RealWorld

Machine Security Assessment

 

I'm not sure this will be of huge interest to anyone, but I put a lot of work into this and I'm really proud of it, so why not!

Outside of my regular day job, I was asked to review a machine for a one-time customer some months back and write up a report giving my own opinion on it.

I was given the task on a Wednesday afternoon and had to have a report complete for a presentation that was to be given at lunchtime that Friday (and, of course, I'm trying to do this outside my regular job), so time is against me.

Furthermore, very strictly, this was to be a reconnaissance-only task: no exploitation (or attempted exploitation) under any circumstances, as this particular user would be fairly high in the command chain and can't afford any downtime. And the user in question isn't privy to the fact that I've been asked to do this.

USER-Machine-01:

OS Vulnerabilities

This machine is running Windows 10 Pro RTM (version 1507). Updates for this version of Windows are discontinued on June 27th this year (whilst some branches of this version lost support last year).

This machine is missing 136 of its required updates. In particular, 4 of these updates are considered critical by Microsoft.

Out of those 4 critical updates, the following 2 really stand out for me:


2017-06 Security Update for Adobe Flash Player for x64-based Systems (KB4022730)

Vulnerabilities that this update would patch: CVE-2017-3075, CVE-2017-3076, CVE-2017-3077, CVE-2017-3078, CVE-2017-3079, CVE-2017-3081, CVE-2017-3082, CVE-2017-3083, CVE-2017-3084.

Arbitrary code execution.


2017-06 Cumulative Update for Windows 10 Version 1507 for x64-based Systems (KB4022727)

Vulnerabilities that this update would patch: CVE-2017-0193, CVE-2017-0218, CVE-2017-0219, CVE-2017-0282, CVE-2017-0284, CVE-2017-0285, CVE-2017-0283, CVE-2017-0287, CVE-2017-0288, CVE-2017-0289, CVE-2017-8531, CVE-2017-8532, CVE-2017-8533, CVE-2017-0291, CVE-2017-0292, CVE-2017-0294, CVE-2017-0296, CVE-2017-0298, CVE-2017-0299, CVE-2017-0300, CVE-2017-8462, CVE-2017-8485, CVE-2017-8460, CVE-2017-8471, CVE-2017-8473, CVE-2017-8474, CVE-2017-8475, CVE-2017-8476, CVE-2017-8477, CVE-2017-8478, CVE-2017-8479, CVE-2017-8480, CVE-2017-8481, CVE-2017-8482, CVE-2017-8483, CVE-2017-8484, CVE-2017-8489, CVE-2017-8490, CVE-2017-8491, CVE-2017-8492.

Arbitrary code execution.

Software Vulnerabilities

Adobe Flash Player 27.0.0.187: CVE-2018-4937

Arbitrary code execution.

iCloud 6.2.3.17: CVE-2017-7120, CVE-2017-13866, CVE-2017-13864 (plus another dozen or two that I don't have time to work through.)

Arbitrary code execution.

iTunes 12.7.0.166: CVE-2017-13870, CVE-2017-13856 (and probably another dozen at least that I don't have time to check.)

Arbitrary code execution.

KeePass Password Safe 1.32:

CVE-2016-5119

Arbitrary code execution.

CVE-2017-1000066: KeePass version 1.32 inadvertently decrypts database entries into memory, which may result in the disclosure of sensitive information.

CVE-2010-5196: Untrusted search path vulnerability in KeePass Password Safe before 2.13 allows local users to gain privileges via a DwmApi.dll file in the current working directory, as demonstrated by a directory that contains a .kdbx file.

MySQL Connector/ODBC 3.51:

CVE-2017-10277: Allows an attacker to update/edit/delete any data accessible to the connector.

CVE-2017-10203: Allows an attacker to DoS the system.

CVE-2017-3590: Allows an attacker to update/edit/delete any data accessible to the connector.

CVE-2017-3523: Allows an attacker to update/edit/delete any data accessible to the connector.

There are at least 10 more CVEs for this piece of software that allow an attacker to update/edit/delete any data accessible to the connector.
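As an added example that is not part of this report (and not the author's own tooling), the following read-only PowerShell inventory is what an administrator could run locally on the machine to reproduce both kinds of finding above: the OS build and missing updates, with Microsoft-rated critical updates and the two KBs named in the OS section flagged, and the installed versions of the products named in the software section. It assumes Windows PowerShell 5.x, local admin rights and a reachable update source for the Windows Update Agent COM API; the KB and product watch lists are taken from the findings above.

```powershell
# Read-only local inventory (added example; not the report author's tooling).
# Reproduces the two kinds of finding above on the machine being assessed:
#   1. OS build and missing updates, flagging Critical ones and the KBs named
#   2. installed versions of the products listed in the findings
# Assumes Windows PowerShell 5.x, local admin rights, and that the Windows
# Update Agent COM API can reach an update source. Nothing is installed.

$watchKBs      = @('4022730', '4022727')            # KBs from the findings above
$watchProducts = @('Adobe Flash Player', 'iCloud', 'iTunes',
                   'KeePass', 'MySQL Connector/ODBC')

# 1a. OS build (Windows 10 version 1507 reports build 10240)
$os = Get-CimInstance -ClassName Win32_OperatingSystem
"OS: {0} build {1}" -f $os.Caption, $os.BuildNumber

# 1b. Missing updates: a search only, the same query the WUA client runs
$session  = New-Object -ComObject Microsoft.Update.Session
$searcher = $session.CreateUpdateSearcher()
$missing  = $searcher.Search('IsInstalled=0 and IsHidden=0').Updates
"Missing updates: {0}" -f $missing.Count

$critical = @($missing | Where-Object { $_.MsrcSeverity -eq 'Critical' })
"Critical per Microsoft: {0}" -f $critical.Count
foreach ($u in $critical) {
    # KBArticleIDs holds the numbers without the 'KB' prefix
    $kbs  = @($u.KBArticleIDs)
    $flag = if ($kbs | Where-Object { $watchKBs -contains $_ }) { 'FLAGGED' } else { '' }
    "  {0,-8} KB{1}  {2}" -f $flag, ($kbs -join ' KB'), $u.Title
}

# 2. Installed software from both Uninstall hives (native and WOW64)
$hives = @('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
           'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*')
$apps = Get-ItemProperty -Path $hives -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName } |
        Sort-Object DisplayName -Unique

"Installed products of interest:"
foreach ($app in $apps) {
    $hit = $watchProducts | Where-Object { $app.DisplayName -like "*$_*" }
    if ($hit) { "  {0}  {1}" -f $app.DisplayName, $app.DisplayVersion }
}
```

The version strings it prints are what you compare against the vendor advisories for the CVEs listed; the script itself makes no vulnerability judgement.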

USER-Machine-02:

OS Vulnerabilities

This machine is running Microsoft Windows 8.1 Enterprise 6.3.9600, which is the latest build.

This machine is missing a single (non-critical) update.

Software Vulnerabilities

Adobe Flash Player 18.0.0.209: there are too many CVEs to list for this version of Flash, covering everything from data leaks to arbitrary code execution.

Arbitrary code execution.

GPL Ghostscript 9.15: CVE-2016-7977, CVE-2016-7979

Arbitrary code execution.

iTunes 12.2.2.25: CVE-2018-4146, CVE-2018-4130, CVE-2018-4127 and at least a dozen more.

Arbitrary code execution.

KeePass Password Safe 1.33: CVE-2016-5119

Arbitrary code execution.

MySQL Connector/ODBC 3.51:

CVE-2017-10277: Allows an attacker to update/edit/delete any data accessible to the connector.

CVE-2017-10203: Allows an attacker to DoS the system.

CVE-2017-3590: Allows an attacker to update/edit/delete any data accessible to the connector.

CVE-2017-3523: Allows an attacker to update/edit/delete any data accessible to the connector.

There are at least 10 more CVEs for this piece of software that allow an attacker to update/edit/delete any data accessible to the connector.

QuickTime 7 7.77.80.95: possibly the following, but this would need further probing to confirm: CVE-2017-2218, CVE-2015-7117, CVE-2015-7091. There are some other CVEs listed, but I feel these would be the most likely to work.

Arbitrary code execution.

I suppose if you made it this far, maybe it's because you are hoping that I might share some insight into my reconnaissance skills. Let's face it, we both know I didn't just pull all that info from an nmap scan. Well… you're right, there is a little secret. Give me an interview and I'll let you in on it 😛