Hello everyone,

I have a project for a client that requires me to provide
a vulnerability assessment that deals with DCOM Access,
Launch and RunAs Permissions.

I normally use Nessus as part of my assessment toolkit, but
as far as I can tell there are no plugins to enumerate the
access, launch and runas permissions on the DCOM registry
keys HKLM\software\classes\appid and all subkeys.

I’ve written a VB Script to assist with this. I run it as
part of a pre-scan, then run it again as part of a post-scan,
and then windiff the files to see if anything has changed.
(I’ve added the script to the end of the msg if anyone is
interested.)

I’ve started working with the smbshell.nbin, which I like
and I’ve used.
But I was wondering if there is some reason why Nessus does
not address access, launch and runas permissions with DCOM as
a plugin?

With incorrect access permissions on the DCOM object,
this would allow non-administrators to create DCOM objects
and execute code on the local system.

If DCOM security settings are inadvertently set to a low
level of security, it may be possible for an attacker to
execute arbitrary code, possibly under the user context of
the console user.

In addition, an attacker could change the security on the
object to allow for a future attack, such as setting the
object to run as Interactive User. The Interactive User runs
the application using the security context of the user
currently logged on to the computer. If this option is
selected and the user is not logged on, then the application
fails to start.

DCOM calls are executed under the security context of the
calling user by default. If the RunAs key has been altered,
the DCOM calls can be executed under the user context of the
currently logged in user, or as a third user. If this
ability is not controlled very carefully, it could provide a
network user with the ability to execute arbitrary code
under another user context.

Has anyone written a plugin that would enumerate the
permissions for HKLM\software\classes\appid and all
subkeys? I've been working on converting my vb script to a
nasl script when I have the time, and if anyone has any
pointers that would help me I could really use them.

Thanks to everyone in advance
--John

' Constants used by the calls below (values from the scripting and WMI type libraries)
Const ForAppending = 8
Const wbemFlagReturnImmediately = &h10
Const wbemFlagForwardOnly = &h20

strComputer = "."

'************************************************************************************
'Enumerates Server Name
On Error Resume Next
Set objFSO = CreateObject("Scripting.FileSystemObject")
Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\cimv2")
Set colItems = objWMIService.ExecQuery("SELECT * FROM Win32_ComputerSystem", "WQL", _
    wbemFlagReturnImmediately + wbemFlagForwardOnly)
Set objTextFile = objFSO.OpenTextFile("dcom1.txt", ForAppending, True)
For Each objItem in colItems
    objTextFile.WriteLine("DNSHostName: " & objItem.DNSHostName)
Next
objTextFile.Close

'************************************************************************************
'Enumerates the Operating System and Service Pack
On Error Resume Next
Set objFSO = CreateObject("Scripting.FileSystemObject")
Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\cimv2")
Set colItems = objWMIService.ExecQuery("Select * from Win32_OperatingSystem",,48)
Set objTextFile = objFSO.OpenTextFile("dcom1.txt", ForAppending, True)
For Each objItem in colItems
    objTextFile.WriteLine(objItem.Caption & vbTab & _
        "Service Pack: " & objItem.ServicePackMajorVersion)
Next
objTextFile.Close

'************************************************************************************
'Enumerates the DCOM Application ID, Application Name and RunAs configuration
On Error Resume Next
Set objFSO = CreateObject("Scripting.FileSystemObject")
Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\cimv2")
Set colItems = objWMIService.ExecQuery("Select * from Win32_DCOMApplicationSetting",,48)
Set objTextFile = objFSO.OpenTextFile("dcom1.txt", ForAppending, True)
For Each objItem in colItems
    objTextFile.WriteLine(objItem.AppID & vbTab & _
        objItem.Description & vbTab & objItem.RunAsUser)
Next
objTextFile.Close

'************************************************************************************
'Enumerates DCOM Launch Permissions
On Error Resume Next
Set objFSO = CreateObject("Scripting.FileSystemObject")
Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\cimv2")
Set colItems = objWMIService.ExecQuery("Select * from Win32_DCOMApplicationLaunchAllowedSetting", _
    "WQL", wbemFlagReturnImmediately + wbemFlagForwardOnly)
Set objTextFile = objFSO.OpenTextFile("dcom1.txt", ForAppending, True)
For Each objItem in colItems
    objTextFile.WriteLine(objItem.Element & vbTab & objItem.Setting)
Next
objTextFile.Close
_______________________________________________
Plugins-writers mailing list
Plugins-writers list.nessus.org
http://mail.nessus.org/mailman/listinfo/plugins-writers
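
Added example (not part of the original message or the author's script): a read-only PowerShell audit that walks the same HKLM\SOFTWARE\Classes\AppID key and decodes each AppID's RunAs, LaunchPermission and AccessPermission values into readable ACL entries. It assumes PowerShell 5 or later and an elevated prompt; the function name Convert-DcomAcl and the output file dcom-acl.csv are hypothetical names chosen for this example.

```powershell
# Added example: decode per-AppID DCOM permissions. Reads the registry only.
$root = 'HKLM:\SOFTWARE\Classes\AppID'

# COM access-mask bits as defined in the Windows SDK (COM_RIGHTS_*)
$comRights = [ordered]@{
    Execute        = 0x01
    ExecuteLocal   = 0x02
    ExecuteRemote  = 0x04
    ActivateLocal  = 0x08
    ActivateRemote = 0x10
}

function Convert-DcomAcl {
    # Turns a REG_BINARY security descriptor into "AceType:Account:Rights" strings
    param([byte[]]$Bytes)
    $sd = [System.Security.AccessControl.RawSecurityDescriptor]::new($Bytes, 0)
    foreach ($ace in $sd.DiscretionaryAcl) {
        $sid = $ace.SecurityIdentifier
        try   { $name = $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $name = $sid.Value }   # unresolvable SID: keep the raw value
        $rights = $comRights.Keys | Where-Object { $ace.AccessMask -band $comRights[$_] }
        '{0}:{1}:{2}' -f $ace.AceType, $name, ($rights -join '+')
    }
}

$report = foreach ($key in Get-ChildItem -Path $root -ErrorAction SilentlyContinue) {
    $props = Get-ItemProperty -LiteralPath $key.PSPath
    # A missing value means the AppID falls back to the machine-wide default ACL
    [pscustomobject]@{
        AppID  = $key.PSChildName
        Name   = $props.'(default)'
        RunAs  = $props.RunAs
        Launch = if ($props.LaunchPermission) { (Convert-DcomAcl $props.LaunchPermission) -join '; ' } else { '<machine default>' }
        Access = if ($props.AccessPermission) { (Convert-DcomAcl $props.AccessPermission) -join '; ' } else { '<machine default>' }
    }
}

$report | Sort-Object AppID | Export-Csv -Path .\dcom-acl.csv -NoTypeInformation
```

Running it before and after a scan gives two CSV files that can be compared the same way the message compares its text snapshots; rows whose RunAs, Launch or Access column differs are the ones to review.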