exploit the possibilities

outpostPwn.txt

outpostPwn.txt
Posted Jul 24, 2006
Authored by H. Wiedemann

All current available Outpost Firewall versions suffer from severe vulnerabilities that allow any local user to gain access to the LocalSystem account.

tags | exploit, local, vulnerability
MD5 | 4e95f622d248c4d3659dba20ec386004

outpostPwn.txt

Change Mirror Download
Hi,

all current available "Outpost Firewall" versions do have severe
vulnerabilities, every local user is able to run programs under the very
high privileged LocalSystem account.

Steps to reproduce:

1.) create an empty text file (e.g. "empty.txt")
2.) create a batch file which will open a command shell.
sth. like:
cmd.exe
3.) open the Outpost Firewall GUI
4.) call one of the open or save file dialogs
e.g. "File - Load Configuration"
change the file type to "All Files *.*"
5.) drag the "empty.txt" and drop it over the created batch file
6.) a command shell opens running under the LocalSystem account
(you can check this with "whoami.exe" from the windows resource kit
tools)


There're of course a lot other drag&drop possibilites ... you could e.g.
drop the text file over "notepad.exe" which will open a notepad with
system privileges.

Even if Agnitum disables the Drag&Drop functionality: the open/save
dialog will always be able to read and write files with the rights of
the LocalSystem account. Thus every user could severely damage the system.


This vulnerability is by design, there're dozens of other possibilities
to gain system privileges with Outpost. The problem is that the GUI is
part of the windows service and is running with SYSTEM privileges. Even
MS says that the so called "Interactive Services" shouldn't be used -->
MSDN Library, topic "Interactive Services" - "Security Considerations
for Interactive Services".


--

H. WIEDEMANN

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

April 2020

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Apr 1st
    60 Files
  • 2
    Apr 2nd
    20 Files
  • 3
    Apr 3rd
    10 Files
  • 4
    Apr 4th
    0 Files
  • 5
    Apr 5th
    0 Files
  • 6
    Apr 6th
    0 Files
  • 7
    Apr 7th
    0 Files
  • 8
    Apr 8th
    0 Files
  • 9
    Apr 9th
    0 Files
  • 10
    Apr 10th
    0 Files
  • 11
    Apr 11th
    0 Files
  • 12
    Apr 12th
    0 Files
  • 13
    Apr 13th
    0 Files
  • 14
    Apr 14th
    0 Files
  • 15
    Apr 15th
    0 Files
  • 16
    Apr 16th
    0 Files
  • 17
    Apr 17th
    0 Files
  • 18
    Apr 18th
    0 Files
  • 19
    Apr 19th
    0 Files
  • 20
    Apr 20th
    0 Files
  • 21
    Apr 21st
    0 Files
  • 22
    Apr 22nd
    0 Files
  • 23
    Apr 23rd
    0 Files
  • 24
    Apr 24th
    0 Files
  • 25
    Apr 25th
    0 Files
  • 26
    Apr 26th
    0 Files
  • 27
    Apr 27th
    0 Files
  • 28
    Apr 28th
    0 Files
  • 29
    Apr 29th
    0 Files
  • 30
    Apr 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2016 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close