Hello everyone,

I have a project for a client that requires me to provide a vulnerability
assessment that deals with DCOM Access, Launch and RunAs Permissions.
I normally use Nessus as part of my assessment toolkit, but as far as I can
tell there are no plug-ins to enumerate the access, launch and runas permissions
on the DCOM registry keys HKLM\software\classes\appid and all subkeys.

I've written a VB Script to assist with this. I run it as part of a pre-scan,
then run it again as part of a post-scan, and then windiff the files to see if
anything has changed. (I've added the script to the end of the msg if anyone is
interested.)

I've started working with the smbshell.nbin, which I like and I've used.
But I was wondering if there is some reason why Nessus does not address access,
launch and runas permissions with DCOM as a plugin?

With incorrect access permissions on the DCOM object, this would allow
non-administrators to create DCOM objects and execute code on the local system.
If DCOM security settings are inadvertently set to a low level of security, it
may be possible for an attacker to execute arbitrary code, possibly under the
user context of the console user.

In addition, an attacker could change the security on the object to allow for a
future attack, such as setting the object to run as Interactive User. The
Interactive User runs the application using the security context of the user
currently logged on to the computer. If this option is selected and the user is
not logged on, then the application fails to start.

DCOM calls are executed under the security context of the calling user by
default. If the RunAs key has been altered, the DCOM calls can be executed
under the user context of the currently logged in user, or as a third user. If
this ability is not controlled very carefully, it could provide a network user
with the ability to execute arbitrary code under another user context.

Has anyone written a plugin that would enumerate the permissions for the
HKLM\software\classes\appid and all subkeys? I've been working on converting
my VB script to a NASL script when I have the time, and if anyone has any
pointers that would help me I could really use them.

Thanks to everyone in advance --John

' Constants that VBScript does not predefine (without them the flags are 0
' and OpenTextFile fails silently under On Error Resume Next)
Const ForAppending = 8
Const wbemFlagReturnImmediately = &H10
Const wbemFlagForwardOnly = &H20

strComputer = "."
'************************************************************************************
'Enumerates Server Name
On Error Resume Next
Set objFSO = CreateObject("Scripting.FileSystemObject")
Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\cimv2")
Set colItems = objWMIService.ExecQuery("SELECT * FROM Win32_ComputerSystem", "WQL", wbemFlagReturnImmediately + wbemFlagForwardOnly)
Set objTextFile = objFSO.OpenTextFile("dcom1.txt", ForAppending, True)
For Each objItem In colItems
    objTextFile.WriteLine("DNSHostName: " & objItem.DNSHostName)
Next
objTextFile.Close
'****************************************************************************************
'Enumerates the Operating System and Service Pack
On Error Resume Next
Set objFSO = CreateObject("Scripting.FileSystemObject")
Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\cimv2")
Set colItems = objWMIService.ExecQuery("Select * from Win32_OperatingSystem", , 48)
Set objTextFile = objFSO.OpenTextFile("dcom1.txt", ForAppending, True)
For Each objItem In colItems
    objTextFile.WriteLine(objItem.Caption & vbTab & "Service Pack: " & objItem.ServicePackMajorVersion)
Next
objTextFile.Close
'************************************************************************************************
'Enumerates the DCOM Application ID, Application Name and RunAs configuration
On Error Resume Next
Set objFSO = CreateObject("Scripting.FileSystemObject")
Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\cimv2")
Set colItems = objWMIService.ExecQuery("Select * from Win32_DCOMApplicationSetting", , 48)
Set objTextFile = objFSO.OpenTextFile("dcom1.txt", ForAppending, True)
For Each objItem In colItems
    objTextFile.WriteLine(objItem.AppID & vbTab & objItem.Description & vbTab & objItem.RunAsUser)
Next
objTextFile.Close
'**************************************************************************************************
'Enumerates DCOM Launch Permissions (each row pairs an application with an allowed SID)
On Error Resume Next
Set objFSO = CreateObject("Scripting.FileSystemObject")
Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\cimv2")
Set colItems = objWMIService.ExecQuery("Select * from Win32_DCOMApplicationLaunchAllowedSetting", "WQL", wbemFlagReturnImmediately + wbemFlagForwardOnly)
Set objTextFile = objFSO.OpenTextFile("dcom1.txt", ForAppending, True)
For Each objItem In colItems
    objTextFile.WriteLine(objItem.Element & vbTab & objItem.Setting)
Next
objTextFile.Close
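
The access and launch permissions the post wants to diff are stored as binary security descriptors, so the Python below (an added example, not part of the original message or its script) decodes one and flags ALLOW entries that give broad principals remote rights. It assumes the bytes come from the LaunchPermission or AccessPermission REG_BINARY value under an AppID subkey; the sample descriptor, the helper names and the BROAD_SIDS review list are constructed for illustration.

```python
import struct

# COM rights bits used in LaunchPermission / AccessPermission ACE masks
COM_RIGHTS = {0x01: "EXECUTE", 0x02: "EXECUTE_LOCAL", 0x04: "EXECUTE_REMOTE",
              0x08: "ACTIVATE_LOCAL", 0x10: "ACTIVATE_REMOTE"}
# Broad principals an auditor would flag (assumed review policy, adjust as needed)
BROAD_SIDS = {"S-1-1-0": "Everyone", "S-1-5-7": "ANONYMOUS LOGON",
              "S-1-5-11": "Authenticated Users", "S-1-5-32-545": "BUILTIN\\Users"}

def parse_sid(buf, off):
    """Decode the binary SID at buf[off:] into S-1-... string form."""
    rev, count = buf[off], buf[off + 1]
    authority = int.from_bytes(buf[off + 2:off + 8], "big")
    subs = struct.unpack_from("<%dI" % count, buf, off + 8)
    return "-".join(["S", str(rev), str(authority)] + [str(s) for s in subs])

def parse_dacl(sd):
    """Return [(kind, sid, rights)] from a self-relative descriptor, None if no DACL."""
    control, = struct.unpack_from("<H", sd, 2)
    dacl_off, = struct.unpack_from("<I", sd, 16)
    if not control & 0x0004 or dacl_off == 0:  # SE_DACL_PRESENT clear, or NULL DACL
        return None
    ace_count, = struct.unpack_from("<H", sd, dacl_off + 4)
    aces, off = [], dacl_off + 8
    for _ in range(ace_count):
        ace_type, _flags, size, mask = struct.unpack_from("<BBHI", sd, off)
        if ace_type in (0, 1):  # ACCESS_ALLOWED_ACE / ACCESS_DENIED_ACE
            rights = [name for bit, name in COM_RIGHTS.items() if mask & bit]
            aces.append(("ALLOW" if ace_type == 0 else "DENY", parse_sid(sd, off + 8), rights))
        off += size  # AceSize covers header, mask and SID
    return aces

def risky_grants(aces):
    """ALLOW ACEs that give a broad principal any remote right."""
    return [(BROAD_SIDS[sid], rights) for kind, sid, rights in aces
            if kind == "ALLOW" and sid in BROAD_SIDS
            and any(r.endswith("REMOTE") for r in rights)]

# --- Constructed sample descriptor (not taken from a real host) ---
def make_sid(authority, *subs):
    return bytes([1, len(subs)]) + authority.to_bytes(6, "big") + struct.pack("<%dI" % len(subs), *subs)
def make_ace(mask, sid):
    return struct.pack("<BBHI", 0, 0, 8 + len(sid), mask) + sid

# Administrators get every right; Everyone gets remote execute and activation
SAMPLE_ACES = make_ace(0x1F, make_sid(5, 32, 544)) + make_ace(0x15, make_sid(1, 0))
SAMPLE_ACL = struct.pack("<BBHHH", 2, 0, 8 + len(SAMPLE_ACES), 2, 0) + SAMPLE_ACES
SAMPLE_SD = struct.pack("<BBHIIII", 1, 0, 0x8004, 0, 0, 0, 20) + SAMPLE_ACL  # self-relative, DACL present

if __name__ == "__main__":
    print(parse_dacl(SAMPLE_SD), risky_grants(parse_dacl(SAMPLE_SD)))
```

Writing the decoded entries, one per line, into the pre-scan and post-scan files makes a changed principal or right show up directly in the diff.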