Hello everyone I have a project for a client that requries me to to provide a vulnerability assessment that deals with DCOM Access, Launch and RunAs Permissions. I normally use Nessus as part of my assessment toolkit, but as far as I can tell there are no plug ins to enumerate the assess, launch and runas permission on the DCOM registry keys HKLM\software\classes\appid and all subkeys . I’ve written a VB Script to assist with this, I run it as part of a pre-scan then run it again as part of a post scan and then windiff the files to see if anything has changed. (I’ve add the script to the end of the msg if anyone is interested.) I’ve started working with the smbshell.nbin, which I like and I’ve used. But I was wondering if there is some reason why Nessus does not address assess, launch and runas permission with DCOM as a plugin ? With an incorrect access permissions on the DCOM object, this would allow non-administrators to create DCOM objects and execute code on the local system. If DCOM security settings are inadvertently set to a low level of security, it may be possible for an attacker to execute arbitrary code, possibly under the user context of the console user. In addition, an attacker could change the security on the object to allow for a future attack, such as setting the object to run as Interactive User. The Interactive User runs the application using the security context of the user currently logged on to the computer. If this option is selected and the user is not logged on, then the application fails to start. DCOM calls are executed under the security context of the calling user by default. If the RunAs key has been altered, the DCOM calls can be executed under the user context of the currently logged in user, or as a third user. If this ability is not controlled very carefully, it could provide a network user with the ability to execute arbitrary code under another user context. Has anyone written a plugin that would enumerate the permissions for the HKLM\software\classes\appid and all subkeys? I've been working on converting my vb script to a nasl script when I have the time, and if anyone has any pointers that would help me I could really use them. thanks to everyone in advance --John strComputer = "." '************************************************************************************ 'ENumerates Server Name On Error Resume Next Set objFSO = CreateObject("Scripting.FileSystemObject") Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\cimv2") Set colItems = objWMIService.ExecQuery("SELECT * FROM Win32_ComputerSystem", "WQL", wbemFlagReturnImmediately + wbemFlagForwardOnly) Set objTextFile = objFSO.OpenTextFile ("dcom1.txt", ForAppending, True) For Each objItem in colItems objTextFile.WriteLine("DNSHostName: " & objItem.DNSHostName) Next objTextFile.Close ''**************************************************************************************** 'Enumerates what Operation System and Service Pack on Error Resume Next Set objFSO = CreateObject("Scripting.FileSystemObject") Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\cimv2") Set colItems = objWMIService.ExecQuery("Select * from Win32_OperatingSystem",,48) Set objTextFile = objFSO.OpenTextFile ("dcom1.txt", ForAppending, True) For Each objItem in colItems objTextFile.WriteLine(objItem.Caption & vbTab & "Service Pack: " & objItem.ServicePackMajorVersion) Next objTextFile.Close '************************************************************************************************ 'Enumerates the DCOM Application ID, Application Name and RunAs configuration On Error Resume Next Set objFSO = CreateObject("Scripting.FileSystemObject") Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\cimv2") Set colItems = objWMIService.ExecQuery("Select * from Win32_DCOMApplicationSetting",,48) Set objTextFile = objFSO.OpenTextFile ("dcom1.txt", ForAppending, True) For Each objItem in colItems objTextFile.WriteLine(objItem.AppID & vbTab & ObjItem.Description & vbTab & objItem.RunAsUser) Next objTextFile.Close '************************************************************************************************** 'Enumerates DCOM Launch Permissions On Error Resume Next Set objFSO = CreateObject("Scripting.FileSystemObject") Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\cimv2") Set colItems = objWMIService.ExecQuery("Select * from Win32_DCOMApplicationLaunchAllowedSetting", "WQL",wbemFlagReturnImmediately + wbemFlagForwardOnly) Set objTextFile = objFSO.OpenTextFile ("dcom1.txt", ForAppending, True) For Each objItem in colItems objTextFile.WriteLine(objItem.Element & vbTab & objItem.Setting) Next _______________________________________________ Plugins-writers mailing list Plugins-writers@private http://mail.nessus.org/mailman/listinfo/plugins-writers
This archive was generated by hypermail 2.1.3 : Wed Jan 31 2007 - 10:25:01 PST