lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <7E45577E4E72EC42BB3F8560D57E7551010EF5E595@manexchprd02>
Date: Fri, 21 Mar 2014 13:20:24 +0000
From: NCC Group Research <research@...group.com>
To: "bugtraq@...urityfocus.com" <bugtraq@...urityfocus.com>
Subject: NCC00643 Technical Advisory: Nessus Authenticated Scan Local
 Privilege Escalation

~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.
 Vulnerability Summary
~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.

 Title             Nessus Authenticated Scan - Local Privilege Escalation
 Release Date      20 March 2014
 Reference         NGS00643
 Discoverer        Neil Jones 
 Vendor            Tenable
 Vendor Reference  RWZ-21387-181
 Systems Affected  Nessus appliance engine version 5.2.1 the plugin set 
 201402092115
Risk              High
 Status            Fixed

~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.
 Resolution Timeline
~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.

 Discovered        29 January 2014
 Released          29 January 2014
 Reported          18 February 2014
 Fixed             6 March 2014
 Published         20 March 2014

~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.
 Vulnerability Description 
~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.

 An authenticated Nessus scan of a target machine may result in local 
 privilege escalation on that target machine if scanned with the Malicious 
 Process Detection plugin (Plugin ID 59275). The Malicious Process Detection 
 plugin created a service which ran as SYSTEM however this binary could be 
 modified by a low level user allowing for privilege escalation.

 The main attack vector for this vulnerability would be within large 
 organisations which routinely run authenticated scans for security 
 auditing purposes, once a user gains SYSTEM access on one machine they 
 would be likely to be able to escalate their privileges to that of Domain 
 Administrator by other means. 

~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.
 Technical Details
~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.

 The vulnerability was caused by the Malicious Process Detection plugin 
 (Plugin ID 59275), this plugin created a service which gathered privileged 
 information from the target system. The plugin created a binary in the 
 System Temp folder which had a static name for example this would be
 "C:\Windows\Temp\tenable_mw_scan_142a90001fb65e0beb1751cc8c63edd0.exe"

 A service was then created to run this binary, the service created was set 
 to automatically start upon boot. As a low level user the binary should be 
 created before the scan, once the scan is in progress the binary is 
 overwritten by the Nessus plugin, once the Nessus plugin overwrites the 
 binary the low level user can once again overwrite the binary the machine 
 can be rebooted by the low level user so the binary is automatically ran 
 upon system boot.

 As the Nessus scan is still in progress upon the machine rebooting, the 
 binary and the service are deleted automatically during the clean-up 
 process of the plugin.

~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.
 Fix Information
~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.

 The plugin has been updated and the vulnerability can be patched by 
 updating the plugins on your scanner
  
~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.
 NCC Group
~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.

 Research     https://www.nccgroup.com/research
 Twitter      https://www.twitter.com/NCCGroupInfoSec / @NCCGroupInfoSec
 Open Source  https://github.com/nccgroup
 Blog         https://www.nccgroup.com/en/blog/cyber-security/
 SlideShare   http://www.slideshare.net/NCC_Group/


For more information please visit <a href="http://www.mimecast.com">http://www.mimecast.com<br>
This email message has been delivered safely and archived online by Mimecast.
</a>

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ