who is waiting on the sidelines for the dust to settle before they attack.

Jayson has an excellent book coming out called “Dissecting the Hack: The Forbidden Network”.

Also, to learn more about Jayson and where he is talking, check out his website.

Jayson E. Street – Dispelling the myths and discussing the facts of Global Cyber-Warfare – BruCon 2009 from Dale Pearson on Vimeo.

Presentation Slides – Click Here

:: Please do not copy this video without written permission of Security Active or Jayson E. Street | Linking to is fine ::

Kon Boot. Modify the kernel and walk right in the front door.

Thanks to Patrick at Risky.biz a few weeks ago I heard about Kon Boot.

More info on Kon-Boot is below, but in simple terms you boot from the Kon-Boot image (floppy, CD, or USB) and it patches the Linux or Windows kernel in memory as it loads, hooking the password check. You can then simply enter a blank password at the normal login prompt and you're on as root or administrator. Obviously this will not give you the password, and nothing on disk is changed; it is simply a bypass mechanism, but I can certainly see how this will be handy, and it could be a handy alternative to something like Ophcrack.

Obviously this will raise some concerns, since anyone with physical access who can boot their own media gets in. Controls such as a BIOS password with the boot order locked to the internal disk, an ATA hard-disk password, or full-disk encryption will add some hurdles to this type of software being used. That said it's a great tool, and well worth experimenting with.

About Kon-Boot

Kon-Boot is a prototype piece of software which allows you to change the contents of a Linux kernel (and now the Windows kernel also!!!) on the fly (while booting). In the current compilation state it allows you to log into a Linux system as ‘root’ user without typing the correct password, or to elevate privileges from the current user to root. For Windows systems it allows you to enter any password-protected profile without any knowledge of the password. It was actually started as a silly project of mine, which was born from my never-ending memory problems :) Secondly, it was mainly created for Ubuntu; later I made a few add-ons to cover some other Linux distributions. Finally, please consider this is my first Linux project so far :) The entire Kon-Boot was written in pure x86 assembly, using old grandpa-geezer TASM 4.0.

Updated 30-6-2009: Kon-Boot v1.1 now bypasses Windows as well as Linux passwords:

No special usage instructions are required for Windows users, just boot from the Kon-Boot CD/Floppy, select your profile and put in any password you want. You lost your password? Now it doesn't matter at all.

Floppy Image – FD0-konboot-v1.1-2in1.zip
CD ISO Image – CD-konboot-v1.1-2in1.zip

Or read more here.