[FD] [CORE-2015-0005] - Windows Pass-Through Authentication Methods Improper Validation
Core Security - Corelabs Advisory http://corelabs.coresecurity.com/ Windows Pass-Through Authentication Methods Improper Validation 1. *Advisory Information* Title: Windows Pass-Through Authentication Methods Improper Validation Advisory ID: CORE-2015-0005 Advisory URL: http://www.coresecurity.com/advisories/windows-pass-through-authentication-methods-improper-validation Date published: 2015-03-10 Date of last update: 2015-03-10 Vendors contacted: Microsoft Release mode: Coordinated release 2. *Vulnerability Information* Class: Permissions, Privileges, and Access Controls [CWE-264], Improper Authentication [CWE-287] Impact: Security bypass Remotely Exploitable: Yes Locally Exploitable: No CVE Name: CVE-2015-0005 3. *Vulnerability Description* The Microsoft [1] Netlogon Remote Protocol is a remote procedure call (RPC) interface that is used, among other things, for user and machine authentication on domain-based networks. In a scenario where a client machine connects to a domain-joined server, a pass-through authentication [2] must be performed in order for the server to verify the client's Credentials with the domain controller. This logon request must be delivered to the domain controller over a secure channel. This secure channel is achieved by encrypting the server to DC communication using a shared secret, commonly known as a server's machine account password. On successful authentication, the domain controller returns the UserSessionKey back to the server. This key is used for cryptographic operations on a session. Examples of the use of this key are generating the keys needed to signing SMB packets, and the keys needed for encryption/decryption of SMB sessions. Improper validation between the account used to secure the communication channel and the logon request data being sent to the domain controller allows third parties to obtain the UserSessionKey for communications that were not meant for them. At minimum this allows an attacker to: 1) Perform SMB Relay attacks on domain environments where SMB Signing is enforced (workaround exists). 2) Decrypt SMB3 sniffed communications (PoC not provided). Other venues of attack should be researched. 4. *Vulnerable Packages* . Windows Server 2003 Service Pack 2 . Windows Server 2003 x64 Edition Service Pack 2 . Windows Server 2003 with SP2 for Itanium-based Systems . Windows Server 2008 for 32-bit Systems with Service Pack 2 . Windows Server 2008 for x64-based Systems with Service Pack 2 . Windows Server 2008 for Itanium-based Systems Service Pack 2 . Windows Server 2008 R2 for x64-based Systems Service Pack 1 . Windows Server 2008 R2 for Itanium-based Systems Service Pack 1 . Windows Server 2012 . Windows Server 2012 R2 . Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation) . Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation) . Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) . Windows Server 2012 (Server Core installation) . Windows Server 2012 R2 (Server Core installation) Versions or editions that are not listed are either past their support life cycle or are not affected. 5. *Vendor Information, Solutions and Workarounds* Based on Core Security's analysis, SPN validation could be a good countermeasure, but it depends on the type of MiTM mounted. It is worth mentioning, this attack only applies on a domain environment. Standalone servers are not prone to this type of attack if SMB signing is enabled. Microsoft posted the following Security Bulletin: [21] 6. *Credits* This vulnerability was discovered and researched by Alberto Solino from the Core Engeneering Team. The publication of this advisory was coordinated by Joaquín Rodríguez Varela from the Core Advisories Team. 7. *Technical Description / Proof of Concept Code* Pass-Through Authentication allows a domain-joined server machine to authenticate a domain user by forwarding the authentication material to the domain controller aiming at receiving a confirmation of the validity of those credentials, among with several information about the account trying to log in that allows the server machine to establish a session and serve resources to that user. In order to send and receive this information (through the NETLOGON [3] protocol), a secure channel must be established between the domain-joined server and the domain controller. This secure channel is built on top of a shared secret between the server and the DC
[FD] WordPress Daily Edition Theme v1.6.2 Information Leakage Security Vulnerabilities
*WordPress Daily Edition Theme v1.6.2 Information Leakage Security Vulnerabilities* Exploit Title: WordPress Daily Edition Theme /thumb.php src Parameters Information Leakage Security Vulnerabilities Product: WordPress Daily Edition Theme Vendor: WooThemes Vulnerable Versions: v1.6.* v1.5.* v1.4.* v1.3.* v1.2.* v1.1.* v.1.0.* Tested Version: v1.6.2 Advisory Publication: March 10, 2015 Latest Update: March 10, 2015 Vulnerability Type: Information Exposure [CWE-200] CVE Reference: * Impact CVSS Severity (version 2.0): CVSS v2 Base Score: 5.0 (MEDIUM) (AV:N/AC:L/Au:N/C:P/I:N/A:N) (legend) Impact Subscore: 2.9 Exploitability Subscore: 10.0 Credit: Wang Jing [Mathematics, Nanyang Technological University (NTU), Singapore] *Advisory Details:* *(1) Vendor & Product Description:* *Vendor:* WooThemes *Product & Vulnerable Versions:* WordPress Daily Edition Theme version 1.6.7 version 1.6.6 version 1.6.5 version 1.6.4 version 1.6.3 version 1.6.2 version 1.6.1 version 1.6 version 1.5 version 1.4.11 version 1.4.10 version 1.4.9 version 1.4.8 version 1.4.7 version 1.4.6 version 1.4.5 version 1.4.4 version 1.4.3 version 1.4.2 version 1.4.1 version 1.4.0 version 1.3.2 version 1.3.1 version 1.3 version 1.2.1 version 1.2 version 1.1.2 version 1.1.1 version 1.1 version 1.0.12 version 1.0.11 version 1.0.10 version 1.0.9 version 1.0.8 version 1.0.7 version 1.0.6 version 1.0.5 version 1.0.4 version 1.0.3 version 1.0.2 version 1.0.1 version 1.0 *Vendor URL & buy:* WordPress Daily Edition Theme can be got from here, http://www.woothemes.com/products/daily-edition/ http://dzv365zjfbd8v.cloudfront.net/changelogs/dailyedition/changelog.txt *Product Introduction:* "Daily Edition WordPress Theme developed by wootheme team and Daily Edition is a clean, spacious newspaper/magazine theme designed by Liam McKay. With loads of home page modules to enable/disable and a unique java script-based featured scroller and video player the theme oozes sophistication" "The Daily Edition theme offers users many options, controlled from the widgets area and the theme options page – it makes both the themes appearance and functions flexible. From The Daily Edition 3 option pages you can for example add your Twitter and Google analytics code, some custom CSS and footer content – and in the widgets area you find a practical ads management." "Unique Features These are some of the more unique features that you will find within the theme: A neat javascript home page featured slider, with thumbnail previews of previous/next slides on hover over the dots. A “talking points” home page that can display posts according to tags, in order of most commented to least commented. A great way to highlight posts gathering dust in the archives. A customizable home page layout with options to specify how many full width blog posts and how many “box” posts you would like to display. A javascript home page video player with thumbnail hover effect. 16 delicious colour schemes to choose from!" *(2) Vulnerability Details:* WordPress Daily Edition Theme has a web application security bug problem. It can be exploited by information leakage attacks - Full Path Disclosure (FPD). This may allow a remote attacker to disclose the software's installation path. While such information is relatively low risk, it is often useful in carrying out additional, more focused attacks. *(2.1) *The code flaw occurs at "thumb.php?" page with "src" parameters. *References:* http://tetraph.com/security/information-leakage-vulnerability/wordpress-daily-edition-theme-v1-6-2-information-leakage-security-vulnerabilities/ http://securityrelated.blogspot.com/2015/03/wordpress-daily-edition-theme-v162_10.html http://www.inzeed.com/kaleidoscope/computer-web-security/wordpress-daily-edition-theme-v1-6-2-information-leakage-security-vulnerabilities/ http://diebiyi.com/articles/%E5%AE%89%E5%85%A8/wordpress-daily-edition-theme-v1-6-2-information-leakage-security-vulnerabilities/ https://webtechwire.wordpress.com/2015/03/10/wordpress-daily-edition-theme-v1-6-2-information-leakage-security-vulnerabilities/ http://static-173-79-223-25.washdc.fios.verizon.net/?a=139222176300014&r=1&w=2 https://cxsecurity.com/issue/WLB-2015020093 -- Wang Jing, Division of Mathematical Sciences (MAS), School of Physical and Mathematical Sciences (SPMS), Nanyang Technological University (NTU), Singapore. http://www.tetraph.com/wangjing/ https://twitter.com/tetraphibious ___ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/