<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Praetorian Prefect &#187; Simon Price</title>
	<atom:link href="http://praetorianprefect.com/archives/author/simonprice/feed/" rel="self" type="application/rss+xml" />
	<link>http://praetorianprefect.com</link>
	<description>Information security, a little slower...a little deeper</description>
	<lastBuildDate>Thu, 29 Jul 2010 16:38:31 +0000</lastBuildDate>
	<generator>http://wordpress.org/?v=2.9.2</generator>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
			<item>
		<title>May&#8217;s Patch Tuesday</title>
		<link>http://praetorianprefect.com/archives/2010/05/mays-patch-tuesday/</link>
		<comments>http://praetorianprefect.com/archives/2010/05/mays-patch-tuesday/#comments</comments>
		<pubDate>Tue, 11 May 2010 22:46:23 +0000</pubDate>
		<dc:creator>Simon Price</dc:creator>
				<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">http://praetorianprefect.com/?p=3915</guid>
		<description><![CDATA[
After a busy April patch month, May&#8217;s patch Tuesday proves to be much quieter with two updates released by Microsoft. Although deemed critical, read the details below to see how your environment may or may not be affected.

Microsoft Updates



ID: MS10-030
Title: Vulnerability in Outlook Express and Windows Mail Could Allow Remote Code Execution 
Microsoft Severity: Critical

Summary: [...]]]></description>
			<content:encoded><![CDATA[<p><a href="http://praetorianprefect.com/wp-content/uploads/2010/03/msft_logo.jpg"><img src="http://praetorianprefect.com/wp-content/uploads/2010/03/msft_logo.jpg" alt="msft_logo" title="msft_logo" width="50" height="50" class="alignleft size-full wp-image-3484" /></a>
After a busy April patch month, May&#8217;s patch Tuesday proves to be much quieter with two updates released by Microsoft. Although deemed critical, read the details below to see how your environment may or may not be affected.</p>

<h3>Microsoft Updates</h3>

<hr />

<p><strong>ID:</strong> <a href="http://www.microsoft.com/technet/security/Bulletin/MS10-030.mspx">MS10-030</a><br />
<strong>Title:</strong> Vulnerability in Outlook Express and Windows Mail Could Allow Remote Code Execution <br />
<strong>Microsoft Severity:</strong> Critical<br /></p>

<p><strong>Summary:</strong> A vulnerability exists in Outlook Express and Windows Mail caused by insufficient validation of network data before using the data to calculate the necessary size of a buffer. An attacker can exploit the vulnerability by tricking a user into initiating a connection to a malicious POP or IMAP server.<br /></p>

<p><strong>Praetorian&#8217;s Recommendation:</strong> The critical severity is due to the potential for remote code execution; however, there are a few key points here that mitigate the severity. First, the mail clients affected are Outlook Express and Windows Mail; Office Outlook is not affected. Second, the client must initiate a connection to a malicious server. In a corporate or enterprise environment, the egress points should restrict outbound POP and IMAP, or the desktop environment should restrict the server settings from being modified.<br /></p>

<hr />

<p><strong>ID:</strong> <a href="http://www.microsoft.com/technet/security/Bulletin/MS10-031.mspx">MS10-031</a><br />
<strong>Title:</strong> Vulnerability in Microsoft Visual Basic for Applications Could Allow Remote Code Execution <br />
<strong>Microsoft Severity:</strong> Critical<br /></p>

<p><strong>Summary:</strong> A vulnerability exists in Visual Basic for applications which can lead to remote code execution. An attacker can create a malicious Office file (Word, Excel) which exploits the VBA vulnerability.<br /></p>

<p><strong>Praetorian&#8217;s Recommendation:</strong> A user would need to open a malicious file to be exploited; therefore, continued emphasis on user training in handling email attachments and web content is necessary. Prepare this update for your next MS Office patch cycle.<br /></p>

<hr />

<p><strong>Related Posts:</strong></p>
<ul>
<li><a href="http://praetorianprefect.com/archives/2010/06/iphone-4-ordering-and-session-switching/">iPhone 4 Ordering and Session Switching</a></li>
<li><a href="http://praetorianprefect.com/archives/2010/03/3473/">March&#8217;s Patch Tuesday</a></li>
<li><a href="http://praetorianprefect.com/archives/2010/03/press-f1-for-help-pwned/">Press F1 for Help, pwned.</a></li>
<li><a href="http://praetorianprefect.com/archives/2010/01/first-patch-tuesday-of-2010/">First Patch Tuesday of 2010</a></li>
<li><a href="http://praetorianprefect.com/archives/2009/12/regular-or-decaf-tool-launched-to-combat-cofee/">Regular or Decaf? Tool launched to combat COFEE</a></li>
</ul><br />
]]></content:encoded>
			<wfw:commentRss>http://praetorianprefect.com/archives/2010/05/mays-patch-tuesday/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>WinPE 3.0 &amp; Forensics</title>
		<link>http://praetorianprefect.com/archives/2010/04/winpe-3-0-forensics/</link>
		<comments>http://praetorianprefect.com/archives/2010/04/winpe-3-0-forensics/#comments</comments>
		<pubDate>Mon, 12 Apr 2010 22:46:49 +0000</pubDate>
		<dc:creator>Simon Price</dc:creator>
				<category><![CDATA[Forensics]]></category>
		<category><![CDATA[windows]]></category>

		<guid isPermaLink="false">http://praetorianprefect.com/?p=3608</guid>
		<description><![CDATA[It is a common task for an investigator to boot a machine using bootable media in the form of DVD or USB and there are countless options available. This tutorial is not intended to replace your favorite Helix CD or preferred method, but you may find this analysis interesting if you are a Windows expert performing a forensics analysis.]]></description>
			<content:encoded><![CDATA[<p><a href="http://praetorianprefect.com/wp-content/uploads/2010/04/glass1.png"><img src="http://praetorianprefect.com/wp-content/uploads/2010/04/glass1-150x150.png" alt="glass1" title="glass1" width="150" height="150" class="alignleft size-thumbnail wp-image-3711" /></a></p>

<p>It is a common task for a computer forensics investigator to boot a machine using bootable media in the form of DVD or USB, and there are countless options available. This tutorial is not intended to replace your favorite Helix CD or preferred method, but you may find this analysis interesting if you are a Windows expert performing a forensics analysis.</p>

<p>Windows PE (Pre-installation Environment) is a minimal Win32 based operating system, typically used for automating deployments by booting into PE via local or PXE boot methods and then imaging or running installations of various operating systems. Version 3.0 of PE included in the latest Windows Automated Installation Kit (AIK) is based on the Windows 7 kernel.</p>

<h3>Getting Started</h3>

<p>To get started, you need the AIK which can be downloaded from <a href="http://www.microsoft.com/downloads/details.aspx?familyid=696DD665-9F76-4177-A811-39C26D3B3B34&amp;displaylang=en">the Microsoft web site</a>. After the installation, you will need to begin working on creating and customizing a WinPE image for your forensics boot disc/drive.</p>

<h4>Make WinPE into WinFE</h4>

<p>If you used WinPE as is and booted it up, it would mount available disks and may lead you in the wrong direction in terms of preserving evidence by changing the state of the drives. WinFE, which stands for Windows Forensics Environment, is based on a document written by Troy Larson, a Forensics Specialist at Microsoft. When this <a href="http://www.twine.com/item/113421dk0-g99/windows-fe">document</a> was written, it was geared toward WinPE 2.1, so there are a few differences in some of the steps I will document in this post, which is intended for version 3.0.</p>

<p>The point of WinFE is that the PE environment boots without mounting physical disks. You can then use imaging tools to capture the disk or mount it in read-only mode to run some tools against the target OS immediately without modification to data in the environment, which in this case could be evidence.</p>

<h4>Let&#8217;s get to it</h4>

<div id="attachment_3623" class="wp-caption alignright" style="width: 185px"><a href="http://praetorianprefect.com/wp-content/uploads/2010/04/copype.jpg"><img src="http://praetorianprefect.com/wp-content/uploads/2010/04/copype-150x150.jpg" alt="copype" title="copype" width="175" height="150" class="alignright size-thumbnail wp-image-3614" /></a><p class="wp-caption-text">CopyPE Command</p></div>

<p>Begin by launching the Deployment Tools Command Prompt (as an administrator). In the following examples, I am using c:\temp\winFE as the path where my PE image is processed, built, etc. The first step is to generate the basic structure and .wim file:</p>

<pre><code>copype.cmd x86 c:\temp\winFE
</code></pre>

<p>This command will create the Windows PE customization working directory. The next step is to mount the default image file so that you can make the necessary changes, including changing the registry settings to ensure disks are not mounted at boot and adding any tools or software you need. AIK Version 3.0 includes dism.exe, which replaces peimg.exe and can be used to mount and unmount images in the same way as imagex.exe:</p>

<pre><code>Dism /Mount-Wim /WimFile:c:\temp\winFE\winpe.wim /index:1 /MountDir:c:\temp\winFE\mount
</code></pre>

<div id="attachment_3623" class="wp-caption alignright" style="width: 310px"><a href="http://praetorianprefect.com/wp-content/uploads/2010/04/dism-mount.jpg"><img src="http://praetorianprefect.com/wp-content/uploads/2010/04/dism-mount-300x50.jpg" alt="Mounting Image" title="dism-mount" width="300" height="50" class="size-medium wp-image-3623" /></a><p class="wp-caption-text">Mounting Image</p></div>

<p>This command mounts the PE image in the c:\temp\winfe\mount directory. If you navigate there, you&#8217;ll see a Windows directory which is the instance of PE that will boot when you finish the process. We need to make some registry changes to the PE registry to prevent mounting disks on start up.</p>

<ul>
<li>Open up the registry editor, highlight HKEY_LOCAL_MACHINE and click on File, Load Hive. </li>
<li>Browse to the mounted PE image and in the Windows\System32\Config directory, choose the file SYSTEM (no extension). </li>
<li>Choose a friendly name such as PE-System.</li>
</ul>

<p>Now under HKEY_LOCAL_MACHINE there will be another hive called PE-System. Make the following changes in this hive:</p>

<ul>
<li>Add a NoAutoMount DWORD value set to 1 under \ControlSet001\Services\MountMgr\</li>
<li>Add a SanPolicy DWORD value set to 3 under \ControlSet001\Services\partmgr\Parameters</li>
</ul>

<p>Unload the hive by selecting it and clicking on File, Unload Hive.</p>

<h4>Branding</h4>

<p>Now with our registry changes made, we can make any additional customizations prior to closing up the image. You can &#8220;brand&#8221; your forensics boot with custom wallpaper by adding winpe.bmp to the mount\Windows\System32 directory.</p>

<h4>Required Tools</h4>

<p>With the image mounted, anything you add to c:\temp\winFE\mount (or if you modified it, the directory you used for the mount) will be a part of the image and boot with your PE boot. For example, I like to create a Tools directory under mount, and in there place tools such as FTK Imager Lite, dd, and netcat. You can of course add any tools of your choice.</p>

<p>If you are familiar with <a href="http://www.regripper.net/">Regripper</a>, this would be a good place to have it as you can get some information from the registry before starting any imaging process. You can add a portable version of Perl, such as <a href="http://strawberryperl.com/releases.html">Strawberry Perl</a> to the tools directory, and add the Regripper tools. I&#8217;ll show Regripper in an example later when booting WinFE.</p>

<p>For tools that require a CYGWIN environment, you can <a href="http://sourceforge.net/projects/cygwinportable/">use this</a> portable version of CYGWIN and have this environment available in PE.</p>

<h4>Custom Scripts</h4>

<p>Being that this is a Windows environment, you can write some VBS/WMI scripts to gather some information as well. Since WMI is not added by default to the base WinPE image, you have to add this package:</p>

<pre><code>dism.exe /image:c:\temp\winFE\mount /add-package /packagepath:"c:\Program Files\Windows AIK\Tools\PETools\x86\winpe-wmi.cab"
</code></pre>

<div id="attachment_3640" class="wp-caption aligncenter" style="width: 310px"><a href="http://praetorianprefect.com/wp-content/uploads/2010/04/wmi-add.jpg"><img src="http://praetorianprefect.com/wp-content/uploads/2010/04/wmi-add-300x73.jpg" alt="Adding WMI Package" title="wmi-add" width="300" height="73" class="size-medium wp-image-3640" /></a><p class="wp-caption-text">Adding WMI Package</p></div>

<p>I also added hta and scripting support:</p>

<pre><code>dism.exe /image:c:\temp\winFE\mount /add-package /packagepath:"c:\Program Files\Windows AIK\Tools\PETools\x86\winpe-hta.cab" /packagepath:"c:\Program Files\Windows AIK\Tools\PETools\x86\winpe-scripting.cab"
</code></pre>

<div id="attachment_3656" class="wp-caption aligncenter" style="width: 310px"><a href="http://praetorianprefect.com/wp-content/uploads/2010/04/scripting-hta-add.jpg"><img src="http://praetorianprefect.com/wp-content/uploads/2010/04/scripting-hta-add-300x95.jpg" alt="Add Scripting and HTA packages" title="scripting-hta-add" width="300" height="95" class="size-medium wp-image-3656" /></a><p class="wp-caption-text">Add Scripting and HTA packages</p></div>

<p>Here are two examples of some WMI queries you can use in your forensics boot:</p>

<ul>
<li><a href='http://praetorianprefect.com/wp-content/uploads/2010/04/BIOS.txt'>BIOS.vbs</a> &#8211; Retrieves information about the system BIOS.</li>
<li><a href='http://praetorianprefect.com/wp-content/uploads/2010/04/disk.txt'>disk.vbs</a> &#8211; Retrieves information about disks.</li>
</ul>

<h4>Powershell?</h4>

<p>A major issue I have with WinPE is Microsoft&#8217;s failure to provide a supported dotNet option. This removes any possibility of using powershell or creating custom applications with VB.Net. This leaves us with vbs/wmi/VB6 until dotNet support is available.</p>

<h4>Finalize the Image</h4>

<p>Once the registry changes are made and you&#8217;ve added all your tools and software into the mounted directory, you write and close the image:</p>

<div id="attachment_9999" class="wp-caption alignright" style="width: 310px"><a href="http://praetorianprefect.com/wp-content/uploads/2010/04/dism-unmount.jpg"><img src="http://praetorianprefect.com/wp-content/uploads/2010/04/dism-unmount-300x78.jpg" alt="Unmount the Image" title="Unmount the Image" width="300" height="78" class="alignright size-medium wp-image-3667" /></a><p class="wp-caption-text">Unmount the Image</p></div>

<pre><code>Dism /Unmount-Wim /MountDir:c:\temp\winFE\mount /Commit
</code></pre>

<p>Note that this isn&#8217;t final: you can always mount the image again, make changes, add new analysis software, etc. using the same steps above, then commit the changes and create a new ISO file.</p>

<p>Copy the resulting winpe.wim file (c:\temp\winfe) into ISO\Sources\boot.wim:</p>

<pre><code>copy c:\temp\winfe\winpe.wim c:\temp\winfe\iso\sources\boot.wim /Y
</code></pre>

<h3>Generate the ISO</h3>

<p>With our image ready, it&#8217;s time to generate the ISO. First, we don&#8217;t want the usual &#8220;Hit any key to boot from CD message&#8221; as we don&#8217;t want to risk booting from the local disks. To eliminate this message, delete the file bootfix.bin from the ISO\boot directory (c:\temp\winFE\ISO\boot).</p>

<pre><code>oscdimg -n -bc:\temp\winFE\etfsboot.com c:\temp\winFE\ISO c:\temp\winFE\forensics-boot.iso
</code></pre>

<p>This ISO file can now be burned to CD/DVD or used in a VM environment to test it out. If you intend to use a USB drive, you can prepare it by doing the following:</p>

<ul>
<li>In a command prompt, run diskpart

<ul>
<li>select disk #  (the # should refer to the USB disk, use &#8220;list disk&#8221; to determine)</li>
<li>clean</li>
<li>create partition primary</li>
<li>select partition 1</li>
<li>active</li>
<li>format fs=fat32</li>
<li>assign</li>
</ul></li>
<li>Then, copy the contents of the ISO directory to the USB disk

<ul>
<li>xcopy c:\temp\winFE\iso\*.* /s /e /f e:\ (change e: to reflect the drive of your USB key)</li>
</ul></li>
</ul>

<h3>Let&#8217;s Boot</h3>

<div id="attachment_3673" class="wp-caption alignleft" style="width: 310px"><a href="http://praetorianprefect.com/wp-content/uploads/2010/04/booting.jpg"><img src="http://praetorianprefect.com/wp-content/uploads/2010/04/booting-300x233.jpg" alt="Booting WinFE" title="booting" width="300" height="233" class="size-medium wp-image-3673" /></a><p class="wp-caption-text">Booting WinFE</p></div>

<p>Take your WinFE boot-ready device and boot a workstation, VM, or machine of your choice. I had a Windows XP VMWare instance which was my target device to investigate. I configured VMWare to use the ISO for the CD-ROM device and rebooted it.</p>

<p>At first glance, it will look just like Windows 7 booting. Remember, WinPE 3.0 is based on the Windows 7 kernel. When booted, the custom wallpaper configured earlier in the post will display with a command prompt, and you will be in the \Windows\System32 directory. This directory is part of the PE operating system, not the target OS which we will analyze. Change to the root directory and you will see any directories (such as Tools) created when we customized the PE.</p>

<div id="attachment_3675" class="wp-caption alignright" style="width: 310px"><a href="http://praetorianprefect.com/wp-content/uploads/2010/04/diskpart-list.jpg"><img src="http://praetorianprefect.com/wp-content/uploads/2010/04/diskpart-list-300x116.jpg" alt="Checking drives in Diskpart" title="diskpart-list" width="300" height="116" class="size-medium wp-image-3675" /></a><p class="wp-caption-text">Checking drives in Diskpart</p></div>

<p>We can double check that the registry key worked and did not mount our target drive. Run diskpart, then type &#8220;list vol&#8221;. You will see a Volume which is Offline and has no drive letter, perhaps more than one. These are drives we may want to mount read-only and analyze. My VM has a single 8GB drive which is Volume 1, so that is my target.</p>

<div id="attachment_3681" class="wp-caption alignright" style="width: 310px"><a href="http://praetorianprefect.com/wp-content/uploads/2010/04/diskpart-readonly.jpg"><img src="http://praetorianprefect.com/wp-content/uploads/2010/04/diskpart-readonly-300x191.jpg" alt="Set your disk to Read-only" title="diskpart-readonly" width="300" height="191" class="size-medium wp-image-3681" /></a><p class="wp-caption-text">Set your disk to Read-only</p></div>

<p>Let&#8217;s get this mounted in read-only mode so we can poke around and get some preliminary information prior to imaging. In diskpart, select the target volume (select vol), then set it to read-only (att vol set readonly). Now we can double check with the &#8220;detail vol&#8221; command, where &#8216;Read-only&#8217; should show &#8216;Yes&#8217;. We can mount this by assigning a drive letter (let&#8217;s assign letter=F). The F: drive is now available in read-only mode, preserving the evidence while giving access to the data, which can be beneficial. When testing this process, try to write to the mounted drive (see screenshot for an example). The message will come back &#8220;The media is write protected&#8221; if everything is set up properly.</p>

<h3>Analyze This</h3>

<p>Depending on how you customized your WinFE image and what tools you added, you have many options to gather information that can be useful prior to the potentially time-consuming imaging process. I mentioned RegRipper before; this tool can be used to get valuable information from the registry of our target. You could use other varied tools to gather initial data or go straight to imaging software such as FTK Imager Lite. Here are some screenshots of the various tools running in WinFE:</p>

<div id="attachment_3689" class="wp-caption alignleft" style="width: 310px"><a href="http://praetorianprefect.com/wp-content/uploads/2010/04/rr.jpg"><img src="http://praetorianprefect.com/wp-content/uploads/2010/04/rr-300x234.jpg" alt="RegRipper in WinFE w/ Strawberry Perl" title="rr" width="300" height="234" class="size-medium wp-image-3689" /></a><p class="wp-caption-text">RegRipper in WinFE w/ Strawberry Perl</p></div>
<div id="attachment_3692" class="wp-caption alignright" style="width: 310px"><a href="http://praetorianprefect.com/wp-content/uploads/2010/04/ftk.jpg"><img src="http://praetorianprefect.com/wp-content/uploads/2010/04/ftk-300x235.jpg" alt="FTK Imager Lite" title="ftk" width="300" height="235" class="size-medium wp-image-3692" /></a><p class="wp-caption-text">FTK Imager Lite</p></div>

<div id="attachment_3694" class="wp-caption alignleft" style="width: 310px"><a href="http://praetorianprefect.com/wp-content/uploads/2010/04/cygwin.jpg"><img src="http://praetorianprefect.com/wp-content/uploads/2010/04/cygwin-300x234.jpg" alt="CygWin in WinFE" title="cygwin" width="300" height="234" class="size-medium wp-image-3694" /></a><p class="wp-caption-text">CygWin in WinFE</p></div>

<div id="attachment_3697" class="wp-caption alignright" style="width: 310px"><a href="http://praetorianprefect.com/wp-content/uploads/2010/04/fau.jpg"><img src="http://praetorianprefect.com/wp-content/uploads/2010/04/fau-300x234.jpg" alt="VolumeDump from George M. Garner Jr&#039;s FAU" title="fau" width="300" height="234" class="size-medium wp-image-3697" /></a><p class="wp-caption-text">VolumeDump from George M. Garner Jr's FAU</p></div>

<h3>Finally</h3>

<p>Ultimately, this was an exercise in reviewing ways that WinPE can be used for forensic purposes. It is another option to be aware of, and for those who are more comfortable in a Microsoft environment this may be your preferred boot method. Hopefully, Microsoft will create a dotNet cab file that can be added as a package to WinPE, as this would create further options for writing Win32 dotNet programs to run within the WinFE environment and would open up Powershell for scripting within WinPE.</p>

<hr />

<h3>UPDATES</h3>

<p>16 April 2010 &#8211; Brett Shavers shared a <a href="http://www.forensicfocus.com/downloads/WinFE.pdf">link</a> with us that includes a great instructional PDF and even a batch file to create the WinFE ISO for you.</p>

<p><strong>Related Posts:</strong></p>
<ul>
<li><a href="http://praetorianprefect.com/archives/2009/12/reactivating-decaf-in-two-minutes/">Reactivating DECAF in Two Minutes</a></li>
<li><a href="http://praetorianprefect.com/archives/2009/12/forensics-beverages-aside-a-look-at-incident-response-tools/">Forensics: Beverages Aside, A Look at Incident Response Tools</a></li>
<li><a href="http://praetorianprefect.com/archives/2009/12/regular-or-decaf-tool-launched-to-combat-cofee/">Regular or Decaf? Tool launched to combat COFEE</a></li>
<li><a href="http://praetorianprefect.com/archives/2009/11/taxonomy-of-forensics-geeks/">Taxonomy of Forensics Geeks</a></li>
<li><a href="http://praetorianprefect.com/archives/2009/11/more-cofee-please-on-second-thought/">More COFEE Please, on Second Thought&hellip;</a></li>
</ul><br />
]]></content:encoded>
			<wfw:commentRss>http://praetorianprefect.com/archives/2010/04/winpe-3-0-forensics/feed/</wfw:commentRss>
		<slash:comments>15</slash:comments>
		</item>
		<item>
		<title>Microsoft IE 6 &amp; 7 Zero-day (Aside)</title>
		<link>http://praetorianprefect.com/archives/2010/03/microsoft-ie-6-7-zero-day-aside/</link>
		<comments>http://praetorianprefect.com/archives/2010/03/microsoft-ie-6-7-zero-day-aside/#comments</comments>
		<pubDate>Tue, 09 Mar 2010 22:00:45 +0000</pubDate>
		<dc:creator>Simon Price</dc:creator>
				<category><![CDATA[Asides]]></category>

		<guid isPermaLink="false">http://praetorianprefect.com/?p=3489</guid>
		<description><![CDATA[A blog post on the MSRC web site warned of a new zero-day in Internet Explorer versions 6 and 7 running on Windows XP, Windows 2000, or Windows 2003. The post references Security Advisory (981374), and at this time there aren&#8217;t many details about the vulnerability other than what MS has stated in the advisory.

Related [...]]]></description>
			<content:encoded><![CDATA[<p>A <a href="http://blogs.technet.com/msrc/archive/2010/03/09/security-advisory-981374-released.aspx">blog post</a> on the MSRC web site warned of a new zero-day in Internet Explorer versions 6 and 7 running on Windows XP, Windows 2000, or Windows 2003. The post references <a href="http://www.microsoft.com/technet/security/advisory/981374.mspx">Security Advisory (981374)</a>, and at this time there aren&#8217;t many details about the vulnerability other than what MS has stated in the advisory.</p>

<p><strong>Related Posts:</strong></p>
<ul>
<li><a href="http://praetorianprefect.com/archives/2010/01/microsoft-posts-advanced-notification-for-out-of-band-patch/">Microsoft Posts Advanced Notification for Out of Band Patch</a></li>
<li><a href="http://praetorianprefect.com/archives/2010/01/smb-bug-wont-be-patched-in-january/">SMB Bug won&#8217;t be patched in January</a></li>
<li><a href="http://praetorianprefect.com/archives/2009/11/taxonomy-of-forensics-geeks/">Taxonomy of Forensics Geeks</a></li>
<li><a href="http://praetorianprefect.com/archives/2009/11/1566/">What DNS is not</a></li>
<li><a href="http://praetorianprefect.com/archives/2009/10/replace-watch-swf-with-warp-swf-on-youtube/">Replace watch.swf with warp.swf on YouTube</a></li>
</ul><br />
]]></content:encoded>
			<wfw:commentRss>http://praetorianprefect.com/archives/2010/03/microsoft-ie-6-7-zero-day-aside/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>March&#8217;s Patch Tuesday</title>
		<link>http://praetorianprefect.com/archives/2010/03/3473/</link>
		<comments>http://praetorianprefect.com/archives/2010/03/3473/#comments</comments>
		<pubDate>Tue, 09 Mar 2010 20:38:40 +0000</pubDate>
		<dc:creator>Simon Price</dc:creator>
				<category><![CDATA[Administration]]></category>
		<category><![CDATA[Patch Management]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[windows]]></category>
		<category><![CDATA[excel]]></category>
		<category><![CDATA[Microsoft]]></category>
		<category><![CDATA[office]]></category>
		<category><![CDATA[office for mac]]></category>
		<category><![CDATA[patch]]></category>
		<category><![CDATA[patch tuesday]]></category>
		<category><![CDATA[updates]]></category>

		<guid isPermaLink="false">http://praetorianprefect.com/?p=3473</guid>
		<description><![CDATA[<a href="http://praetorianprefect.com/wp-content/uploads/2010/03/msft_logo.jpg"><img src="http://praetorianprefect.com/wp-content/uploads/2010/03/msft_logo.jpg" alt="msft_logo" title="msft_logo" width="150" height="150" class="alignleft size-full wp-image-3484" /></a>

Today is patch Tuesday for March 2010, and Microsoft has released two security bulletins for this round of updates, neither of which are deemed critical. The second bulletin addresses seven different vulnerabilities across various versions of Microsoft Office Excel.]]></description>
			<content:encoded><![CDATA[<p><a href="http://praetorianprefect.com/wp-content/uploads/2010/03/msft_logo.jpg"><img src="http://praetorianprefect.com/wp-content/uploads/2010/03/msft_logo.jpg" alt="msft_logo" title="msft_logo" width="150" height="150" class="alignleft size-full wp-image-3484" /></a></p>

<p>Today is patch Tuesday for March 2010, and Microsoft has released two security bulletins for this round of updates, neither of which are deemed critical. The second bulletin addresses seven different vulnerabilities across various versions of Microsoft Office Excel.</p>

<hr />

<p><strong>ID:</strong> <a href="http://www.microsoft.com/technet/security/bulletin/ms10-016.mspx">MS10-016</a><br />
<strong>Title:</strong> Vulnerabilities in Windows Movie Maker Could Allow Remote Code Execution<br />
<strong>Microsoft Severity:</strong> Important<br /></p>

<p><strong>Summary:</strong> There is a buffer overflow in the Windows Movie Maker and MS Producer 2003 which can lead to code execution. Movie Maker 2.1 is included with Windows XP SP2 and SP3, and Movie Maker 6.0 is included with Vista. Movie Maker 2.6 is an optional download for Vista and Windows 7.<br /></p>

<p><strong>Praetorian&#8217;s Recommendation:</strong> This is deemed important instead of critical due to the user having to run content which exploits the vulnerability. A user would have to be tricked into opening a Movie Maker project file (mswmm) to be exploited. This can be updated in your next patch cycle, and is not considered urgent. <br /></p>

<hr />

<p><strong>ID:</strong> <a href="http://www.microsoft.com/technet/security/Bulletin/MS10-017.mspx">MS10-017</a><br />
<strong>Title:</strong> Vulnerability in Microsoft Office Excel Could Allow Remote Code Execution<br />
<strong>Microsoft Severity:</strong> Important<br /></p>

<p><strong>Summary:</strong> This update addresses seven different vulnerabilities related to Microsoft Office Excel. Each vulnerability may affect one or more of the following versions: Office Excel 2003 SP3, Office Excel 2007 SP1 and SP2, Office 2004 for Mac, Office 2008 for Mac, Open XML File Format Converter for Mac, Office Excel Viewer SP1 and SP2, Office Compatibility Pack for Word, Excel, and Powerpoint 2007 File Formats SP1 and SP2, and Office SharePoint Server 2007 SP1 and SP2.<br /></p>

<p><strong>Praetorian&#8217;s Recommendation:</strong> Although the same requirement exists as for MS10-016, namely that users must open malicious files, Excel formats are more recognizable, and phishing and social engineering techniques can be more successful with a known or common file format. This can be updated in your next patch cycle, but it warrants more attention than MS10-016.<br /></p>

<hr />

<p><strong>Related Posts:</strong></p>
<ul>
<li><a href="http://praetorianprefect.com/archives/2010/06/iphone-4-ordering-and-session-switching/">iPhone 4 Ordering and Session Switching</a></li>
<li><a href="http://praetorianprefect.com/archives/2010/05/mays-patch-tuesday/">May&#8217;s Patch Tuesday</a></li>
<li><a href="http://praetorianprefect.com/archives/2010/03/press-f1-for-help-pwned/">Press F1 for Help, pwned.</a></li>
<li><a href="http://praetorianprefect.com/archives/2010/02/februarys-patch-tuesday/">February&#8217;s Patch Tuesday</a></li>
<li><a href="http://praetorianprefect.com/archives/2010/01/disable-acrobat-reader-pdf-in-the-enterprise/">Using Group Policy to Disable JavaScript in Adobe PDF Files</a></li>
</ul><br />
]]></content:encoded>
			<wfw:commentRss>http://praetorianprefect.com/archives/2010/03/3473/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Press F1 for Help, pwned.</title>
		<link>http://praetorianprefect.com/archives/2010/03/press-f1-for-help-pwned/</link>
		<comments>http://praetorianprefect.com/archives/2010/03/press-f1-for-help-pwned/#comments</comments>
		<pubDate>Tue, 02 Mar 2010 17:39:54 +0000</pubDate>
		<dc:creator>Simon Price</dc:creator>
				<category><![CDATA[Remote Exploit]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Security Policy]]></category>
		<category><![CDATA[Stay Safe Online]]></category>
		<category><![CDATA[Vulnerability]]></category>
		<category><![CDATA[windows]]></category>
		<category><![CDATA[help system]]></category>
		<category><![CDATA[ie]]></category>
		<category><![CDATA[Internet Explorer]]></category>
		<category><![CDATA[Microsoft]]></category>
		<category><![CDATA[winhlp32]]></category>
		<category><![CDATA[zero-day]]></category>

		<guid isPermaLink="false">http://praetorianprefect.com/?p=3444</guid>
		<description><![CDATA[

Microsoft published security advisory 981169 yesterday in response to the zero day vulnerability reported a few days prior. The vulnerability is in the help system and can be triggered by luring an Internet Explorer user into pressing the F1 key. Windows 2000, Windows XP SP2 &#38; SP3, and Windows 2003 SP2 with Internet Explorer 7 [...]]]></description>
			<content:encoded><![CDATA[<p><a href="http://praetorianprefect.com/wp-content/uploads/2010/03/Vista_Help_thumb_7AEAB696.png"><img src="http://praetorianprefect.com/wp-content/uploads/2010/03/Vista_Help_thumb_7AEAB696-150x150.png" alt="Vista_Help_thumb_7AEAB696" title="Vista_Help_thumb_7AEAB696" width="125" height="125" class="alignleft size-thumbnail wp-image-3449" /></a></p>

<p>Microsoft published security advisory <a href="http://www.microsoft.com/technet/security/advisory/981169.mspx">981169</a> yesterday in response to the zero day vulnerability reported a few days prior. The vulnerability is in the help system and can be triggered by luring an Internet Explorer user into pressing the F1 key. Windows 2000, Windows XP SP2 &amp; SP3, and Windows 2003 SP2 with Internet Explorer 7 and Internet Explorer 8 are all affected.</p>

<p>Credit to Maurycy Prodeus for publishing the <a href="http://isec.pl/vulnerabilities/isec-0027-msgbox-helpfile-ie.txt">initial details</a> of the vulnerability.</p>

<h3>Details</h3>

<p>Using the MsgBox VBScript function in an HTML page, an attacker can create a dialog box prompting the user to press F1, which is not hard to provoke with a message such as &#8220;Internet Explorer encountered an error, press F1 to continue&#8221;. The <a href="http://msdn.microsoft.com/en-us/library/sfw6660x(VS.85).aspx">MsgBox</a> function matters because its fourth argument is a helpfile parameter: the .hlp or .chm file to open when the user asks for help via F1.</p>

<p>I created a simple help file with the word &#8220;Test&#8221; using the Microsoft Help Workshop version 4.03. In addition to this, I added the macro to launch a command prompt (cmd.exe). When I double click this file in Windows XP SP3, I get my test helpfile and the command prompt launches as well:</p>

<div id="attachment_3447" class="wp-caption alignright" style="width: 310px"><a href="http://praetorianprefect.com/wp-content/uploads/2010/03/ScreenHunter_02-Mar.-02-11.51.jpg"><img src="http://praetorianprefect.com/wp-content/uploads/2010/03/ScreenHunter_02-Mar.-02-11.51-300x248.jpg" alt="Cmd.exe launched with my Help file." title="ScreenHunter_02 Mar. 02 11.51" width="300" height="248" class="size-medium wp-image-3447" /></a><p class="wp-caption-text">Cmd.exe launched with my Help file.</p></div>

<p>So we now have a .hlp file that executes code. As mentioned before, the MsgBox function has a parameter to specify a help file to launch when the user presses F1. Here is where I come back to a recurring issue: SMB traffic, and allowing it outbound through firewalls. For the MsgBox parameter to launch the .hlp file, the attacker must point either to a local file (which the user would already have had to download) or to a file hosted on an Internet-accessible SMB share. If you look at the proof of concept code circulating, you will see the MsgBox helpfile parameter is &#8220;\\x.x.x.x\attackfile.hlp&#8221;, a UNC path to a help file on an SMB share. Corporate enterprises should certainly block SMB outbound, and with this vulnerability and the several previous attacks via the SMB client, home users should block this outbound traffic as well.</p>

<h3>Vista, Windows 7, &amp; Server 2008</h3>

<p>The vulnerability does not work on Vista, Windows 7 and Windows 2008 due to Microsoft no longer including winhlp32.exe with these versions. However, there is an update which can install winhlp32 for these versions (<a href="http://www.microsoft.com/downloads/details.aspx?FamilyID=258aa5ec-e3d9-4228-8844-008e02b32a2c&amp;displaylang=en">Windows 7 Version I installed from here</a>). I found that these updates did not launch the cmd.exe as the Windows XP version did (I also tried Prodeus&#8217;s PoC help file and it displayed but did not run calc.exe). It is possible that Microsoft removed this code execution function from these versions.</p>

<h3>Workarounds</h3>

<p>The first warning is to avoid pressing F1 when prompted by a website. Beyond that, the permissions on winhlp32.exe can be changed so that it cannot execute, and in an Active Directory environment a Group Policy software restriction policy can prohibit winhlp32.exe from launching. As mentioned, I recommend blocking outbound SMB (TCP 139 and 445) at the perimeter, as there is rarely a justification for mounting a network share on the public Internet; this also covers many SMB client vulnerabilities disclosed in the past.</p>
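<p>Two of these workarounds can be scripted, and the third can be verified rather than assumed. The following is an added example, not code from the original post or from Microsoft&#8217;s advisory: it assumes PowerShell 2.0 or later on the affected Windows XP / Server 2003 hosts, an elevated prompt, and that the placeholder hostname smb-test.example.com is replaced with a machine you control outside the perimeter that listens on TCP 445 and 139.</p>

```powershell
# Added example, not from the original post. Assumes PowerShell 2.0+ and an
# elevated prompt on Windows XP / Server 2003, where winhlp32.exe ships.

# Workaround 1: make winhlp32.exe non-executable. cacls "everyone:N" adds a
# no-access entry for Everyone; the current ACL is printed first so it can be
# restored by hand (cacls <file> /E /R everyone removes the entry again).
function Deny-WinHlp32 {
    $exe = Join-Path $env:windir 'winhlp32.exe'
    if (-not (Test-Path $exe)) {
        Write-Host "$exe not present (Vista/7/2008 without the optional download): nothing to do"
        return $false
    }
    Write-Host "ACL before change:"
    & cacls.exe $exe
    # /E edits the existing ACL in place; /P replaces Everyone's rights with N (none)
    & cacls.exe $exe /E /P 'everyone:N'
    return ($LASTEXITCODE -eq 0)
}

# Workaround 2: confirm outbound SMB really is blocked at the perimeter.
# $ExternalHost must be a machine you control on the Internet with 445 and
# 139 listening; a completed TCP handshake means the MsgBox lure could reach
# an attacker's share from this network.
function Test-SmbEgress {
    param(
        [Parameter(Mandatory=$true)][string]$ExternalHost,
        [int[]]$Ports = @(445, 139),
        [int]$TimeoutMs = 3000
    )
    $results = @()
    foreach ($port in $Ports) {
        $client = New-Object System.Net.Sockets.TcpClient
        $open = $false
        try {
            $ar = $client.BeginConnect($ExternalHost, $port, $null, $null)
            # Connected only becomes true on a completed handshake; a refusal
            # completes the wait with Connected = false, a firewall drop times out
            if ($ar.AsyncWaitHandle.WaitOne($TimeoutMs) -and $client.Connected) { $open = $true }
        } catch {
            $open = $false   # unreachable host or name resolution failure
        } finally {
            $client.Close()
        }
        $results += New-Object PSObject -Property @{ Host = $ExternalHost; Port = $port; Reachable = $open }
        if ($open) { Write-Warning "TCP $port to $ExternalHost connected: outbound SMB is NOT blocked" }
    }
    return $results
}

Deny-WinHlp32
# Placeholder hostname: replace with a host you control outside the firewall
Test-SmbEgress -ExternalHost 'smb-test.example.com' | Format-Table Host, Port, Reachable -AutoSize
```

<p>Run the egress test from a workstation VLAN, not from a server segment with different rules, and treat a Reachable value of True on either port as a perimeter finding in its own right: it means every SMB client bug in this and previous bulletins is reachable from the Internet regardless of patch status.</p>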

<p><strong>Related Posts:</strong></p>
<ul>
<li><a href="http://praetorianprefect.com/archives/2010/07/turning-an-atm-into-a-slot-machine/">Turning an ATM into a Slot Machine</a></li>
<li><a href="http://praetorianprefect.com/archives/2010/06/iphone-4-ordering-and-session-switching/">iPhone 4 Ordering and Session Switching</a></li>
<li><a href="http://praetorianprefect.com/archives/2010/05/thou-shalt-not-send-naked-pictures-to-anyone-ever/">Thou Shalt Not Send Naked Pictures&#8230;To Anyone Ever</a></li>
<li><a href="http://praetorianprefect.com/archives/2010/05/mays-patch-tuesday/">May&#8217;s Patch Tuesday</a></li>
<li><a href="http://praetorianprefect.com/archives/2010/03/iepeers-a-new-internet-explorer-zero-day-vulnerability/">IEPeers &#8211; A New Internet Explorer Zero Day Vulnerability</a></li>
</ul><br />
]]></content:encoded>
			<wfw:commentRss>http://praetorianprefect.com/archives/2010/03/press-f1-for-help-pwned/feed/</wfw:commentRss>
		<slash:comments>3</slash:comments>
		</item>
		<item>
		<title>February&#8217;s Patch Tuesday</title>
		<link>http://praetorianprefect.com/archives/2010/02/februarys-patch-tuesday/</link>
		<comments>http://praetorianprefect.com/archives/2010/02/februarys-patch-tuesday/#comments</comments>
		<pubDate>Tue, 09 Feb 2010 22:56:29 +0000</pubDate>
		<dc:creator>Simon Price</dc:creator>
				<category><![CDATA[Patch Management]]></category>
		<category><![CDATA[ActiveX]]></category>
		<category><![CDATA[Microsoft]]></category>
		<category><![CDATA[patch tuesday]]></category>
		<category><![CDATA[Remote Exploit]]></category>

		<guid isPermaLink="false">http://praetorianprefect.com/?p=3305</guid>
<description><![CDATA[Today is patch Tuesday for February 2010, and it marks a fairly busy patch cycle for Microsoft, who released thirteen updates today. In late January, there was an out-of-band release for two critical patches, in response to the high profile issue around the Internet Explorer Aurora exploit. This makes a total of fifteen patches since January's patch Tuesday.]]></description>
			<content:encoded><![CDATA[<p><a href="http://praetorianprefect.com/wp-content/uploads/2010/02/msft_logo1.jpg"><img src="http://praetorianprefect.com/wp-content/uploads/2010/02/msft_logo1-150x150.jpg" alt="msft_logo" title="msft_logo" width="150" height="150" class="alignleft size-thumbnail wp-image-3328" /></a></p>

<p>Today is patch Tuesday for February 2010, and it marks a fairly busy patch cycle for Microsoft, who released thirteen updates today. In late January, there was an out-of-band release for two critical patches, in response to the high profile issue around the Internet Explorer Aurora exploit. This makes a total of fifteen patches since January&#8217;s patch Tuesday.</p>

<hr />

<p><strong>ID:</strong> MS10-006<br />
<strong>Title:</strong> Vulnerabilities in SMB Client Could Allow Remote Code Execution<br />
<strong>Microsoft Severity:</strong> Critical<br /></p>

<p><strong>Summary:</strong> The update addresses a pool corruption and a race condition in the Server Message Block (SMB) client, the component that handles client requests to network file shares. An attacker obtains remote code execution by running a malicious SMB server and directing a user to connect to it.<br /></p>

<p><strong>Praetorian&#8217;s Recommendation:</strong> The attack requires the client to establish an outbound SMB connection. If you enforce proper egress rules on your firewall, blocking outbound SMB, you mitigate the Internet-based attack and the update is less urgent; note that egress filtering does nothing against a malicious SMB server inside your own network. If you allow all ports outbound, apply this patch across all Windows versions as soon as possible.<br /></p>

<hr />

<p><strong>ID:</strong> MS10-007<br />
<strong>Title:</strong> Vulnerability in Windows Shell Handler Could Allow Remote Code Execution<br />
<strong>Microsoft Severity:</strong> Critical<br /></p>

<p><strong>Summary:</strong> An input validation bug exists in the ShellExecute API on Windows 2000, Windows XP, and Windows Server 2003. The vulnerability can allow attackers to execute code as the logged-in user.<br /></p>

<p><strong>Praetorian&#8217;s Recommendation:</strong> For Windows XP, Windows 2000, and Windows Server 2003, update as soon as possible as this vulnerability allows for remote code execution and there are no workarounds outside of the update. For Windows Vista, Windows 7, and Windows Server 2008, please see MS10-002.<br /></p>

<hr />

<p><strong>ID:</strong> MS10-008<br />
<strong>Title:</strong> Cumulative Security Update of ActiveX Kill Bit<br />
<strong>Microsoft Severity:</strong> Critical<br /></p>

<p><strong>Summary:</strong> A vulnerability in the Microsoft Data Analyzer ActiveX control can lead to remote code execution: an attacker hosts a malicious web page that instantiates the control and executes code with the privileges of the logged-in user. In addition, this update sets kill bits (which stop Internet Explorer from loading a control) for several third-party controls at the request of their vendors, including Symantec, Google, and Facebook.<br /></p>

<p><strong>Praetorian&#8217;s Recommendation:</strong> Update Windows XP and Windows 2000 as soon as possible. Server platforms have tighter default browsing restrictions, but should still be updated during your next server patch cycle, especially in Terminal Server / Citrix environments. A kill bit can also be set by hand: it is a registry value (Compatibility Flags = 0x400 under HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID}) that stops the browser from instantiating the COM object, but it has to be set for the CLSID of each affected control, so the simpler approach of installing the update is recommended.<br /></p>
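<p>As an added example (not from the original post or from the bulletin), here is the registry change behind a kill bit, scripted for a single control, with a check that reads it back. The CLSID at the bottom is a placeholder, not the Data Analyzer control&#8217;s real identifier, which the bulletin lists; the functions assume an elevated 64-bit PowerShell on 64-bit Windows (or any elevated PowerShell on 32-bit Windows).</p>

```powershell
# Added example, not from the original post or the bulletin. Run from an
# elevated 64-bit PowerShell on 64-bit Windows (or any elevated PowerShell on
# 32-bit Windows). The CLSID used at the bottom is a placeholder, not the
# Data Analyzer control's real identifier; take real CLSIDs from the bulletin.
function Get-ActiveXCompatPaths {
    param([string]$Clsid)
    $paths = @("HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid")
    # On 64-bit Windows the 32-bit Internet Explorer reads the Wow6432Node view,
    # so the kill bit has to exist in both places to cover both browsers
    if ([IntPtr]::Size -eq 8) {
        $paths += "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"
    }
    return $paths
}

function Set-ActiveXKillBit {
    param([Parameter(Mandatory=$true)][string]$Clsid)
    if ($Clsid -notmatch '^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$') {
        throw "CLSID must be a braced GUID, got '$Clsid'"
    }
    foreach ($key in Get-ActiveXCompatPaths $Clsid) {
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        # OR the kill bit (0x400) into any flags already present rather than
        # overwriting them; 0x400 makes IE refuse to instantiate the control
        $existing = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
        $flags = ([int]$existing) -bor 0x400
        Set-ItemProperty -Path $key -Name 'Compatibility Flags' -Value $flags -Type DWord
    }
}

function Test-ActiveXKillBit {
    param([Parameter(Mandatory=$true)][string]$Clsid)
    foreach ($key in Get-ActiveXCompatPaths $Clsid) {
        if (-not (Test-Path $key)) { return $false }
        $flags = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
        if (($flags -band 0x400) -eq 0) { return $false }
    }
    return $true
}

# Placeholder CLSID for illustration only; substitute a real one from the bulletin
$clsid = '{00000000-0000-0000-0000-000000000000}'
Set-ActiveXKillBit -Clsid $clsid
Test-ActiveXKillBit -Clsid $clsid
```

<p>Test-ActiveXKillBit returns True only when the 0x400 bit is present in every view the browser can read, which also makes it a quick way to confirm, for the CLSIDs listed in the bulletin, that the update actually landed on a machine.</p>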

<hr />

<p><strong>ID:</strong> MS10-009<br />
<strong>Title:</strong> Vulnerabilities in Windows TCP/IP Could Allow Remote Code Execution<br />
<strong>Microsoft Severity:</strong> Critical<br /></p>

<p><strong>Summary:</strong> This update addresses several issues in Windows TCP/IP: two vulnerabilities in ICMPv6 handling that allow remote code execution, one in the handling of header MDL fragmentation by custom network drivers, and a denial of service caused by mishandling malformed selective acknowledgement (SACK) packets. These vulnerabilities affect Windows Vista and Windows Server 2008 (not R2).<br /></p>

<p><strong>Praetorian&#8217;s Recommendation:</strong> Microsoft rates this update critical because of the remote code execution, but there are many &#8220;ifs&#8221;. The ICMPv6 vulnerabilities can only be exploited if your firewall passes ICMPv6 and your network carries IPv6, natively or tunneled over IPv4. The mishandling of malformed SACK packets causes only a denial of service, and the attacker would have to host a service the victim connects to, such as a website, and send the malformed SACK packet back to the connecting client. With these caveats the rating should be Moderate or Important; if you meet the requirements for the ICMPv6 vulnerabilities, update as soon as possible.<br /></p>

<hr />

<p><strong>ID:</strong> MS10-013<br />
<strong>Title:</strong> Vulnerability in Microsoft DirectShow Could Allow Remote Code Execution<br />
<strong>Microsoft Severity:</strong> Critical<br /></p>

<p><strong>Summary:</strong> A vulnerability exists in the way DirectShow parses AVI files. An attacker leads a victim, via phishing or a malicious website, to open a specially crafted AVI file and gains remote code execution with the same rights as the logged-in user.<br /></p>

<p><strong>Praetorian&#8217;s Recommendation:</strong> All versions of Windows are affected by this vulnerability and should be patched as soon as possible. Since it is less likely that AVI files would be played on server platforms, the workstations and terminal server / Citrix environments should be the priority.<br /></p>

<hr />

<p><strong>ID:</strong> MS10-003<br />
<strong>Title:</strong> Vulnerability in Microsoft Office (MSO) Could Allow Remote Code Execution<br />
<strong>Microsoft Severity:</strong> Important</p>

<p><strong>Summary:</strong> A vulnerability exists in Office XP and Office 2004 for Mac which can lead to remote code execution. A victim would need to open a malicious Office file to be attacked.<br /></p>

<p><strong>Praetorian&#8217;s Recommendation:</strong> Despite the Important rating, this allows remote code execution. Vulnerabilities like this remind us how important user awareness training is for firms. A victim has to open an Office file sent by email or hosted on a malicious site; in a browser, the user is prompted before the file opens when they follow a link or are redirected. Users must be trained not to open attachments from unknown sources, and the urgency of the update depends on how diligent your users are about consulting IT support before opening suspicious content. Note that only Office XP and Office 2004 for Mac are affected.<br /></p>

<hr />

<p><strong>ID:</strong> MS10-004<br />
<strong>Title:</strong> Vulnerabilities in Microsoft Office PowerPoint Could Allow Remote Code Execution<br />
<strong>Microsoft Severity:</strong> Important<br /></p>

<p><strong>Summary:</strong> This update addresses six remote code execution vulnerabilities in PowerPoint versions included in Office XP, Office 2003, and Office 2004 for Mac.<br /></p>

<p><strong>Praetorian&#8217;s Recommendation:</strong> Like MS10-003, this is rated Important but allows remote code execution. The victim must open a PowerPoint file with an affected version to be compromised. Where these versions are in use and users are likely to open PowerPoint files from unknown websites or emails, patch as soon as possible.<br /></p>

<hr />

<p><strong>ID:</strong> MS10-010<br />
<strong>Title:</strong> Vulnerability in Windows Server 2008 Hyper-V Could Allow Denial of Service<br />
<strong>Microsoft Severity:</strong> Important<br /></p>

<p><strong>Summary:</strong> This update addresses a denial of service vulnerability in Hyper-V on Windows Server 2008 x64 and Windows Server 2008 R2. The denial of service affects the host operating system and therefore brings down every guest running on it.<br /></p>

<p><strong>Praetorian&#8217;s Recommendation:</strong> Apply the patch during your next patch cycle. The attacker needs valid credentials on a guest virtual machine running on the host, so in a properly managed environment this is difficult to exploit; the caveat is that a single compromised guest can take down every other guest on the same host.<br /></p>

<hr />

<p><strong>ID:</strong> MS10-011<br />
<strong>Title:</strong> Vulnerability in Windows Client/Server Run-time Subsystem Could Allow Elevation of Privilege<br />
<strong>Microsoft Severity:</strong> Important<br /></p>

<p><strong>Summary:</strong> This update addresses a bug in CSRSS (Client/Server Run-time Subsystem) which leads to local privilege elevation.</p>

<p><strong>Praetorian&#8217;s Recommendation:</strong> The risk is that a user who already holds credentials and is logged on can gain kernel or SYSTEM level privileges. The vulnerability cannot be exploited remotely. This update can be included in your normal patch cycle and is not deemed critical.</p>

<hr />

<p><strong>ID:</strong> MS10-012<br />
<strong>Title:</strong> Vulnerabilities in SMB Server Could Allow Remote Code Execution<br />
<strong>Microsoft Severity:</strong> Important<br /></p>

<p><strong>Summary:</strong> This update addresses four issues in the SMB server across all versions of Windows. The pathname overflow can lead to remote code execution but requires authentication; the memory corruption and null pointer dereference lead to denial of service; and a lack of entropy in the NTLM challenge means an attacker who has captured a valid challenge/response pair can wait for the challenge to repeat and replay it, gaining access to the share without credentials (Microsoft classes this as elevation of privilege).<br /></p>

<p><strong>Praetorian&#8217;s Recommendation:</strong> Keeping patches up to date is important in any environment, but these SMB updates are a very important reminder that egress firewall rules should matter as much to firms as ingress rules. As a best practice, SMB (TCP 445, plus 139 for the NetBIOS session service) should be blocked both inbound and outbound at the perimeter. Many of the recent SMB vulnerabilities affect the SMB client, meaning the attacker directs the victim to attempt an SMB client connection to a malicious server; that is not possible if your firewall blocks SMB outbound.<br /></p>

<hr />

<p><strong>ID:</strong> MS10-014<br />
<strong>Title:</strong> Vulnerability in Kerberos Could Allow Denial of Service<br />
<strong>Microsoft Severity:</strong> Important<br /></p>

<p><strong>Summary:</strong> This update addresses a denial of service vulnerability caused by improper handling of ticket-granting ticket (TGT) renewal requests from a client in a remote, non-Windows realm in a mixed Kerberos deployment. Only Windows Server operating systems (2000, 2003, 2008) are affected, and only when acting as domain controllers.<br /></p>

<p><strong>Praetorian&#8217;s Recommendation:</strong> The client sending the malformed request has to sit in a remote, non-Windows Kerberos realm trusted by your domain, which is a very specific setup. If you have no such realm trust, you are not exposed; if you do, the impact is still only denial of service, so the update can go in your regular patch cycle and is not critical for immediate action.<br /></p>

<hr />

<p><strong>ID:</strong> MS10-015<br />
<strong>Title:</strong> Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege<br />
<strong>Microsoft Severity:</strong> Important<br /></p>

<p><strong>Summary:</strong> This update addresses two elevation of privilege issues in the Windows kernel, affecting every version of Windows except 64-bit Windows 7 and Windows Server 2008 R2.<br /></p>

<p><strong>Praetorian&#8217;s Recommendation:</strong> A user must already be logged on with valid credentials to exploit this vulnerability; a remote or anonymous exploit is not possible. This update can be included as part of your regular patch cycle and is not critical for immediate action.</p>

<hr />

<p><strong>ID:</strong> MS10-005<br />
<strong>Title:</strong> Vulnerability in Microsoft Paint Could Allow Remote Code Execution<br />
<strong>Microsoft Severity:</strong> Moderate<br /></p>

<p><strong>Summary:</strong> This update addresses a vulnerability in Microsoft Paint which can lead to remote code execution when a specially crafted JPEG is opened. Windows 2000, Windows XP, and Windows Server 2003 are affected.<br /></p>

<p><strong>Praetorian&#8217;s Recommendation:</strong> By default, Windows opens JPEG files in Windows Picture and Fax Viewer, not Paint, so an attacker would need to convince the user to open the malicious JPEG in Microsoft Paint specifically; that extra step is why the rating is Moderate.<br /></p>

<hr />

<p><strong>Related Posts:</strong></p>
<ul>
<li><a href="http://praetorianprefect.com/archives/2010/03/3473/">March&#8217;s Patch Tuesday</a></li>
</ul><br />
]]></content:encoded>
			<wfw:commentRss>http://praetorianprefect.com/archives/2010/02/februarys-patch-tuesday/feed/</wfw:commentRss>
		<slash:comments>3</slash:comments>
		</item>
		<item>
		<title>Microsoft Posts Advanced Notification for Out of Band Patch</title>
		<link>http://praetorianprefect.com/archives/2010/01/microsoft-posts-advanced-notification-for-out-of-band-patch/</link>
		<comments>http://praetorianprefect.com/archives/2010/01/microsoft-posts-advanced-notification-for-out-of-band-patch/#comments</comments>
		<pubDate>Thu, 21 Jan 2010 00:31:43 +0000</pubDate>
		<dc:creator>Simon Price</dc:creator>
				<category><![CDATA[Asides]]></category>

		<guid isPermaLink="false">http://praetorianprefect.com/?p=3145</guid>
		<description><![CDATA[Microsoft has published the advanced notification for an unscheduled patch update release to occur tomorrow, outside of the normal patch Tuesday cycle. The update is for an Internet Explorer vulnerability reported to be a vector for the Aurora exploit which was used to attack Google and several other companies. The last time Microsoft released an [...]]]></description>
			<content:encoded><![CDATA[<p>Microsoft has published the <a href="http://blogs.technet.com/msrc/archive/2010/01/20/advance-notification-for-out-of-band-bulletin-release.aspx">advanced notification</a> for an unscheduled patch update release to occur tomorrow, outside of the normal patch Tuesday cycle. The update is for an Internet Explorer vulnerability reported to be a vector for <a href="http://praetorianprefect.com/archives/2010/01/the-aurora-ie-exploit-in-action/">the Aurora exploit</a> which was used to attack Google and several other companies. The last time Microsoft released an out of band patch was in July of 2009, when <a href="http://blogs.technet.com/msrc/archive/2009/07/24/advance-notification-for-july-2009-out-of-band-releases.aspx">an update for Internet Explorer and a related Visual Studio update</a> were released.</p>

<p><strong>Related Posts:</strong></p>
<ul>
<li><a href="http://praetorianprefect.com/archives/2010/03/microsoft-ie-6-7-zero-day-aside/">Microsoft IE 6 &#038; 7 Zero-day (Aside)</a></li>
<li><a href="http://praetorianprefect.com/archives/2010/01/smb-bug-wont-be-patched-in-january/">SMB Bug won&#8217;t be patched in January</a></li>
<li><a href="http://praetorianprefect.com/archives/2009/11/taxonomy-of-forensics-geeks/">Taxonomy of Forensics Geeks</a></li>
<li><a href="http://praetorianprefect.com/archives/2009/11/1566/">What DNS is not</a></li>
<li><a href="http://praetorianprefect.com/archives/2009/10/replace-watch-swf-with-warp-swf-on-youtube/">Replace watch.swf with warp.swf on YouTube</a></li>
</ul><br />
]]></content:encoded>
			<wfw:commentRss>http://praetorianprefect.com/archives/2010/01/microsoft-posts-advanced-notification-for-out-of-band-patch/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Using Group Policy to Disable JavaScript in Adobe PDF Files</title>
		<link>http://praetorianprefect.com/archives/2010/01/disable-acrobat-reader-pdf-in-the-enterprise/</link>
		<comments>http://praetorianprefect.com/archives/2010/01/disable-acrobat-reader-pdf-in-the-enterprise/#comments</comments>
		<pubDate>Thu, 14 Jan 2010 03:37:42 +0000</pubDate>
		<dc:creator>Simon Price</dc:creator>
				<category><![CDATA[windows]]></category>
		<category><![CDATA[adobe]]></category>
		<category><![CDATA[pdf]]></category>
		<category><![CDATA[tutorial]]></category>

		<guid isPermaLink="false">http://praetorianprefect.com/?p=2856</guid>
		<description><![CDATA[We have previously <a href="http://praetorianprefect.com/archives/2009/12/disabling-javascript-on-adobe-acrobat/">posted instructions</a> for users to disable JavaScript, giving them the option to enable it only when necessary. However, if you have made the decision to make this change across your enterprise or to a specific user base, this manual process is not practical. Therefore, a Group Policy Object is best to handle the task at hand.]]></description>
			<content:encoded><![CDATA[<p><a href="http://praetorianprefect.com/wp-content/uploads/2010/01/adobelq.png"><img src="http://praetorianprefect.com/wp-content/uploads/2010/01/adobelq.png" alt="adobelq" title="adobelq" width="43" height="72" class="alignleft size-full wp-image-3000" /></a></p>

<p>Adobe’s implementation of JavaScript in PDF documents, referred to as <a href="http://www.adobe.com/devnet/acrobat/pdfs/Acro6JSGuide.pdf">Acrobat JavaScript</a>, appears to have been introduced on the back of the popularity of PDF eForms. JavaScript allows for dynamic behavior in PDFs, including calculations, responses to user actions, user data validation, and the integration of other dynamic capabilities; it is also the feature the PDF exploits of the day lean on for heap spraying, which is why disabling it is worthwhile.</p>

<p>We have previously <a href="http://praetorianprefect.com/archives/2009/12/disabling-javascript-on-adobe-acrobat/">posted instructions</a> for users to disable JavaScript, giving them the option to enable it only when necessary. However, if you have made the decision to make this change across your enterprise or to a specific user base, this manual process is not practical. Therefore, a Group Policy Object is best to handle the task at hand.</p>

<p>The following is a custom ADM file that exposes the four JavaScript preferences of Reader 8 and 9 as checkboxes:</p>

<pre><code>CLASS USER

; CLASS USER writes to HKCU. The KEYNAME paths below are Reader's own
; preference keys rather than a Policies key, so these settings tattoo
; the registry and persist after the GPO is unlinked.
CATEGORY "Adobe Reader"
     POLICY "Version 8.0 JavaScript Settings"
        KEYNAME "SOFTWARE\Adobe\Acrobat Reader\8.0\JSPrefs" 
        ; bEnableJS is the master switch: leave it unchecked to disable JavaScript
        PART "Enable JavaScript"
            CHECKBOX
            VALUENAME "bEnableJS"
            VALUEON NUMERIC 1
            VALUEOFF NUMERIC 0
        END PART
        PART "Enable menu items JavaScript execution privileges" 
            CHECKBOX
            VALUENAME "bEnableMenuItems"
            VALUEON NUMERIC 1
            VALUEOFF NUMERIC 0
        END PART
        ; Checked (1) is the restrictive state here: it stops scripts from
        ; reaching global objects across documents
        PART "Enable global object security policy"
            CHECKBOX
            VALUENAME "bEnableGlobalSecurity"
            VALUEON NUMERIC 1
            VALUEOFF NUMERIC 0
        END PART
        PART "Debugger: Show console on errors and messages"
            CHECKBOX
            VALUENAME "bConsoleOpen"
            VALUEON NUMERIC 1
            VALUEOFF NUMERIC 0
        END PART
    END POLICY
    POLICY "Version 9.0 JavaScript Settings"
        KEYNAME "SOFTWARE\Adobe\Acrobat Reader\9.0\JSPrefs" 
        PART "Enable JavaScript"
            CHECKBOX
            VALUENAME "bEnableJS"
            VALUEON NUMERIC 1
            VALUEOFF NUMERIC 0
        END PART
        PART "Enable menu items JavaScript execution privileges" 
            CHECKBOX
            VALUENAME "bEnableMenuItems"
            VALUEON NUMERIC 1
            VALUEOFF NUMERIC 0
        END PART
        PART "Enable global object security policy"
            CHECKBOX
            VALUENAME "bEnableGlobalSecurity"
            VALUEON NUMERIC 1
            VALUEOFF NUMERIC 0
        END PART
        PART "Debugger: Show console on errors and messages"
            CHECKBOX
            VALUENAME "bConsoleOpen"
            VALUEON NUMERIC 1
            VALUEOFF NUMERIC 0
        END PART
    END POLICY
END CATEGORY
</code></pre>

<p>Note: if you use the newer ADMX/ADML format for custom Group Policy, you can implement these settings that way as well. The ADMX syntax guide is <a href="http://www.microsoft.com/downloads/en/confirmation.aspx?familyId=b0628355-baa2-4565-80a4-467245db9e28&amp;displayLang=en">here</a>.</p>

<p>Save the custom ADM file where your GPO editor can browse to it. Under Administrative Templates (the Add/Remove Templates dialog is the same from the Computer or User Configuration node; because the template says CLASS USER, its settings appear under User Configuration), right-click and select Add/Remove Templates. Once you add the template, if you are using XP/2003 you&#8217;ll have to ensure your filtering is set up to show &#8220;unmanaged&#8221; policies, which are custom ADM entries that write outside the Policies keys and therefore tattoo the registry. Under filtering, in your GPO editor, uncheck the option as shown:</p>

<div id="attachment_374" class="wp-caption alignnone" style="width: 393px"><a href="http://praetorianprefect.com/wp-content/uploads/2009/07/gpedit23.jpg"><img src="http://praetorianprefect.com/wp-content/uploads/2009/07/gpedit23.jpg" alt="gpedit" title="gpedit23" width="383" height="370" class="size-full wp-image-374" /></a><p class="wp-caption-text">gpedit</p></div>

<p>Once the ADM is added, and the filter option is cleared, you will see the configuration entries for Adobe Reader. Note in the figure there are settings for both versions 8 and 9. I had to separate these since the registry locations differ based on versions, but you can edit the ADM file to just have the version you are using.</p>

<div id="attachment_2858" class="wp-caption aligncenter" style="width: 485px"><a href="http://praetorianprefect.com/wp-content/uploads/2010/01/ScreenHunter_03-Jan.-07-18.44.gif"><img src="http://praetorianprefect.com/wp-content/uploads/2010/01/ScreenHunter_03-Jan.-07-18.44.gif" alt="Adobe Settings in GPO" title="ScreenHunter_03 Jan. 07 18.44" width="550"  class="size-full wp-image-2858" /></a><p class="wp-caption-text">Adobe Settings in GPO</p></div>

<p>When configuring the GPO setting, you have four checkboxes, mirroring the JavaScript settings in the Adobe Reader preferences pane. Here you would leave &#8220;Enable global object security policy&#8221; checked (it is a restriction, so enabled is the safe state) and clear the other three, the first of which is JavaScript itself.</p>

<div id="attachment_2866" class="wp-caption aligncenter" style="width: 310px"><a href="http://praetorianprefect.com/wp-content/uploads/2010/01/ScreenHunter_05-Jan.-07-18.55.gif"><img src="http://praetorianprefect.com/wp-content/uploads/2010/01/ScreenHunter_05-Jan.-07-18.55-300x275.gif" alt="Detailed settings" title="ScreenHunter_05 Jan. 07 18.55" width="300" height="275" class="size-medium wp-image-2866" /></a><p class="wp-caption-text">Detailed settings</p></div>

<p>With the GPO settings configured, link it to an organizational unit (OU), a site, or a domain to deploy it. Remember that it is a user-side GPO (CLASS USER): it applies to the user objects under the container it is linked to, not to computers, so link it where those users live, or use loopback processing if it must follow specific machines.</p>
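<p>As an added example (not part of the original post), here is a check that the policy actually landed. It assumes PowerShell 2.0 or later, run in the target user&#8217;s session after gpupdate /force and a fresh logon, because the ADM writes to HKCU; the expected values are the ones chosen above: JavaScript, menu-item JavaScript and the console off, global object security policy on.</p>

```powershell
# Added example, not from the original post. Run as the user whose policy you
# are checking: the ADM is CLASS USER, so the values live under HKCU.
function Test-AdobeReaderJsPrefs {
    param([string[]]$Versions = @('8.0', '9.0'))
    # Intended state from the post: JavaScript off, menu-item JS off, console
    # off, global object security policy on (1 is the restrictive setting)
    $expected = @{
        bEnableJS             = 0
        bEnableMenuItems      = 0
        bConsoleOpen          = 0
        bEnableGlobalSecurity = 1
    }
    $report = @()
    foreach ($v in $Versions) {
        $key = "HKCU:\SOFTWARE\Adobe\Acrobat Reader\$v\JSPrefs"
        if (-not (Test-Path $key)) {
            # Reader of that version never ran for this user, or the policy never applied
            $report += New-Object PSObject -Property @{
                Version = $v; Setting = '(JSPrefs key)'; Expected = 'present'; Actual = 'missing'; Compliant = $false
            }
            continue
        }
        $props = Get-ItemProperty -Path $key
        foreach ($name in $expected.Keys) {
            $actual = $props.$name
            # A missing value means Reader's built-in default applies, which for
            # bEnableJS is "enabled", so absent counts as non-compliant
            $ok = ($actual -ne $null) -and ([int]$actual -eq $expected[$name])
            $report += New-Object PSObject -Property @{
                Version = $v; Setting = $name; Expected = $expected[$name]; Actual = $actual; Compliant = $ok
            }
        }
    }
    return $report
}

Test-AdobeReaderJsPrefs |
    Sort-Object Version, Setting |
    Format-Table Version, Setting, Expected, Actual, Compliant -AutoSize
```

<p>Because the template writes to Reader&#8217;s own keys rather than a Policies key, the values are tattooed: unlinking the GPO does not re-enable JavaScript, and a user can flip the settings back in Reader&#8217;s preferences dialog. Group Policy only rewrites them when the GPO version changes unless you enable &#8220;Process even if the Group Policy objects have not changed&#8221; for registry policy processing, so either turn that on or audit periodically with a check like this one.</p>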

<p><strong>Related Posts:</strong></p>
<ul>
<li><a href="http://praetorianprefect.com/archives/2010/03/3473/">March&#8217;s Patch Tuesday</a></li>
<li><a href="http://praetorianprefect.com/archives/2010/03/press-f1-for-help-pwned/">Press F1 for Help, pwned.</a></li>
<li><a href="http://praetorianprefect.com/archives/2009/12/regular-or-decaf-tool-launched-to-combat-cofee/">Regular or Decaf? Tool launched to combat COFEE</a></li>
<li><a href="http://praetorianprefect.com/archives/2009/12/six-bulletins-in-last-patch-tuesday-of-2009/">Six Bulletins in Last Patch Tuesday of 2009</a></li>
<li><a href="http://praetorianprefect.com/archives/2009/11/how-to-crash-windows-7-and-server-2008/">Remote SMB Exploit: Crashing Windows 7 and Server 2008</a></li>
</ul><br />
]]></content:encoded>
			<wfw:commentRss>http://praetorianprefect.com/archives/2010/01/disable-acrobat-reader-pdf-in-the-enterprise/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>First Patch Tuesday of 2010</title>
		<link>http://praetorianprefect.com/archives/2010/01/first-patch-tuesday-of-2010/</link>
		<comments>http://praetorianprefect.com/archives/2010/01/first-patch-tuesday-of-2010/#comments</comments>
		<pubDate>Tue, 12 Jan 2010 23:08:10 +0000</pubDate>
		<dc:creator>Simon Price</dc:creator>
				<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">http://praetorianprefect.com/?p=2947</guid>
		<description><![CDATA[We begin a new year and arrive at the first patch Tuesday of the decade. The news and spread of malware related to Adobe Reader continues to gain momentum and the information security community believes that this year will produce more exploits using Reader. I will include both the Microsoft and Adobe updates in these [...]]]></description>
			<content:encoded><![CDATA[<p><a href="http://praetorianprefect.com/wp-content/uploads/2009/12/image_31_3_thumb1.png"><img src="http://praetorianprefect.com/wp-content/uploads/2009/12/image_31_3_thumb1.png" alt="image_31_3_thumb.png" title="image_31_3_thumb.png" width="93" height="109" class="alignleft size-full wp-image-2093" /></a>We begin a new year and arrive at the first patch Tuesday of the decade. The news and spread of malware related to Adobe Reader continues to gain momentum and the information security community believes that this year will produce more exploits using Reader. I will include both the Microsoft and Adobe updates in these patch Tuesday posts, along with the severity level I feel they deserve based on the details.</p>

<h3>Severity Levels</h3>

<p>Microsoft has a rating system for bulletins which includes: Critical, Important, Moderate, and Low; Adobe follows the same rating scale. The severity levels I provide differ from Microsoft&#8217;s in that I assess real-world scenarios. For example, MS will give an Important rating when exploitation could result in a compromise of availability, as in a denial of service. MS09-069 can result in a denial of service; however, the attacker must already be authenticated. For this reason I drop the severity to Low.</p>

<h3>Microsoft Updates</h3>

<p><img src="http://praetorianprefect.com/wp-content/uploads/2010/01/ScreenHunter_08-Jan.-12-17.59.gif" alt="ScreenHunter_08 Jan. 12 17.59" title="ScreenHunter_08 Jan. 12 17.59" width="45" height="42" class="alignright size-full wp-image-2976" />A quiet patch Tuesday for Microsoft: only one bulletin exists for this month, and it is marked Critical only for the Windows 2000 operating system, whose support is due to expire in July of this year.</p>

<hr />

<p><strong>Bulletin:</strong> <a href="http://www.microsoft.com/technet/security/bulletin/MS10-001.mspx">MS10-001</a> &#8211; Vulnerability in the Embedded OpenType Font Engine Could Allow Remote Code Execution (972270)
<strong>Recommended Action:</strong> Update Windows 2000 SP4.</p>

<p><strong>My Severity Rating:</strong> Critical for Windows 2000, Low for Windows XP, Server 2003, Windows Vista, Server 2008 and Windows 7.</p>

<p><strong>Information:</strong> An issue exists in the way that the Microsoft Windows Embedded OpenType (EOT) Font Engine decompresses specially crafted EOT fonts. An attacker can send a malicious Word or PowerPoint document containing a specially crafted EOT font; if the victim opens it, the attacker can gain remote code execution.</p>

<hr />

<h4>Note:</h4>

<p>Microsoft announced in a blog post that the <a href="http://praetorianprefect.com/archives/2009/11/how-to-crash-windows-7-and-server-2008/">SMB bug which can crash Windows 7 and Server 2008 R2</a> will not be patched in January&#8217;s patch Tuesday. We have shown how this bug can cause a severe halt to the OS; however, Microsoft stated that they &#8220;are not aware of any active attacks using the exploit code&#8221; and are still working on an update.</p>

<hr />

<h3>Adobe Updates</h3>

<p><a href="http://praetorianprefect.com/wp-content/uploads/2009/12/adobelq1.png"><img src="http://praetorianprefect.com/wp-content/uploads/2009/12/adobelq1.png" alt="adobelq" title="adobelq" width="43" height="72" class="alignright size-full wp-image-2846" /></a>Another busy month for Adobe. We&#8217;ve seen various malware circulating on the internet using the vulnerabilities found in the util.printd, util.printf, Collab.getIcon and Collab.collectEmailInfo functions. Today, an update is to be released patching the vulnerability in the Doc.media.newPlayer method in Adobe Reader, which was exploited in December.</p>

<hr />

<p><strong>Bulletin:</strong> <a href="http://www.adobe.com/support/security/bulletins/apsb10-02.html">APSB10-02</a> &#8211; Vulnerability in the Doc.media.newPlayer method in Adobe Reader 9.2 and Acrobat 9.2, and Adobe Reader 8.1.7 and Acrobat 8.1.7</p>

<p><strong>Recommended Action:</strong> PDFs are currently a popular vector for spreading malware and trojan downloaders. The recommended action is to update as soon as possible.</p>

<p><strong>My Severity Rating:</strong> Critical.</p>

<p><strong>Information:</strong> The update addresses the following issues:</p>

<ul>
<li><p>An unspecified memory corruption error in the Doc.media.newPlayer method can allow a remote attacker to execute arbitrary code on the system. <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4324">CVE-2009-4324</a></p></li>
<li><p>An array boundary issue in U3D support that could lead to code execution.</p></li>
<li><p>A DLL-loading vulnerability in 3D that could allow arbitrary code execution.</p></li>
<li><p>A memory corruption vulnerability that could lead to code execution.</p></li>
<li><p>A script injection vulnerability, addressed by changing the Enhanced Security default.</p></li>
<li><p>A null-pointer dereference vulnerability that could lead to denial of service.</p></li>
<li><p>A buffer overflow vulnerability in the Download Manager that could lead to code execution.</p></li>
<li><p>An integer overflow vulnerability in U3D support that could lead to code execution.</p></li>
</ul>

<hr />

]]></content:encoded>
			<wfw:commentRss>http://praetorianprefect.com/archives/2010/01/first-patch-tuesday-of-2010/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>SMB Bug won&#8217;t be patched in January</title>
		<link>http://praetorianprefect.com/archives/2010/01/smb-bug-wont-be-patched-in-january/</link>
		<comments>http://praetorianprefect.com/archives/2010/01/smb-bug-wont-be-patched-in-january/#comments</comments>
		<pubDate>Fri, 08 Jan 2010 18:07:44 +0000</pubDate>
		<dc:creator>Simon Price</dc:creator>
				<category><![CDATA[Asides]]></category>

		<guid isPermaLink="false">http://praetorianprefect.com/?p=2910</guid>
		<description><![CDATA[Microsoft announced in a blog post that the SMB bug which can crash Windows 7 and Server 2008 R2 will not be patched in January&#8217;s patch Tuesday. We have shown how this bug can cause a severe halt to the OS; however, Microsoft stated that they &#8220;are not aware of any active attacks using the [...]]]></description>
			<content:encoded><![CDATA[<p>Microsoft announced in <a href="http://blogs.technet.com/msrc/archive/2010/01/07/january-2010-bulletin-release-advance-notification.aspx">a blog post</a> that the SMB bug which can crash Windows 7 and Server 2008 R2 will not be patched in January&#8217;s patch Tuesday. We <a href="http://praetorianprefect.com/archives/2009/11/how-to-crash-windows-7-and-server-2008/">have shown</a> how this bug can cause a severe halt to the OS; however, Microsoft stated that they &#8220;are not aware of any active attacks using the exploit code&#8221; and are still working on an update.</p>

]]></content:encoded>
			<wfw:commentRss>http://praetorianprefect.com/archives/2010/01/smb-bug-wont-be-patched-in-january/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Adobe util.printd Zero Day</title>
		<link>http://praetorianprefect.com/archives/2009/12/adobe-util-printd-zero-day/</link>
		<comments>http://praetorianprefect.com/archives/2009/12/adobe-util-printd-zero-day/#comments</comments>
		<pubDate>Wed, 16 Dec 2009 21:02:21 +0000</pubDate>
		<dc:creator>Simon Price</dc:creator>
				<category><![CDATA[Vulnerability]]></category>
		<category><![CDATA[adobe]]></category>
		<category><![CDATA[zero-day]]></category>

		<guid isPermaLink="false">http://praetorianprefect.com/?p=2427</guid>
		<description><![CDATA[A critical vulnerability was discovered early this week in Adobe Reader and Acrobat versions 9.2 and earlier which could allow attackers to gain control of the affected system, not even a week after Adobe <a href="http://praetorianprefect.com/archives/2009/12/six-bulletins-in-last-patch-tuesday-of-2009/">released a critical update</a> for its Flash Player on patch Tuesday last week. The attack uses a weakness in a function called util.printd along with a heap spray implemented with Javascript to attempt to inject shell code.]]></description>
			<content:encoded><![CDATA[<p><a href="http://praetorianprefect.com/wp-content/uploads/2009/12/adobelq.png"><img src="http://praetorianprefect.com/wp-content/uploads/2009/12/adobelq.png" alt="adobelq.png" title="adobelq.png" width="43" height="72" class="alignleft size-full wp-image-2086" /></a>
A critical vulnerability was discovered early this week in Adobe Reader and Acrobat versions 9.2 and earlier which could allow attackers to gain control of the affected system, not even a week after Adobe <a href="http://praetorianprefect.com/archives/2009/12/six-bulletins-in-last-patch-tuesday-of-2009/">released a critical update</a> for its Flash Player on patch Tuesday last week. The attack uses a weakness in a function called util.printd along with a heap spray implemented in JavaScript to attempt to inject shellcode.</p>

<p>Adobe published <a href="http://www.adobe.com/support/security/advisories/apsa09-07.html">an advisory</a> yesterday confirming the vulnerability and plans to make an update available by January 12, 2010 to resolve the issue. In the meantime, a mitigation step is available by disabling JavaScript in Adobe Reader and Acrobat. For users with Microsoft DEP (Data Execution Prevention) enabled, the exploit is reduced to a denial of service attack.</p>

<p>Some <a href="http://research.zscaler.com/2009/12/new-zero-day-adobe-acrobat-reader.html">detailed analysis</a> of a malicious PDF reveals the JavaScript and shows that a function called <code>util.printd</code> leads to a memory corruption issue. This <a href="http://livedocs.adobe.com/acrobat_sdk/9/Acrobat9_HTMLHelp/wwhelp/wwhimpl/common/html/wwhelp.htm?context=Acrobat9_HTMLHelp&amp;file=JS_API_AcroJS.88.1212.html">function</a> is supposed to return a date using a specified format and takes two parameters (plus a third optional parameter not typically used). The first parameter is the format of the date and time (0 for PDF, 1 for Universal, or 2 for Localized string). The second parameter is the date object to be formatted. The code shows the first parameter contains a <code>@</code> followed by a series of numbers instead of the expected input.</p>

<div id="attachment_2463" class="wp-caption alignnone" style="width: 669px"><a href="http://praetorianprefect.com/wp-content/uploads/2009/12/adobe_utildate1.jpg"><img src="http://praetorianprefect.com/wp-content/uploads/2009/12/adobe_utildate1.jpg" alt="JS heap spray and vulnerable function call." title="adobe_utildate" width="659" height="357" class="size-full wp-image-2463" /></a><p class="wp-caption-text">JS heap spray and vulnerable function call.</p></div>

<h3>Email Phishing, Malicious PDFs, and Metasploit</h3>

<p>A Metasploit exploit module has been released taking advantage of this vulnerability. The integration into Metasploit can accelerate the spread of exploits for this vulnerability in the wild. A video demonstration utilizing this module can be seen <a href="http://www.offensive-security.com/videos/adobe-0day/index.html">here</a>.</p>

<p>Examples of the phishing emails along with examples of the malicious PDF files can be found on the Contagio malware dump site <a href="http://contagiodump.blogspot.com/2009/12/this-message-shows-that-adobe-zero-day.html">here</a> and <a href="http://contagiodump.blogspot.com/2009/12/zero-day-pdf-attack-of-day-2-interview.html">here</a>. The following two emails are examples of the phishing methods used to get users to open the malicious PDF files:</p>

<p><em><strong>Email One:</strong></em></p>

<pre><code>[mailto:chrisanderson58@hotmail.com]
Sent: 2009-11-30 1:56 AM
To: XXX@XXX.XXX
Subject: FW: reference
----
From: jackr@gilbrooks.edu
To: chrisanderson58@hotmail.com
Subject: reference
Date: Mon, 30 Nov 2009 06:53:52 +0000


Dear All
Please find attached the updated country briefing notes, and staff lists.


Kind regards
Jack
</code></pre>

<p><em><strong>Email Two:</strong></em></p>

<pre><code>[mailto:fureer.angelica@gmail.com]
Sent: 2009-12-13 12:14 AM
To: XXXXXX
Subject: Interview Request


This is Fureer Angelica, diplomaic broadcaster for CNN in DC.
There's growing concern about the U.S.-North Korea bilateral talks.
So, we're planning an Interview about them.
Attached is the outline of the interview.


p.s. Detailed schedules will be followed soon if you accept the offer.
</code></pre>

<h3>Workarounds (<em>from a previous post</em>)</h3>

<h4>Disabling Javascript on Adobe Acrobat</h4>

<p>Adobe notes that disabling JavaScript mitigates the specific exploit identified, although it would be possible to create a variant that does not rely on JavaScript. To disable JavaScript in Adobe Reader or Acrobat, select Edit &gt; Preferences, select the JavaScript option on the left, and uncheck the <i>Enable Acrobat JavaScript</i> option as shown.</p>

<div id="attachment_916" class="wp-caption alignnone" style="width: 650px"><a href="http://praetorianprefect.com/wp-content/uploads/2009/10/AcrobatPreferences.png"><img src="http://praetorianprefect.com/wp-content/uploads/2009/10/AcrobatPreferences.png" alt="Uncheck to disable Acrobat JavaScript" title="AcrobatPreferences" width="640" height="424" class="size-full wp-image-916" /></a><p class="wp-caption-text">Uncheck to disable Acrobat JavaScript</p></div>

<h4>Data Execution Prevention</h4>

<p>Also, for users with DEP enabled on Windows Vista or Windows 7, the exploit is reduced from remote code execution to denial of service. Data Execution Prevention (DEP) performs additional checks on memory to help prevent malicious code from running, and is designed to prevent buffer overflow attacks. To enable DEP on Windows for all or individual programs, proceed to Control Panel -> System and Maintenance -> System, click on Advanced System Settings, under Performance click Settings, and finally under the Data Execution Prevention tab click <i>Turn on DEP for all programs and services except those I select</i>. If you cannot find Acrobat in the list of programs, click Add, browse to the Acrobat executable (.exe) file and click Open. For more information on DEP settings, visit the <a href="http://windows.microsoft.com/en-us/windows-vista/Change-Data-Execution-Prevention-settings">Microsoft help page</a>.</p>

<h3>References</h3>

<ul>
<li><a href="http://blogs.adobe.com/psirt/2009/12/new_adobe_reader_and_acrobat_v.html">Adobe PSIRT: New Adobe Reader and Acrobat Vulnerability</a></li>
<li><a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4324">CVE-2009-4324</a></li>
<li><a href="http://research.zscaler.com/2009/12/new-zero-day-adobe-acrobat-reader.html">New Zero day Adobe Acrobat Reader vulnerability analysis</a></li>
</ul>

]]></content:encoded>
			<wfw:commentRss>http://praetorianprefect.com/archives/2009/12/adobe-util-printd-zero-day/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>Forensics: Beverages Aside, A Look at Incident Response Tools</title>
		<link>http://praetorianprefect.com/archives/2009/12/forensics-beverages-aside-a-look-at-incident-response-tools/</link>
		<comments>http://praetorianprefect.com/archives/2009/12/forensics-beverages-aside-a-look-at-incident-response-tools/#comments</comments>
		<pubDate>Wed, 16 Dec 2009 00:57:57 +0000</pubDate>
		<dc:creator>Simon Price</dc:creator>
				<category><![CDATA[Featured]]></category>
		<category><![CDATA[Forensics]]></category>
		<category><![CDATA[cofee]]></category>
		<category><![CDATA[decaf]]></category>
		<category><![CDATA[FTK]]></category>

		<guid isPermaLink="false">http://praetorianprefect.com/?p=2333</guid>
		<description><![CDATA[In November, Microsoft's forensics tool called COFEE (Computer Online Forensic Evidence Extractor) was leaked on torrents for download. The news coverage was <a href="http://praetorianprefect.com/archives/2009/11/more-cofee-please-on-second-thought/">much hype about nothing</a>, as many free tools already out there exceed COFEE in features and functionality.]]></description>
			<content:encoded><![CDATA[<h3>There Was COFEE</h3>

<p><a href="http://praetorianprefect.com/wp-content/uploads/2009/12/cofee_pod.gif"><img src="http://praetorianprefect.com/wp-content/uploads/2009/12/cofee_pod-191x300.gif" alt="cofee_pod" title="cofee_pod" width="85" height="150" class="alignright size-medium wp-image-2336" /></a>
In November, Microsoft&#8217;s forensics tool called COFEE (Computer Online Forensic Evidence Extractor) was leaked on torrents for download. The news coverage was <a href="http://praetorianprefect.com/archives/2009/11/more-cofee-please-on-second-thought/">much hype about nothing</a>, as many free tools already out there exceed COFEE in features and functionality. However, that did not stop statements such as &#8220;now that COFEE has leaked, hackers can reverse engineer it to see what it does.&#8221; Well, I can save them the time and tell them it launches OS commands and Sysinternals tools to collect information, using a simple method that law enforcement can easily launch from a thumb drive. &lt;end rant&gt; I also hesitate to call it Microsoft&#8217;s tool, as I believe more of its development comes from The National White Collar Crime Center (NW3C.org) than from Microsoft. OK, let&#8217;s move on to DECAF.</p>

<h3>Then There Was DECAF</h3>

<p><a href="http://praetorianprefect.com/wp-content/uploads/2009/12/brushed.png"><img src="http://praetorianprefect.com/wp-content/uploads/2009/12/brushed-150x150.png" alt="brushed" title="brushed" width="75" height="75" class="alignleft size-thumbnail wp-image-2339" /></a>
Just recently, with the COFEE hype behind us, a tool <a href="http://praetorianprefect.com/archives/2009/12/regular-or-decaf-tool-launched-to-combat-cofee/">called Decaf was released</a> to combat the use of COFEE. It is a VB.NET application that detects the use of COFEE and then reacts in ways configurable by the user, such as shutting down the system, clearing event logs, or disabling the network, USB, CD-ROM, and more. The authors of Decaf shared my distaste for COFEE and its hype, and though the press labelled them hackers, they informed me that they are developers who have a passion for security, forensics, privacy, and the free flow of information online.</p>

<h3>Let&#8217;s Talk Tools</h3>

<p>I want to put aside the media hoopla of COFEE and DECAF and discuss some great forensic analysis tools out there that are worth knowing. I will try to focus on volatile data collection (grabbing important information from a live, running system), but many of the tools mentioned can be used in offline analysis as well. If you are familiar with digital forensics, you have most likely used these tools in many cases, and if you are new to this area I hope this provides some groundwork for you to try some of these tools out.</p>

<h4>The List</h4>

<p>Before getting into it, I want to share <a href="http://praetorianprefect.com/wp-content/uploads/2009/12/tools.zip">this Excel spreadsheet</a>, which contains a good number of tools that can be used in the forensic analysis process. Any prices listed have either been found online or are estimates from VARs, but please check with the specific vendors for exact pricing. The tools discussed throughout the article are in this spreadsheet along with links to their respective websites. Also note that this is Windows-focused and by no means a complete list, but I feel it&#8217;s a good start for anyone interested in forensic analysis.</p>

<blockquote>
  <p>Don&#8217;t use a Sledgehammer to Hang a Picture &#8211; Use this <a href="http://praetorianprefect.com/wp-content/uploads/2009/12/tools.zip">comprehensive list of tools</a> for reference</p>
</blockquote>

<p>One last note before discussing the tools: it is important to know your situation and choose the right tool for the task at hand. You may grab the <a href="https://www.e-fense.com/store/index.php?_a=viewProd&amp;productId=11">Helix CD</a>, test it, and become so familiar with it that it becomes your tool of choice; but know that it may not be suitable for all situations. You should have as many options as possible and be familiar with everything that is available so you can be prepared with the right instruments. For instance, inserting the Helix CD may autorun the GUI menu system, and clicking through the menus to run acquisition tools generates many changes to the contents of memory, whereas a method that immediately runs a memory acquisition tool would have less of an impact.</p>

<h3>Frameworks</h3>

<p>Let&#8217;s start by talking about what I refer to as forensics frameworks. These are programs or scripts that wrap the commands used to collect data. They organize a collection of common tools, handle the output of the tools, verify the tools are trusted, and provide some basic reporting. The Helix collection from e-fense includes several frameworks to choose from, including The Incident Response Collection Report (IRCR) by John McLeod, <a href="http://www.foolmoon.net/security/wft/">Windows Forensics Toolchest</a> (WFT) by Foolmoon Software and more. Another popular framework is by Harlan Carvey, author of Windows Forensic Analysis (Syngress Publishing) and the <a href="http://windowsir.blogspot.com/">Windows IR blog</a>, called the Forensic Server Project (FSP), which uses a client (FRUC) that runs the collection of tools and sends the output to a listening server (FSU).</p>

<p>I&#8217;ve also written a framework that collates various features from the tool sets mentioned above and includes some of my own ideas. The common theme in these, as in COFEE, is that they collect data using a suite of tools including commands available with the OS (such as netstat, net, systeminfo), Sysinternals utilities (such as pslist, listdlls, handle), and well-known freely available utilities (such as fport, autorunsc, pmdump, etc).</p>

<h3>Dealing with Memory</h3>

<p><a href="http://praetorianprefect.com/wp-content/uploads/2009/12/compfor.jpg"><img src="http://praetorianprefect.com/wp-content/uploads/2009/12/compfor-150x150.jpg" alt="compfor" title="compfor" width="110" height="110" class="alignright size-thumbnail wp-image-2362" /></a>
Any actions on a system generated by the operating system or the user constantly change the contents of memory. Thus, if the first thing you do on a live system is run tools, you will significantly modify the memory contents. A good detailed primer on physical memory analysis by Mariusz Burdach can be <a href="http://www.blackhat.com/presentations/bh-usa-06/BH-US-06-Burdach.pdf">found here</a>. It is also worth noting that hardware methods exist for collecting the contents of memory without interacting with the operating system. The tools I list in the spreadsheet for this purpose are software based, so their execution and the changes they make to memory will be in the image that is captured.</p>

<h4>Acquisition</h4>

<p>To acquire an image containing the contents of memory, start by looking at the following two tools: <a href="http://www.shakacon.org/talks/NFI-Shakacon-win32dd0.3.pdf">WinDD by Matthieu Suiche</a> and <a href="http://www.mantech.com/MSMA/mdd.asp">MDD by ManTech International</a>. Both provide a CLI tool that can be incorporated into your preferred framework which can be used to create an image of the contents of physical memory prior to running additional tools. WinDD will create a raw dump or a crash dump file which can be analyzed with standard debugging tools like WinDbg from Microsoft. A commercial tool with a nice price point from HBGary called FastDump Pro acquires memory and includes probing features for malware analysis. The folks at HBGary state that <a href="https://www.hbgary.com/products-services/memory-forensics/fastdump/">Fastdump</a> has a lighter footprint than other tools and acquires the contents of <em>all</em> physical memory (a community version is available which works on 32-bit systems only).</p>

<h4>Analysis</h4>

<p><a href="http://praetorianprefect.com/wp-content/uploads/2009/12/ScreenHunter_02-Dec.-15-19.54.gif"><img src="http://praetorianprefect.com/wp-content/uploads/2009/12/ScreenHunter_02-Dec.-15-19.54.gif" alt="ScreenHunter_02 Dec. 15 19.54" title="ScreenHunter_02 Dec. 15 19.54" width="107" height="106" class="alignleft size-full wp-image-2371" /></a>Memory analysis has come a long way since running &#8220;strings&#8221; against an image created from a memory dump. <a href="http://www.certconf.org/presentations/2006/files/RB3.pdf">This presentation</a> notes how strings can produce 50 to 80 megabytes of unusable text from a 512MB memory dump. One exciting project, founded by <a href="https://www.volatilesystems.com/default/management">Aaron Walters</a>, is The Volatility Framework, an amazing collection of tools written in Python and used for analyzing memory dumps. With it, you can extract very specific data from the memory dump files obtained using the tools mentioned earlier (MDD, WinDD, etc). The screenshot shows how Volatility pulls the process list from a memory dump called mal.dmp. Notice the last process on the list is actually MDD.</p>

<div id="attachment_2375" class="wp-caption alignright" style="width: 310px"><a href="http://praetorianprefect.com/wp-content/uploads/2009/12/ScreenHunter_03-Dec.-16-14.43.gif"><img src="http://praetorianprefect.com/wp-content/uploads/2009/12/ScreenHunter_03-Dec.-16-14.43-300x241.gif" alt="Volatility Example" title="ScreenHunter_03 Dec. 16 14.43" width="300" height="241" class="size-medium wp-image-2375" /></a><p class="wp-caption-text">Volatility Example</p></div>

<p>Volatility can extract the following information:</p>

<ul>
<li>Image date and time</li>
<li>Running processes</li>
<li>Open network sockets</li>
<li>Open network connections</li>
<li>DLLs loaded for each process</li>
<li>Open files for each process</li>
<li>Open registry handles for each process</li>
<li>A process&#8217; addressable memory</li>
<li>OS kernel modules</li>
<li>Mapping physical offsets to virtual addresses (strings to process)</li>
<li>Virtual Address Descriptor information</li>
<li>Scanning examples: processes, threads, sockets, connections, modules</li>
<li>Extract executables from memory samples</li>
</ul>

<p>The framework is open source, fully written in Python, and also modular through its use of plugins. <a href="http://mnin.blogspot.com/2009/12/new-and-updated-volatility-plug-ins.html">Michael Hale Ligh has produced some great plugins</a> including malfind2, which helps detect hidden/injected code in usermode processes. Here are some <a href="http://www.cc.gatech.edu/~brendan/volatility/">more plugins</a>, and <a href="http://jessekornblum.livejournal.com/246616.html">here is a plugin</a> that can help find TrueCrypt passphrases and suspicious processes.</p>

<h3>Registry</h3>

<p><a href="http://praetorianprefect.com/wp-content/uploads/2009/12/ScreenHunter_04-Dec.-16-15.58.gif"><img src="http://praetorianprefect.com/wp-content/uploads/2009/12/ScreenHunter_04-Dec.-16-15.58-150x150.gif" alt="ScreenHunter_04 Dec. 16 15.58" title="ScreenHunter_04 Dec. 16 15.58" width="75" height="75" class="alignleft size-thumbnail wp-image-2381" /></a>You wouldn&#8217;t spend time poking around in the registry during live analysis (many CLI tools, such as autorunsc.exe, will pull pertinent information automatically from the registry), but I wanted to include this section to talk about another great tool out there. This one is also by Harlan Carvey and is called <a href="http://regripper.net/">RegRipper</a>. RegRipper is intended for use against offline registry hive files to extract information from the registry that is helpful to your analysis. For example, you can extract data from the registry to determine USB disks previously used on the system or wireless networks joined. The examples are numerous, and the use of plugins to extract particular keys and values makes the tool very extensible. Harlan and many others have written various plugins for RegRipper.</p>

<h3>F-Response</h3>

<div id="attachment_2359" class="wp-caption alignleft" style="width: 74px"><a href="http://praetorianprefect.com/wp-content/uploads/2009/12/ScreenHunter_01-Dec.-15-17.37.gif"><img src="http://praetorianprefect.com/wp-content/uploads/2009/12/ScreenHunter_01-Dec.-15-17.37.gif" alt="F-Response" title="ScreenHunter_01 Dec. 15 17.37" width="64" height="58" class="size-full wp-image-2359" /></a><p class="wp-caption-text">F-Response</p></div>
<p>A tool that deserves a section of its own is F-Response, which comes in several flavors (Enterprise, Consultant, Field Kit, and Tactical Editions). In a nutshell, F-Response provides a client executable to be launched on the target machine, which is then connected to using Microsoft&#8217;s iSCSI Initiator, providing read-only access to physical drives across the network. On 32-bit Windows systems, physical memory can be captured as well. This is very beneficial in that you can run any tools which analyze data on the hard drive remotely and in read-only mode. <a href="http://forensicir.blogspot.com/2008/04/ripping-registry-live.html">This video</a> demonstrates how a target was inspected using F-Response and RegRipper.</p>

<h3>Disk Imaging</h3>

<p>There are many options for disk imaging, both live and offline. Here are some of the popular commercial suites:
<a href="http://praetorianprefect.com/wp-content/uploads/2009/12/Picture1.jpg"><img src="http://praetorianprefect.com/wp-content/uploads/2009/12/Picture1.jpg" alt="Picture1" title="Picture1" width="148" height="113" class="alignright size-full wp-image-2400" /></a></p>

<ul>
<li><a href="http://www.accessdata.com/forensictoolkit.html">FTK</a></li>
<li><a href="http://www.guidancesoftware.com/encase-portable.htm">EnCase</a></li>
<li><a href="http://www.techpathways.com/prodiscoverdft.htm">ProDiscover</a></li>
<li><a href="http://www.x-ways.net/forensics/">X-Ways Forensics</a></li>
<li>and more&#8230;</li>
</ul>

<p>Choose the platform that suits you, as each package has its benefits; however, I will go over a method that utilizes the freely available dd.exe together with netcat. Yes, this is free, but this option may not suit you in many situations, such as attempting to image large disks within a limited time frame.</p>

<p>You need a computer which will have netcat listening and retrieve the disk image. On this machine, run netcat with the following options:</p>

<p><code>nc.exe -l -p 8888 -w 5 &gt; diskimage.dd</code></p>

<p>The <code>-l</code> puts netcat in listen mode, <code>-p</code> specifies the port number (8888 in the example) and <code>-w</code> specifies the timeout for connects and final net reads. Be sure that if this host has a firewall enabled, the port you specify is open for incoming connections.</p>

<p>On the workstation which you are taking a disk image from, you need to have dd.exe and nc.exe, which can be stored on a CD (such as Helix) or a USB thumb drive for use. If you are imaging an entire disk, you need the physical drive number for the dd command. In this example, we are imaging the OS drive, which is physical drive 0, and sending to a listening netcat instance created in the previous step, which has an IP address of 192.168.100.25:</p>

<p><code>dd if=\\.\PHYSICALDRIVE0 conv=noerror bs=1024 | nc.exe 192.168.100.25 8888</code></p>

<p>The <code>if</code> parameter specifies the input file to be imaged, in this case PHYSICALDRIVE0. The <code>conv=noerror</code> parameter tells dd to continue processing after read errors, and <code>bs=1024</code> specifies a buffer size of 1 megabyte. Since no output file (<code>of</code>) is specified, we are piping to netcat and sending the data to the IP address listening on port 8888.</p>

<h3>Evidence Handling</h3>

<p>An <a href="http://gcn.com/articles/2004/08/16/justice-issues-guidelines-for-handling-digital-evidence.aspx">excerpt from Government Computer News</a> specifies that because digital data is easily altered and it is difficult to distinguish between original data and copies, extracting, securing and documenting digital evidence requires special attention. The guidelines lay out the following general principles for handling digital evidence:</p>

<ol>
<li>The process of collecting digital evidence should not alter it or raise questions about its integrity.</li>
<li>Examination of digital evidence should be done by trained personnel.</li>
<li>All actions in processing the evidence should be documented and preserved for review.</li>
<li>Examination should be conducted on a copy of the original evidence. The original should be preserved intact.</li>
</ol>

<p><a href="http://praetorianprefect.com/wp-content/uploads/2009/12/Mission-Statement-Image.jpg"><img src="http://praetorianprefect.com/wp-content/uploads/2009/12/Mission-Statement-Image-150x150.jpg" alt="Mission Statement Image" title="Mission Statement Image" width="150" height="150" class="alignleft size-thumbnail wp-image-2405" /></a></p>

<p>The numbering above is not meant to signify priority, but rather to make it easier to discuss each point. Starting with number one, I&#8217;ve been a part of many discussions about which tools are admissible in a court of law, and the answer is that evidence collected in a reliable manner and obtained legally is admissible. The reliable manner is where the tool becomes important. For example, if you are a hobbyist developer and wrote a tool to list processes with Visual Studio, you can be challenged on the accuracy of the process list you&#8217;ve collected. If you used pslist.exe from Sysinternals, verified the MD5 hash of the executable, and properly tagged, timestamped, labeled, and handled its output, you would have a better case in proving your process list is accurate and reliable.</p>

<p>Point number two specifies that trained personnel should be responsible for evidence examination. The point here is that being a systems administrator, or having related expertise on the operating system, is not equivalent to being &#8220;trained in forensic examinations&#8221;. Additionally, such internal IT resources may have difficulty being questioned and cross-examined in a court of law. Someone experienced specifically in digital forensics is better able to handle evidence and participate in the litigation.</p>

<p>Points three and four are related and involve documentation, and the processing and handling of the evidence. Every step taken in the analysis must be meticulously documented and timestamped, and you should have a standard, repeatable process for this. A UK-based firm has an editor-style <a href="http://www.qccis.com/?section=casenotes">application</a> called Forensic CaseNotes to assist in documenting and tracking your case notes. In addition to careful documentation, examination and analysis should be performed on duplicates. It is not a dramatic step to take the original hard disk, and one additional hard disk containing an untouched block-by-block copy, and seal them in plastic bags marked with the time, date, who collected the drives, and identification numbers. A third hard disk with a block-by-block copy can be used for further examination.</p>

<p>Proof of preservation can be maintained with MD5 hashing. In the exercise where we acquired an image of the hard disk, we can obtain an MD5 hash of the image file created and log that in our case notes. If that image is tampered with, the MD5 hash will change and the evidence is not reliable and thus can be dismissed. Output logs from the various tools run during an analysis should be hashed as well.</p>
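<p>As an added example (my own code, not part of the original post), the following Python script ties the imaging and hashing steps above together: it copies a constructed sample file standing in for <code>\\.\PHYSICALDRIVE0</code> block by block (the role dd plays), hashes both source and image in fixed-size blocks so that multi-gigabyte images never have to fit in memory, appends a timestamped line to a case-notes file, and later re-verifies the image so that a modified working copy is flagged. The file names, the tab-separated notes format, the examiner id and the sample data are assumptions made for the demonstration; SHA-256 is computed alongside MD5 as a second, stronger digest.</p>

```python
"""Hash an acquired disk image at acquisition time and verify it later.

Added example: stands in for dd | nc + md5 logging with constructed data.
"""
import hashlib
import os
import tempfile
from datetime import datetime, timezone

BLOCK_SIZE = 1024  # fixed-size reads, in the spirit of dd's bs= parameter


def hash_file(path, algorithms=("md5", "sha256"), block_size=BLOCK_SIZE):
    """Return {algorithm: hexdigest}, reading the file one block at a time."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        while True:
            block = fh.read(block_size)
            if not block:
                break
            for h in hashers.values():
                h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}


def acquire_image(source, image_path, block_size=BLOCK_SIZE):
    """Block-by-block copy of source to image_path (the dd | nc step)."""
    with open(source, "rb") as src, open(image_path, "wb") as dst:
        while True:
            block = src.read(block_size)
            if not block:
                break
            dst.write(block)


def record_acquisition(notes_path, image_path, digests, examiner):
    """Append one timestamped, tab-separated case-notes line; return it."""
    stamp = datetime.now(timezone.utc).isoformat(timespec="seconds")
    line = "\t".join([stamp, examiner, os.path.basename(image_path),
                      digests["md5"], digests["sha256"]])
    with open(notes_path, "a", encoding="utf-8") as notes:
        notes.write(line + "\n")
    return line


def verify_image(image_path, recorded_digests):
    """Re-hash the image and compare with what was logged at acquisition."""
    return hash_file(image_path, tuple(recorded_digests)) == recorded_digests


def demo():
    """Run the workflow on constructed data; returns (ok_before, ok_after_tamper)."""
    workdir = tempfile.mkdtemp(prefix="case-")
    source = os.path.join(workdir, "sample_drive.bin")  # constructed stand-in for the device
    image = os.path.join(workdir, "diskimage.dd")
    notes = os.path.join(workdir, "casenotes.tsv")
    with open(source, "wb") as fh:  # constructed sample bytes, not a real disk
        fh.write(b"MBR" + bytes(509) + b"\x55\xaa" + os.urandom(4096))

    acquire_image(source, image)
    digests = hash_file(image)
    assert digests == hash_file(source)  # the copy is bit-for-bit identical
    record_acquisition(notes, image, digests, "examiner-01")  # assumed examiner id
    ok_before = verify_image(image, digests)

    # Simulate a later modification of a single byte in the working copy.
    with open(image, "r+b") as fh:
        fh.seek(1000)
        original = fh.read(1)
        fh.seek(1000)
        fh.write(bytes([original[0] ^ 0xFF]))
    ok_after = verify_image(image, digests)
    return ok_before, ok_after


if __name__ == "__main__":
    print(demo())  # (True, False)
```

Two practical notes on the dd command itself: the <code>bs=</code> value is a byte count, so <code>bs=1024</code> reads 1 KB per block and imaging jobs commonly use larger blocks such as <code>bs=1M</code>; and <code>conv=noerror,sync</code> (rather than <code>noerror</code> alone) pads each unreadable block so that offsets in the image stay aligned with the source, which matters when you later compare hashes or carve by offset.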

<h3>Conclusion</h3>

<p>There is no conclusion to learning about digital forensics, as the world of analysis techniques evolves and continuously changes. New operating system releases (Windows 7 and 2008 R2), progress in anti-forensics technologies, and the growing sophistication of malware and rootkits continue to challenge forensic investigators. My purpose for this primer is to cut through the sensationalism around COFEE being released, and DECAF to counter it, and to take a look at some great aspects of the forensic tools that are out there and continue to grow.</p>

<h3>Updates</h3>

<p>The intention of this article was to reflect on some of the great tools out there that have been around and growing since before any word of COFEE. I feel it&#8217;s important to understand what is available and how it works, but one thing I did not touch on is that the tools are just a subset of the overall <em><strong>process</strong></em>, and it is the process you use in your investigation that is critical to your analysis. Harlan provides some good examples of this in his latest <a href="http://windowsir.blogspot.com/2009/12/when-tool-is-just-tool-pt-i.html">blog entry</a>.</p>

<h3>References</h3>

<ul>
<li><a href="http://www.forensicfocus.com/">Forensic Focus</a></li>
<li><a href="https://www.volatilesystems.com/">Volatile Systems</a></li>
<li><a href="http://windowsir.blogspot.com/">Windows IR Blog</a></li>
<li><a href="http://www.forensicswiki.org/wiki/Main_Page">Forensics Wiki</a></li>
</ul>

<p><strong>Related Posts:</strong></p>
<ul>
<li><a href="http://praetorianprefect.com/archives/2010/04/winpe-3-0-forensics/">WinPE 3.0 &#038; Forensics</a></li>
<li><a href="http://praetorianprefect.com/archives/2010/01/the-aurora-ie-exploit-in-action/">The &#8220;Aurora&#8221; IE Exploit Used Against Google in Action</a></li>
<li><a href="http://praetorianprefect.com/archives/2010/01/scareware-purveyors-spammers-and-crooks-take-advantage-of-haiti-earthquake/">Scareware Purveyors, Spammers, and Crooks Take Advantage of Haiti Earthquake</a></li>
<li><a href="http://praetorianprefect.com/archives/2010/01/baidu-com-the-latest-victim-of-iranian-cyberarmy/">Baidu.com the Latest Victim of Iranian CyberArmy</a></li>
<li><a href="http://praetorianprefect.com/archives/2010/01/junos-juniper-flaw-exposes-core-routers-to-kernal-crash/">JUNOS (Juniper) Flaw Exposes Core Routers to Kernel Crash</a></li>
</ul><br />
]]></content:encoded>
			<wfw:commentRss>http://praetorianprefect.com/archives/2009/12/forensics-beverages-aside-a-look-at-incident-response-tools/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>Regular or Decaf? Tool launched to combat COFEE</title>
		<link>http://praetorianprefect.com/archives/2009/12/regular-or-decaf-tool-launched-to-combat-cofee/</link>
		<comments>http://praetorianprefect.com/archives/2009/12/regular-or-decaf-tool-launched-to-combat-cofee/#comments</comments>
		<pubDate>Tue, 15 Dec 2009 01:21:34 +0000</pubDate>
		<dc:creator>Simon Price</dc:creator>
				<category><![CDATA[Forensics]]></category>
		<category><![CDATA[Incident Response]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Tools]]></category>
		<category><![CDATA[windows]]></category>
		<category><![CDATA[anti-forensics]]></category>
		<category><![CDATA[cofee]]></category>
		<category><![CDATA[decaf]]></category>
		<category><![CDATA[Microsoft]]></category>

		<guid isPermaLink="false">http://praetorianprefect.com/?p=2250</guid>
		<description><![CDATA[

About a month ago, there was much news about the release of COFEE into the torrent wild. I even gave my two cents about the much hyped forensics toolkit which is provided to law enforcement for the purposes of easily capturing volatile data from personal computers during evidence collection. A tool to counter COFEE, aptly [...]]]></description>
			<content:encoded><![CDATA[<p><a href="http://praetorianprefect.com/wp-content/uploads/2009/12/ScreenHunter_07-Dec.-14-16.32.gif"><img src="http://praetorianprefect.com/wp-content/uploads/2009/12/ScreenHunter_07-Dec.-14-16.32.gif" alt="ScreenHunter_07 Dec. 14 16.32" title="ScreenHunter_07 Dec. 14 16.32" width="150"  class="alignleft size-full wp-image-2265" /></a></p>

<p>About a month ago, there was much news about the release of COFEE into the torrent wild. I even gave <a href="http://praetorianprefect.com/archives/2009/11/more-cofee-please-on-second-thought/">my two cents</a> about the much hyped forensics toolkit which is provided to law enforcement for the purposes of easily capturing volatile data from personal computers during evidence collection. A tool to counter COFEE, aptly named DECAF, has been released as an anti-forensics tool to prevent the use of COFEE for data collection.</p>

<p>&#8220;We want to promote a healthy unrestricted free flow of internet traffic and show why law enforcement should not solely rely on Microsoft to automate their intelligent evidence finding,&#8221; one of the two hackers behind Decaf <a href="http://www.theregister.co.uk/2009/12/14/microsoft_cofee_vs_decaf">told The Register</a> in explaining the objective of the project.</p>

<h3>DECAF Details</h3>

<p>DECAF is written in Visual Basic 2005 and consists of a single executable and an XML configuration file called decaf.exe.config which contains the application settings (an XML is also created in the user&#8217;s profile directory for each user&#8217;s specific settings).</p>

<p>When launched, it displays the user license agreement and asks for confirmation. When agreed, it writes the following registry entry:</p>

<p>Key: <code>HKU\SOFTWARE\DECAFme</code><br />
Value: <code>AcceptedEULA</code><br />
Data: <code>true</code></p>

<p>The program then connects via HTTP to 208.68.237.165 to check the current version number and receives the following response:
<code>1.0.0|http://www.decafme.org/|</code></p>

<p>If the application does not have a network connection, it will crash upon starting up with the following event:</p>

<pre><code>EventType clr20r3, P1 decaf.exe, P2 1.0.2.0, P3 4b2679b7, P4 decaf,
 P5 1.0.2.0, P6 4b2679b7, P7 115, P8 14d, P9 
system.invalidoperationexception, P10 NIL.
</code></pre>

<div id="attachment_2277" class="wp-caption alignright" style="width: 130px"><a href="http://praetorianprefect.com/wp-content/uploads/2009/12/ScreenHunter_11-Dec.-14-18.34.gif"><img src="http://praetorianprefect.com/wp-content/uploads/2009/12/ScreenHunter_11-Dec.-14-18.34.gif" alt="Decaf Menu" title="ScreenHunter_11 Dec. 14 18.34" width="120" height="148" class="size-full wp-image-2277" /></a><p class="wp-caption-text">Decaf Menu</p></div>

<p>I produced this initially when I had my virtual host&#8217;s network interface disabled.</p>

<p>Starting the monitor puts the application in detection mode, looking for the presence of COFEE. It waits for the launch of runner.exe, the launcher in COFEE, and will perform an action based on the configuration settings. It appears the tool checks the MD5 hash of runner.exe (ab9e68c7e71ebb2d6a5b8d17e9bd6b33). In addition to detecting the launch of runner.exe, the tool performs a WMI query to detect the COFEE USB thumb drive. The WMI query used for this type of action is:</p>

<p><code>SELECT * FROM __InstanceOperationEvent WITHIN 10 WHERE TargetInstance ISA "Win32_DiskDrive"</code></p>

<p>And since the thumb drive has the COFEE label, finding its presence should not be an issue.</p>

<div id="attachment_2302" class="wp-caption aligncenter" style="width: 510px"><a href="http://praetorianprefect.com/wp-content/uploads/2009/12/ScreenHunter_12-Dec.-14-18.43.gif"><img src="http://praetorianprefect.com/wp-content/uploads/2009/12/ScreenHunter_12-Dec.-14-18.43.gif" alt="Notification finding COFEE" title="ScreenHunter_12 Dec. 14 18.43" width="500" class="size-full wp-image-2302" /></a><p class="wp-caption-text">Notification finding COFEE</p></div>

<p>When COFEE is found, a notification is sent over to decafme.org (note I changed the rip field to invalid IP addresses):</p>

<p><code>GET /decaf.php?&amp;rip=299.297.141.45&amp;rtime=12142009_050704PM-5&amp;sim=false HTTP/1.1</code></p>

<p>When clicking Simulate, it mimics what <em>would</em> happen if coffee is found, and the sim field is set to true:</p>

<p><code>GET /decaf.php?&amp;rip=299.297.141.45&amp;rtime=12142009_051522PM-5&amp;sim=true HTTP/1.1</code></p>

<h3>The Configuration Menu</h3>

<div id="attachment_2312" class="wp-caption alignright" style="width: 310px"><a href="http://praetorianprefect.com/wp-content/uploads/2009/12/lockdown_mode.png"><img src="http://praetorianprefect.com/wp-content/uploads/2009/12/lockdown_mode-300x252.png" alt="Lockdown Settings" title="lockdown_mode" width="300" height="252" class="size-medium wp-image-2312" /></a><p class="wp-caption-text">Lockdown Settings</p></div>

<p>In the configuration menu, there are checkboxes in the Monitor section to &#8220;Monitor USB&#8221; and &#8220;Monitor COFEE&#8221;. As discussed, these options enable checking for runner.exe and detection of the USB thumb drive. The Notification section contains options for notifying the user when detection occurs. The Actions section is the interesting part, especially editing the Lockdown Mode. Here, you can set what happens when detection occurs. Some of the options are:</p>

<ul>
<li>Shutdown the system</li>
<li>Kill selected processes</li>
<li>Disable Network, USB, CD-ROM, ports, floppy</li>
<li>Clear event viewer</li>
<li>Erase Data</li>
</ul>


<p>The configuration settings are stored per user in an XML file located in:</p>

<p><code>%USERPROFILE%\local settings\application data\DECAFme.org\Decaf.exe_Url_5fokqfogt1qso5vyeabunvhsigozqvpo\1.0.2.0</code></p>

<p>If the config for the user does not exist, the default in the launch directory is used.</p>

<h3>Conclusion</h3>

<p>When I first heard of the tool, I assumed it would also include detection of the default OS commands and Sysinternals utilities that COFEE typically runs, such as pslist.exe or tcpvcon.exe; however, in its current version this is not the case. An anti-forensics tool which expands into detecting the typical collection tools would affect investigations that use various toolkits (Helix, IRCR, etc.), not just COFEE. However, as quoted by The Register, the DECAF brewers&#8217; intention is not to derail just any collection suite, but for law enforcement to expand beyond using what Microsoft provides them.</p>

<p>This version of DECAF is still very bitter and has quite a way to go in its development. The authors of DECAF are promising a more lightweight version or a Windows service in the next release, and text message and email triggers to enter lockdown mode remotely in future versions. However, DECAF provides a good example of how anti-forensic tools continue to evolve and can become serious roadblocks for digital forensic investigators.</p>

<h3>Updates</h3>

<p>The authors of Decaf have shut down the project and have said they are starting a forum for those interested in further discussing related matters. Considered a spoof, stunt, hoax, and many other names in the media, we have discussed the matter in the <a href="http://praetorianprefect.com/archives/2009/12/reactivating-decaf-in-two-minutes/">following post</a>.</p>

<p><strong>Related Posts:</strong></p>
<ul>
<li><a href="http://praetorianprefect.com/archives/2010/06/iphone-4-ordering-and-session-switching/">iPhone 4 Ordering and Session Switching</a></li>
<li><a href="http://praetorianprefect.com/archives/2010/05/mays-patch-tuesday/">May&#8217;s Patch Tuesday</a></li>
<li><a href="http://praetorianprefect.com/archives/2010/04/winpe-3-0-forensics/">WinPE 3.0 &#038; Forensics</a></li>
<li><a href="http://praetorianprefect.com/archives/2010/03/3473/">March&#8217;s Patch Tuesday</a></li>
<li><a href="http://praetorianprefect.com/archives/2010/03/press-f1-for-help-pwned/">Press F1 for Help, pwned.</a></li>
</ul><br />
]]></content:encoded>
			<wfw:commentRss>http://praetorianprefect.com/archives/2009/12/regular-or-decaf-tool-launched-to-combat-cofee/feed/</wfw:commentRss>
		<slash:comments>8</slash:comments>
		</item>
		<item>
		<title>Six Bulletins in Last Patch Tuesday of 2009</title>
		<link>http://praetorianprefect.com/archives/2009/12/six-bulletins-in-last-patch-tuesday-of-2009/</link>
		<comments>http://praetorianprefect.com/archives/2009/12/six-bulletins-in-last-patch-tuesday-of-2009/#comments</comments>
		<pubDate>Tue, 08 Dec 2009 19:39:55 +0000</pubDate>
		<dc:creator>Simon Price</dc:creator>
				<category><![CDATA[Administration]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Vulnerability]]></category>
		<category><![CDATA[windows]]></category>
		<category><![CDATA[adobe]]></category>
		<category><![CDATA[flash]]></category>
		<category><![CDATA[ie]]></category>
		<category><![CDATA[Internet Explorer]]></category>
		<category><![CDATA[patch]]></category>
		<category><![CDATA[patch tuesday]]></category>
		<category><![CDATA[updates]]></category>
		<category><![CDATA[vulnerabilities]]></category>

		<guid isPermaLink="false">http://praetorianprefect.com/?p=2088</guid>
		<description><![CDATA[Today marks the last Microsoft patch Tuesday of 2009, and Microsoft has released patches to six bulletins:




MS09-071 &#8211; Vulnerabilities in Internet Authentication Service Could Allow Remote Code Execution (974318)
MS09-074 &#8211; Vulnerability in Microsoft Office Project Could Allow Remote Code Execution (967183) 
MS09-072 &#8211; Cumulative Security Update for Internet Explorer (976325) 
MS09-069 &#8211; Vulnerability in Local [...]]]></description>
			<content:encoded><![CDATA[<p>Today marks the last Microsoft patch Tuesday of 2009, and Microsoft has released patches to six bulletins:</p>

<p><a href="http://praetorianprefect.com/wp-content/uploads/2009/12/image_31_3.png"><img style="border-bottom: 0px; border-left: 0px; display: inline; border-top: 0px; border-right: 0px" title="image_3[1]_3" border="0" alt="image_3[1]_3" src="http://praetorianprefect.com/wp-content/uploads/2009/12/image_31_3.png" width="69" height="81" /></a></p>

<ul>
<li><strong>MS09-071</strong> &#8211; Vulnerabilities in Internet Authentication Service Could Allow Remote Code Execution (974318)</li>
<li><strong>MS09-074</strong> &#8211; Vulnerability in Microsoft Office Project Could Allow Remote Code Execution (967183) </li>
<li><strong>MS09-072</strong> &#8211; Cumulative Security Update for Internet Explorer (976325) </li>
<li><strong>MS09-069</strong> &#8211; Vulnerability in Local Security Authority Subsystem Service Could Allow Denial of Service (974392) </li>
<li><strong>MS09-070</strong> &#8211; Vulnerabilities in Active Directory Federation Services Could Allow Remote Code Execution (971726) </li>
<li><strong>MS09-073</strong> &#8211; Vulnerability in WordPad and Office Text Converters Could Allow Remote Code Execution (975539) </li>
</ul>

<h3>Severity Levels</h3>

<p>Microsoft has a <a href="http://www.microsoft.com/technet/security/bulletin/rating.mspx" target="_blank">rating system</a> for bulletins which includes: Critical, Important, Moderate, and Low. The severity levels I provide below are not directly from Microsoft. For example, MS will give an Important rating when exploitation could result in compromise of availability, as in a denial of service. MS09-069 can result in a denial of service; however, the attacker must already be authenticated. For this reason I drop the severity to Low.</p>

<h3>Bulletin Summaries</h3>

<hr />

<p><strong>Bulletin:</strong> MS09-071<br/>
<strong>Recommended Action:</strong> Update Windows 2008 Server (32-bit and 64-bit) which have IAS configured to use PEAP with MS-CHAP v2 authentication.<br/>
<strong>My Severity Rating:</strong> Moderate, should patch the above mentioned software.</p>

<p>This update addresses two vulnerabilities in the Internet Authentication Service (IAS). One is an IAS memory corruption vulnerability and the second is an authentication bypass vulnerability in MS-CHAP authentication. Client operating systems contain the vulnerable code, but the components are not used in a way that makes them vulnerable.</p>

<hr />

<p><strong>Bulletin:</strong> MS09-074<br/>
<strong>Recommended Action:</strong> Update MS Project 2000 SR-1.<br/>
<strong>My Severity Rating:</strong> Important for Project Software</p>

<p>This update addresses a vulnerability in Microsoft Project which can cause remote code execution when a specially crafted Project file is opened. Microsoft Project 2000 SR-1, Project 2002 SP1 and Project 2003 SP3 are affected.</p>

<hr />

<p><strong>Bulletin:</strong> MS09-072<br/>
<strong>Recommended Action:</strong> Update Internet Explorer<br/>
<strong>My Severity Rating:</strong> Critical</p>

<p>This update addresses five different vulnerabilities, at least one of which affects every version of Internet Explorer. Attackers can host malicious code which can lead to remote code execution on vulnerable systems. Any issue that leads to remote execution in IE should be addressed immediately; even if you are confident about not browsing malicious sites, a known site, <a href="http://praetorianprefect.com/archives/2009/12/pentagon-web-pwned/">such as the Pentagon web site</a>, could be used to automatically execute or redirect you to malicious code using cross-site scripting.</p>

<hr />

<p><strong>Bulletin:</strong> MS09-069<br/>
<strong>Recommended Action:</strong> Update Windows 2000, Windows XP and Windows 2003<br/>
<strong>My Severity Rating:</strong> Low</p>

<p>A vulnerability in LSASS can cause a denial of service. The attacker must be authenticated and communicating through IPSEC.</p>

<hr />

<p><strong>Bulletin:</strong> MS09-070<br/>
<strong>Recommended Action:</strong> Update Windows 2003 and Windows 2008 Servers<br/>
<strong>My Severity Rating:</strong> Low</p>

<p>This update addresses two vulnerabilities in Active Directory Federation Services, one which can be used to spoof an authenticated user and the second which can cause remote code execution. The spoofing requires access to a workstation and browser recently used by a targeted user and the remote code execution requires the attacker to have valid logon credentials to the vulnerable server.</p>

<hr />

<p><strong>Bulletin:</strong> MS09-073<br/>
<strong>Recommended Action:</strong> Update Windows XP SP3 and/or Office 2003 SP3<br/>
<strong>My Severity Rating:</strong> Moderate</p>

<p>A vulnerability in text converters in WordPad and Office can cause remote code execution. Malicious code can be hosted on a website to trigger an exploit, however, an attempt would cause a dialog box to appear prompting the user to open the file (unless the option to “Always ask before opening this type of file” has been unchecked).</p>

<hr />

<h3>Adobe</h3>

<p><a href="http://praetorianprefect.com/wp-content/uploads/2009/12/adobelq.png"><img style="border-right-width: 0px; display: inline; border-top-width: 0px; border-bottom-width: 0px; border-left-width: 0px" title="adobe-lq" border="0" alt="adobe-lq" src="http://praetorianprefect.com/wp-content/uploads/2009/12/adobelq_thumb.png" width="47" height="76" /></a></p>

<p>Adobe has mirrored the patch Tuesday schedule of releasing patches on the first Tuesday of the month. The severity ratings also follow the same definitions as Microsoft’s.</p>

<p>Adobe has two advisories for this month:</p>

<hr />

<p><strong>Bulletin:</strong> APSA09-06     <br />
<strong>Recommended Action:</strong> Update Adobe Illustrator CS4 and earlier. (Avail Jan 8)     <br />
<strong>My Severity Rating:</strong> Low</p>

<p>A vulnerability in Illustrator CS4 and earlier could lead to remote code execution. The target is required to open a malicious eps file.</p>

<hr />

<p><strong>Bulletin:</strong> APSA09-17     <br />
<strong>Recommended Action:</strong> Update Adobe Flash Player and Adobe AIR<br/>
<strong>My Severity Rating:</strong> Low</p>

<p>Adobe states this is a critical update and it is scheduled for release today, but does not provide details of the update.</p>

<h3>Updates</h3>

<p>Adobe has released details on the Flash Player update. The update addresses six vulnerabilities, five which can lead to remote execution and one to information disclosure. The vulnerabilities were identified in Flash Player version 10.0.32.18 and earlier.</p>

<h3>References</h3>

<ul>
<li><a href="http://www.microsoft.com/technet/security/Bulletin/MS09-dec.mspx">Microsoft&#8217;s December Bulletins</a></li>
<li><a href="http://www.adobe.com/support/security/">Adobe&#8217;s Security Advisories</a></li>
</ul>

<p><strong>Related Posts:</strong></p>
<ul>
<li><a href="http://praetorianprefect.com/archives/2010/07/turning-an-atm-into-a-slot-machine/">Turning an ATM into a Slot Machine</a></li>
<li><a href="http://praetorianprefect.com/archives/2010/06/iphone-4-ordering-and-session-switching/">iPhone 4 Ordering and Session Switching</a></li>
<li><a href="http://praetorianprefect.com/archives/2010/05/mays-patch-tuesday/">May&#8217;s Patch Tuesday</a></li>
<li><a href="http://praetorianprefect.com/archives/2010/03/3473/">March&#8217;s Patch Tuesday</a></li>
<li><a href="http://praetorianprefect.com/archives/2010/03/press-f1-for-help-pwned/">Press F1 for Help, pwned.</a></li>
</ul><br />
]]></content:encoded>
			<wfw:commentRss>http://praetorianprefect.com/archives/2009/12/six-bulletins-in-last-patch-tuesday-of-2009/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>From Promiscuous to Port Scanning with Powershell</title>
		<link>http://praetorianprefect.com/archives/2009/11/from-promiscuous-to-port-scanning-with-powershell/</link>
		<comments>http://praetorianprefect.com/archives/2009/11/from-promiscuous-to-port-scanning-with-powershell/#comments</comments>
		<pubDate>Mon, 23 Nov 2009 19:04:15 +0000</pubDate>
		<dc:creator>Simon Price</dc:creator>
				<category><![CDATA[Security]]></category>
		<category><![CDATA[Administration]]></category>
		<category><![CDATA[Microsoft]]></category>
		<category><![CDATA[network]]></category>
		<category><![CDATA[portscan]]></category>
		<category><![CDATA[powershell]]></category>
		<category><![CDATA[scripting]]></category>
		<category><![CDATA[windows]]></category>

		<guid isPermaLink="false">http://praetorianprefect.com/?p=1924</guid>
		<description><![CDATA[

It&#8217;s been a while since my last post regarding Powershell which showed how to scan hosts for network interfaces in promiscuous mode. This time around, we’ll scan for some well known ports in our Active Directory to see who has a local IIS or SQL Express running on their machine. I know what you’re thinking. [...]]]></description>
			<content:encoded><![CDATA[<p><a href="http://praetorianprefect.com/wp-content/uploads/2009/12/powershell1.jpg"><img style="border-bottom: 0px; border-left: 0px; display: inline; border-top: 0px; border-right: 0px" title="powershell1" border="0" alt="powershell1" src="http://praetorianprefect.com/wp-content/uploads/2009/12/powershell1_thumb.jpg" width="84" height="62" /></a></p>

<p>It&#8217;s been a while since <a href="http://praetorianprefect.com/archives/2009/09/whos-being-promiscuous-in-your-active-directory/" target="_blank">my last post regarding Powershell</a> which showed how to scan hosts for network interfaces in promiscuous mode. This time around, we’ll scan for some well known ports in our Active Directory to see who has a local IIS or SQL Express running on their machine. I know what you’re thinking. A port scanner? I already use trusty old NMAP or Superscan. This is not about port scanning, it’s about Powershell. In the last post, we used the <code>MSNdis_CurrentPacketFilter</code> class of WMI to find any network cards in promiscuous mode, using Active Directory computer objects as our targets. Once again, I keep the AD query of computer objects as a way to source target hosts, but the scripts can easily be modified to take in a hosts file or an IP range. For making connections, let’s look into the <code>System.Net.Sockets</code> namespace.</p>

<p>When I started looking into a method I can use to establish a connection to a given port in order to check if it was open, I went with a Connect method using the <code>System.Net.Sockets.Socket</code> class. This isn’t what I ended up using in the finished script, but I want to mention this class, because it can be used to send data to a connected socket, or to receive data on a listening socket (there is a listen method as well). Perhaps a more detailed post will materialize on those items, but I haven’t thought of a reason to use them yet. Maybe we can convert <a href="http://praetorianprefect.com/archives/2009/11/how-to-crash-windows-7-and-server-2008/" target="_blank">Gaffie’s Python code that crashes Windows 7</a> into a Powershell script one day.</p>

<p>Why didn’t I end up using the socket.connect method? The timeout was too long and I lost patience fiddling with the <code>ConnectAsync</code> method. If interested, here is the code for the <code>socket.connect</code>:</p>

<pre><code># Rejected approach: synchronous Socket.Connect against one host and port
$computer = "test"
$ipport = [int]80
$comp = [Net.Dns]::GetHostEntry($computer)
foreach ($ip in $comp.AddressList) {
   $ep = New-Object System.Net.IPEndPoint($ip, $ipport)
   # IPv4-only socket; an IPv6 entry in AddressList would fail here
   $socket = New-Object System.Net.Sockets.Socket([System.Net.Sockets.AddressFamily]::InterNetwork,
                                                  [System.Net.Sockets.SocketType]::Stream,
                                                  [System.Net.Sockets.ProtocolType]::Tcp)
   $optlevel = [System.Net.Sockets.SocketOptionLevel]::"Socket"
   $optname = [System.Net.Sockets.SocketOptionName]::"SendTimeout"
   $timeout = [Int]100
   # SendTimeout bounds Send() only; it does not shorten a blocking Connect()
   $socket.SetSocketOption($optlevel,$optname,$timeout)
   $socket.Connect($ep)
   $socket.Close()
}
</code></pre>

<p>I’ve left out the AD code and the extra code that’s in the port scan script to show just the use of <code>socket.connect</code>. The workstation in the script is “test” and we’re trying to connect to port 80. If the host is using a firewall that will actively refuse the connection, we get a quick response which would be fine for a port scanner; but, if the port is simply not listening and there is no firewall to actively refuse the connection, there is a pretty significant delay before getting the connection error. This delay is not suitable for port scanning.</p>

<p>Instead of System.Net.Sockets.Socket, we will use the <code>System.Net.Sockets.TcpClient</code> class with the <code>BeginConnect</code> method in conjunction with a timeout (if it doesn’t complete in a given time, we assume the connection is not available). I’ve seen examples of this used on <code>poshcode.org</code> for testing a connection to port 135 prior to making WMI calls or other RPC calls.</p>

<pre><code># $CompName (a host name from the AD query) and $PortList (the array of ports passed
# as the script parameter) are set by the code omitted from this snippet
$HostEntry = [Net.Dns]::GetHostEntry($CompName)
# IPv4 only: a TcpClient created with no arguments is an IPv4 socket, so BeginConnect
# would throw on an IPv6 address before the try block below could catch it
foreach ($ip in ($HostEntry.AddressList | Where-Object { $_.AddressFamily -eq [System.Net.Sockets.AddressFamily]::InterNetwork })) {
   Write-Host "Checking: $CompName on $ip"
   foreach ($tcpport in $PortList) {
      $TCPclient = New-Object System.Net.Sockets.TcpClient
      $Connection = $TCPclient.BeginConnect($ip,$tcpport,$null,$null)
      ## $TimeOut is $true when the connect attempt signalled completion within the
      ## 3 second timeout (can be modified), $false when it is still pending
      $TimeOut = $Connection.AsyncWaitHandle.WaitOne(3000,$false)
      if(!$TimeOut) {
         $TCPclient.Close()
         ## Next line outputs that the port is closed. I prefer to see output
         ## processing; comment for outputting only open ports.
         Write-Host "     OK: Port $tcpport is closed."
      }
      else {
         try {
            $TCPclient.EndConnect($Connection) | Out-Null
            $TCPclient.Close()
            Write-Host "     " -NoNewline
            Write-Host "Host: $CompName has port $tcpport open!" -ForegroundColor red -BackgroundColor yellow
         }
         catch {
            ## Machine actively refused the connection. The port is not open but $TimeOut was still true
            ## Uncomment next line to output the error for this.
            ## Write-Host $_
            $TCPclient.Close()
            Write-Host "     OK: Port $tcpport is closed."
         }
      }
   }
}
</code></pre>

<div class="wp-caption" style="float: right;margin: 5px;margin-left: 60px;margin-right: 21px;"><a href="http://praetorianprefect.com/wp-content/uploads/2009/12/ScreenHunter_08Dec.0314.14.gif" title="" rel="lightbox"> <img src="http://praetorianprefect.com/wp-content/uploads/2009/12/ScreenHunter_08Dec.0314.14_thumb.gif" alt="router in router.png" border="0" width="229" height="248" /><p class="wp-caption-text">Note: the script requires a parameter<br />which is comma separated list of ports.<br /><br />Example: ad-portscan.ps1 23,80,443,1433</p></a></div>

<p>You can see from the code snippet above that we are using <code>Sockets.TcpClient</code> rather than <code>Sockets.Socket</code>, and the method used is <code>BeginConnect</code> rather than <code>Connect</code> as in the previous example. If the connection is not established within 3 seconds, the timeout expires and the script reports the port as closed. In some cases, Windows Firewall will refuse the connection before the timeout expires. I found that in these cases, when attempting to complete and close the connection, an error reported that the connection was refused and had never been connected to begin with. This is where the TRY / CATCH comes in: we check that we can cleanly complete (<code>EndConnect</code>) and close the connection, and only then report that the port is open.</p>
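<p>The same BeginConnect / wait / EndConnect logic, packaged as a function that returns objects instead of printing, is shown below. This is an added example and not the post’s <code>ad-portscan.ps1</code>; it assumes Windows PowerShell with the .NET <code>TcpClient</code> class the post uses, and the host names in the usage lines are constructed. It goes one step further than the snippet above by separating a timeout (nothing answered, typically a firewall dropping the SYN) from an active refusal (a RST, so the host is up but the port is closed), which the original reports identically.</p>

```powershell
# Added example, not code from the original post. Assumes Windows PowerShell and the
# .NET TcpClient class; host names used below are constructed placeholders.
function Test-TcpPort {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)][string]$ComputerName,
        [Parameter(Mandatory = $true)][int[]]$Port,
        [int]$TimeoutMs = 3000
    )
    try {
        # IPv4 only: the parameterless TcpClient constructor creates an IPv4 socket
        $addresses = [Net.Dns]::GetHostEntry($ComputerName).AddressList |
            Where-Object { $_.AddressFamily -eq [Net.Sockets.AddressFamily]::InterNetwork }
    }
    catch {
        # No DNS answer: report it as its own status rather than silently skipping the host
        return [pscustomobject]@{ ComputerName = $ComputerName; Address = $null; Port = $null;
                                  Status = 'NoDns'; Detail = $_.Exception.Message }
    }
    foreach ($ip in $addresses) {
        foreach ($p in $Port) {
            $client = New-Object System.Net.Sockets.TcpClient
            $status = 'Error'; $detail = ''
            try {
                $ar = $client.BeginConnect($ip, $p, $null, $null)
                if (-not $ar.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) {
                    # Neither SYN/ACK nor RST within the timeout: the usual sign of a
                    # firewall dropping the packet (or a host that is down)
                    $status = 'Filtered'
                }
                else {
                    # EndConnect throws a SocketException on an active refusal (RST);
                    # returning cleanly means the three-way handshake completed
                    $client.EndConnect($ar)
                    $status = 'Open'
                }
            }
            catch [System.Net.Sockets.SocketException] {
                $status = 'Closed'; $detail = $_.Exception.Message
            }
            catch {
                $detail = $_.Exception.Message
            }
            finally {
                # Close() also cancels a BeginConnect that is still pending
                $client.Close()
            }
            [pscustomobject]@{ ComputerName = $ComputerName; Address = $ip.ToString(); Port = $p;
                               Status = $status; Detail = $detail }
        }
    }
}

# Usage with constructed host names; feed it the AD computer list from the post instead.
'ws-finance-01', 'ws-dev-02' |
    ForEach-Object { Test-TcpPort -ComputerName $_ -Port 80, 1433, 3389 } |
    Where-Object { $_.Status -ne 'Closed' } |
    Format-Table -AutoSize
```

<p>Because the function emits objects, the result can be piped to <code>Export-Csv</code> or filtered on <code>Status</code>; a host that shows <code>Filtered</code> on every port is worth a second look, since it usually means the local firewall is dropping rather than refusing, and the scan says nothing about what is listening behind it.</p>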

<p>You can find the full script <a href="http://www.praetoriansecuritygroup.com/files/downloads/tools/ad-portscan.txt" target="_blank">here</a>, and while by no means is this to replace your standard port scanner, it can provide a quick way to scan your AD hosts for open ports that you specify or get you digging further into <code>Sockets.Socket</code> which can lead to many places.</p>

<p><em>Note: the script requires a parameter which is a comma-separated list of ports.</em></p>

<p><em>Example</em>: <code>ad-portscan.ps1 23,80,443,1433</code></p>

<hr />

<ul>
<li><a href="http://msdn.microsoft.com/en-us/library/system.net.sockets.aspx">http://msdn.microsoft.com/en-us/library/system.net.sockets.aspx</a></li>
</ul>

]]></content:encoded>
			<wfw:commentRss>http://praetorianprefect.com/archives/2009/11/from-promiscuous-to-port-scanning-with-powershell/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Remote SMB Exploit: Crashing Windows 7 and Server 2008</title>
		<link>http://praetorianprefect.com/archives/2009/11/how-to-crash-windows-7-and-server-2008/</link>
		<comments>http://praetorianprefect.com/archives/2009/11/how-to-crash-windows-7-and-server-2008/#comments</comments>
		<pubDate>Wed, 11 Nov 2009 21:16:28 +0000</pubDate>
		<dc:creator>Simon Price</dc:creator>
				<category><![CDATA[Remote Exploit]]></category>
		<category><![CDATA[windows]]></category>
		<category><![CDATA[kernal]]></category>
		<category><![CDATA[SMB]]></category>
		<category><![CDATA[windows 7]]></category>

		<guid isPermaLink="false">http://praetorianprefect.com/archives/2009/11/how-to-crash-windows-7-and-server-2008/</guid>
		<description><![CDATA[Python code was posted today by Laurent Gaffie on <a href="http://g-laurent.blogspot.com/" target="_blank">his blog</a>, demonstrating a much too easy way to remotely crash a Windows 7 or Windows Server 2008 machine. The crash is caused by sending a NetBIOS header which specifies that the SMB packet is 4 bytes smaller or larger than it actually is. In this code sample below, you can see that the header has the length of the packet set to 9a rather than 9e (4 bytes smaller).]]></description>
			<content:encoded><![CDATA[<p><a href="http://praetorianprefect.com/wp-content/uploads/2009/11/pc_guy.jpg"><img class="alignleft size-thumbnail wp-image-1585" title="pc_guy" alt="pc_guy" src="http://praetorianprefect.com/wp-content/uploads/2009/11/pc_guy-130x150.jpg" width="110" height="130" /></a></p>

<p>Python code was posted today by Laurent Gaffie on <a href="http://g-laurent.blogspot.com/" target="_blank">his blog</a>, demonstrating a much too easy way to remotely crash a Windows 7 or Windows Server 2008 machine. The crash is caused by sending a NetBIOS header which specifies that the SMB packet is 4 bytes smaller or larger than it actually is.</p>

<p>In the code sample below, you can see that the header has the length of the packet set to 9a rather than 9e (4 bytes smaller). Update: We have tested with different variations, such as 1 byte and 2 bytes off, which also caused the crash.</p>

<pre><code>packet = "\x00\x00\x00\x9a" # --&gt; length should be 9e not 9a.. 
"\xfe\x53\x4d\x42\x40\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00"
"\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x41\x00\x01\x00\x02\x02\x00\x00\x30\x82\xa4\x11\xe3\x12\x23\x41"
"\xaa\x4b\xad\x99\xfd\x52\x31\x8d\x01\x00\x00\x00\x00\x00\x01\x00"
"\x00\x00\x01\x00\x00\x00\x01\x00\xcf\x73\x67\x74\x62\x60\xca\x01"
"\xcb\x51\xe0\x19\x62\x60\xca\x01\x80\x00\x1e\x00\x20\x4c\x4d\x20"
"\x60\x1c\x06\x06\x2b\x06\x01\x05\x05\x02\xa0\x12\x30\x10\xa0\x0e"
"\x30\x0c\x06\x0a\x2b\x06\x01\x04\x01\x82\x37\x02\x02\x0a"
</code></pre>

<p>We also tested this by setting 9e to aa (4 bytes larger) to see if it had the same effect, and indeed it did.</p>

<p>A little about the “crash”. The Operating System actually freezes. There is no error message, no blue screen of death, no indication that anything has gone wrong. Even after power cycling, the event logs show no sign of a mishap, aside from the typical events generated from booting up again.</p>

<h4>Demonstration</h4>

<div class="wp-caption" style="float: right;margin: 5px;margin-left: 42px;margin-right: 21px;margin-bottom: 30px;"><a title="Frozen Windows 7" rel="lightbox" href="http://praetorianprefect.com/wp-content/uploads/2009/11/ScreenHunter_04Nov.1115.11.gif"><img src="http://praetorianprefect.com/wp-content/uploads/2009/11/ScreenHunter_04Nov.1115.11.gif" border="1" alt="NY Crime Rate Drop" width="300" height="218" /> </a></div>

<p>Our victim targets are:</p>

<ol>
<li>A Windows 7 Professional workstation with latest patches. </li>
<li>A Windows Server 2008 R2 Standard Core Edition with latest patches.</li>
</ol>

<p>On Open BSD, Mac OSX, and Linux 2.6 workstations, we ran the python code and had it listen on port 445.&#160; I would have had a Windows server run the listening server, but SMB on Windows already listens on port 445 and for the purpose of the demonstration it was easier to run it on machines that do not listen on this port by default.&#160; From the Windows 7 and Windows Server 2008 victim machines, we simply attempt any type of SMB connection to the bad hosts listening with the Python code. This can be done by simply doing a directory command (dir) to a non-existent share (<code>dir \\ip-address\share</code>).</p>

<p>The screenshot below shows the command window with the dir command used to attempt a connection to a host (172.17.20.139) which is running the Python code, ready to send that SMB packet over. As soon as the connection is attempted, the whole machine freezes. I had resource monitor and task manager running and every counter, even the ticking of uptime, stopped dead. In some cases, I left the machine in this state for a significant amount of time.&#160; Also, the host was no longer pingable, so once the crash occurred, it was off the network and no longer attempting any more SMB traffic.</p>

<h4>What is the big deal?</h4>

<div class="wp-caption" style="float: right;margin: 5px;margin-left: 42px;margin-right: 21px;"><a title="Internal Example URI" rel="lightbox" href="http://praetorianprefect.com/wp-content/uploads/2009/11/ScreenHunter_06Nov.1115.51new.gif"><img src="http://praetorianprefect.com/wp-content/uploads/2009/11/ScreenHunter_06Nov.1115.51new.gif" border="1" alt="NY Crime Rate Drop" width="300" height="218" /> </a></div>

<p>To simulate how an attacker could use this, we hosted a small internal web page with a simple link to direct the user to our malicious host. Our link, as seen in the image, was very obvious for demonstration purposes, but users can be redirected in various obfuscated ways.&#160; Although remote elevated privileges or sensitive data theft are not part of this proof of concept, this can still be a very troublesome issue.</p>

<hr />

<h3>References</h3>

<ul>
<li>g-laurent.blogspot.com: <a href="http://g-laurent.blogspot.com/">Windows 7 / Server 2008R2 Remote Kernel Crash</a></li>
<li>informationweek.com: <a href="http://www.informationweek.com/news/security/vulnerabilities/showArticle.jhtml?articleID=221601573">Microsoft Investigating Zero-Day Windows 7 Flaw</a></li>
<li>darkreading.com: <a href="http://www.darkreading.com/security/app-security/showArticle.jhtml?articleID=221700053&amp;cid=ref-true">Microsoft Looks Into Bug That Can Crash Windows 7</a></li>
<li>thetechherald.com: <a href="http://www.thetechherald.com/article.php/200946/4784/Microsoft-Kernel-Smash-vulnerability-being-investigated">Microsoft Kernel Smash vulnerability being investigated</a></li>
</ul>

<h3>Update</h3>

<p>Microsoft says this is being investigated as a possible denial of service vulnerability, but initially responded that correcting it will be handled in the first service pack updates for Windows 7 and Server 2008 R2 rather than as a &quot;Patch Tuesday&quot; security update.</p>

<p>Microsoft has posted a <a href="http://www.microsoft.com/technet/security/advisory/977544.mspx">security advisory (977544)</a> regarding the issue.</p>

]]></content:encoded>
			<wfw:commentRss>http://praetorianprefect.com/archives/2009/11/how-to-crash-windows-7-and-server-2008/feed/</wfw:commentRss>
		<slash:comments>24</slash:comments>
		</item>
		<item>
		<title>More COFEE Please, on Second Thought&#8230;</title>
		<link>http://praetorianprefect.com/archives/2009/11/more-cofee-please-on-second-thought/</link>
		<comments>http://praetorianprefect.com/archives/2009/11/more-cofee-please-on-second-thought/#comments</comments>
		<pubDate>Mon, 09 Nov 2009 17:24:49 +0000</pubDate>
		<dc:creator>Simon Price</dc:creator>
				<category><![CDATA[Featured]]></category>
		<category><![CDATA[Forensics]]></category>
		<category><![CDATA[hype]]></category>
		<category><![CDATA[Microsoft]]></category>

		<guid isPermaLink="false">http://praetorianprefect.com/archives/2009/11/more-cofee-please-on-second-thought/</guid>
<description><![CDATA[The forensics tool created by Microsoft and provided to law enforcement officials, called COFEE (Computer Online Forensic Evidence Extractor), was leaked on torrents last week, and this has caused quite a bit of excitement. Let’s see if the big deal is warranted.]]></description>
<content:encoded><![CDATA[<p><div class="wp-caption" style="float: right;margin: 5px;margin-left: 60px;margin-right: 21px;"><a href="http://praetorianprefect.com/wp-content/uploads/2009/11/938024.jpg"><img style="border-right-width: 0px; display: inline; border-top-width: 0px; border-bottom-width: 0px; border-left-width: 0px" title="938-024" border="0" alt="938-024" align="right" src="http://praetorianprefect.com/wp-content/uploads/2009/11/938024_thumb.jpg" width="113" height="166" /></a></div> The forensics tool created by Microsoft and provided to law enforcement officials, called COFEE (Computer Online Forensic Evidence Extractor), was leaked on torrents last week, and this has caused quite a bit of excitement.&#160; Let’s see if the big deal is warranted.</p>

<p>The software is made up of three components or phases: </p>

<ul>
<li>The tool generation phase, which is meant for the more tech-savvy forensics examiner to set up a profile which is exported to a USB disk. This is a simple decision-making process of which tools and parameters should be set up to run from the USB drive.</li>
<li>The data acquisition phase, which is meant for the non-technical law enforcement folks who arrive on the scene to collect evidence. They use the USB disk configured in the tool generation phase, which runs through a set of common tools to gather volatile data, such as running processes, etc., and saves the output from each command.</li>
<li>The report generation phase, which is once again meant for the tech-savvy.&#160; It uses the same GUI console as the tool generation phase, but this time to view the reports which are generated from the output of the tools run from the USB disk.</li>
</ul>

<p>I’ve been reading some of the news articles, blogs, and related comments on the leak, which argue that hackers now have more ammunition: by seeing how COFEE works, they can improve malicious code to avoid it or misrepresent the data it collects.&#160; However, COFEE is not very special.&#160; Aside from being provided by Microsoft, it really doesn’t do much more than the other forensics toolkits out there.&#160; For example, IRCR (Incident Response Collection Report) by John McLeod, the Windows Forensic Toolchest by Monty McDougal, Harlan Carvey’s FSP (Forensic Server Project), and a forensics toolkit called PTN-FT that I’ve written myself all operate on the same basis: a forensics framework which allows you to configure a list of commands used to collect volatile data and save the output, either in some reporting format or in a format that can be uploaded to a database for analysis.</p>

<p><a rel="lightbox" href="http://praetorianprefect.com/wp-content/uploads/2009/11/ScreenHunter_01Nov.0911.30.gif"><img style="border-right-width: 0px; margin: 0px 10px 0px 0px; display: inline; border-top-width: 0px; border-bottom-width: 0px; border-left-width: 0px" title="ScreenHunter_01 Nov. 09 11.30" border="0" alt="ScreenHunter_01 Nov. 09 11.30" align="right" src="http://praetorianprefect.com/wp-content/uploads/2009/11/ScreenHunter_01Nov.0911.30_thumb.gif" width="244" height="194" /></a> Microsoft provides a GUI for tool selection (see figure) whereas most toolkits use a config file or batch file to modify tool selection and parameters.&#160; It appears even the configuration of the USB disk comes with an easy to use interface.&#160; In addition to the tools preconfigured, you can add tools from your own collection.</p>

<p>One feature I found to be useful in COFEE is the random generation of the tool names.&#160; While most toolkits out there will use tools from a good source (such as the Helix CD), Microsoft goes a step further in renaming the tools to randomly generated names, leaving no doubt that the intended version of the tool is the one running.</p>


<p><a rel="lightbox" href="http://praetorianprefect.com/wp-content/uploads/2009/11/ScreenHunter_02Nov.0911.46.gif"><img style="border-right-width: 0px; display: inline; border-top-width: 0px; border-bottom-width: 0px; border-left-width: 0px" title="ScreenHunter_02 Nov. 09 11.46" border="0" alt="ScreenHunter_02 Nov. 09 11.46" src="http://praetorianprefect.com/wp-content/uploads/2009/11/ScreenHunter_02Nov.0911.46_thumb.gif" width="244" height="190" /></a></p>

<p>The output format is XML and, when loaded into the GUI, gives a view of the information as seen in the figure on the left. As mentioned, this is not ground-breaking forensics technology, as many toolkits give a nice view into the output data by framing it in HTML.</p>

<p>More of the same in terms of forensics toolkits, COFEE keeps hashes of the tools in a checksum file and also has multiple directories for OS specific tools (\winxp, \win2k03, etc). According to the documentation, it is not supported on Vista and Windows 7, but apparently a new version is planned for those operating systems. </p>


<h3>Conclusion</h3>

<p>The conclusion is that the excitement is not warranted.&#160; There is nothing groundbreaking in COFEE that has not been seen in other toolkits.&#160; It may even fall short in some areas, as I did not see any method for memory dumps or for capturing the prefetch directory.&#160; The excitement is rather because this piece of software has been difficult to obtain, even by law enforcement, and because both forensics experts and the anti-forensics communities have been curious to see what Microsoft themselves had to provide in this space.&#160; Personally, I will pass on this cup of COFEE and continue using my own forensics framework along with the others I mentioned earlier.</p>


<hr />

<p>Default tools &amp; parameters launched by COFEE:</p>

<pre><code>arp.exe -a
at.exe
autorunsc.exe
getmac.exe
handle.exe -a
hostname.exe
ipconfig.exe /all
msinfo32.exe /report %OUTFILE%
nbtstat.exe -n
nbtstat.exe -A 127.0.0.1
nbtstat.exe -S
nbtstat.exe -c
net.exe share
net.exe use
net.exe file
net.exe user
net.exe accounts
net.exe view
net.exe start
net.exe Session
net.exe localgroup administrators /domain
net.exe localgroup
net.exe localgroup administrators
net.exe group
netdom.exe query DC
netstat.exe -ao
netstat.exe -no
openfiles.exe /query/v
psfile.exe
pslist.exe
pslist.exe -t
psloggedon.exe
psservice.exe
pstat.exe
psuptime.exe
quser.exe
route.exe print
sc.exe query
sc.exe queryex
sclist.exe
showgrps.exe
srvcheck \127.0.0.1
tasklist.exe /svc
whoami.exe
</code></pre>
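<p>The post describes what all of these toolkits have in common: a configured list of commands, run from trusted copies on removable media, with the output of each saved for later reporting, plus a checksum file over the tools. The script below is an added example of that pattern and is not COFEE’s code or any of the toolkits named above. It assumes Get-FileHash (PowerShell 4 or later); the drive letters, the manifest line format (<code>&lt;sha256 hex&gt;  &lt;tool file name&gt;</code>) and the command list are constructed for the example, the latter borrowing a few entries from the COFEE defaults listed above.</p>

```powershell
# Added example, not COFEE's code or the post's: a minimal volatile-data collection
# framework. Each tool runs only from the tool media and only if its SHA-256 matches
# the manifest; every command's output goes to its own file, and a log records the
# timestamp and the SHA-256 of each output file. Needs Get-FileHash (PowerShell 4+).
# Paths, the manifest format and the command list are constructed for the example.
param(
    [string]$ToolRoot = 'E:\tools',                             # read-only media with known-good tools
    [string]$OutRoot  = 'E:\output',
    [string]$Manifest = (Join-Path 'E:\tools' 'manifest.txt')   # lines: "<sha256 hex>  <tool file name>"
)

# Command list in the spirit of the COFEE defaults listed above: a tool and its arguments.
$Commands = @(
    @{ Tool = 'ipconfig.exe'; Args = '/all' },
    @{ Tool = 'netstat.exe';  Args = '-ano' },
    @{ Tool = 'tasklist.exe'; Args = '/svc' },
    @{ Tool = 'arp.exe';      Args = '-a' },
    @{ Tool = 'hostname.exe'; Args = '' }
)

function Read-ToolManifest([string]$Path) {
    # Returns tool file name -> expected sha256 (lower case) from "<hash>  <name>" lines
    $known = @{}
    foreach ($line in (Get-Content -Path $Path)) {
        if ($line -match '^\s*([0-9a-fA-F]{64})\s+(\S.*?)\s*$') {
            $known[$Matches[2].ToLower()] = $Matches[1].ToLower()
        }
    }
    return $known
}

function Invoke-VolatileCollection {
    param([hashtable[]]$Commands, [string]$ToolRoot, [string]$OutRoot, [hashtable]$Known)
    # One output directory per host and collection run
    $session = Join-Path $OutRoot ('{0}_{1:yyyyMMdd_HHmmss}' -f $env:COMPUTERNAME, (Get-Date))
    New-Item -ItemType Directory -Path $session -Force | Out-Null
    $log = Join-Path $session 'collection.log'
    foreach ($c in $Commands) {
        $stamp = Get-Date -Format o
        $exe   = Join-Path $ToolRoot $c.Tool
        if (-not (Test-Path -Path $exe)) {
            Add-Content -Path $log -Value "$stamp SKIP $($c.Tool): not present on tool media"
            continue
        }
        # Refuse to run a tool whose hash is unknown or altered (the checksum-file idea above)
        $actual = (Get-FileHash -Path $exe -Algorithm SHA256).Hash.ToLower()
        if ($Known[$c.Tool.ToLower()] -ne $actual) {
            Add-Content -Path $log -Value "$stamp SKIP $($c.Tool): sha256 $actual does not match manifest"
            continue
        }
        $name    = ($c.Tool + '_' + $c.Args) -replace '[^\w\.-]', '_'
        $outFile = Join-Path $session ($name + '.txt')
        $argv    = if ($c.Args) { $c.Args -split ' ' } else { @() }
        # 2>&1 keeps the tool's own error text inside the evidence file
        & $exe @argv 2>&1 | Out-File -FilePath $outFile -Encoding utf8
        $outHash = (Get-FileHash -Path $outFile -Algorithm SHA256).Hash
        Add-Content -Path $log -Value "$stamp RUN  $($c.Tool) $($c.Args) -> $(Split-Path $outFile -Leaf) sha256=$outHash"
    }
    return $session
}

$known = Read-ToolManifest -Path $Manifest
Invoke-VolatileCollection -Commands $Commands -ToolRoot $ToolRoot -OutRoot $OutRoot -Known $known
```

<p>Two choices follow directly from the post’s points: the tools are executed from the media rather than from the suspect host’s <code>System32</code>, so a trojaned <code>netstat</code> on the machine is not what produces the evidence, and the hash of each output file is logged at the moment it is written, which is what lets the report phase later show that nothing was altered in between.</p>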


<h3>Update &#8211; 11/10/09</h3>

<p>There is speculation that the version released only has 45 commands and is therefore not the full &#8220;150 command&#8221; version that Microsoft reported releasing. The released version is 1.1.2 which corresponds to the version information in the documentation. The documentation does not list 150 discrete commands (really separate programs). Therefore the 150 command statement may be incorrect or may just be inflation of what&#8217;s there (for example treating &#8216;netstat + option&#8217; as its own command).</p>

]]></content:encoded>
			<wfw:commentRss>http://praetorianprefect.com/archives/2009/11/more-cofee-please-on-second-thought/feed/</wfw:commentRss>
		<slash:comments>12</slash:comments>
		</item>
		<item>
		<title>Where is your BES Policy?</title>
		<link>http://praetorianprefect.com/archives/2009/10/where-is-your-bes-policy/</link>
		<comments>http://praetorianprefect.com/archives/2009/10/where-is-your-bes-policy/#comments</comments>
		<pubDate>Mon, 26 Oct 2009 16:23:52 +0000</pubDate>
		<dc:creator>Simon Price</dc:creator>
				<category><![CDATA[Administration]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[data leak prevention]]></category>
		<category><![CDATA[BES]]></category>
		<category><![CDATA[blackberry]]></category>
		<category><![CDATA[exchange]]></category>
		<category><![CDATA[iphone]]></category>
		<category><![CDATA[IT]]></category>
		<category><![CDATA[mobile]]></category>
		<category><![CDATA[passwords]]></category>
		<category><![CDATA[policy]]></category>
		<category><![CDATA[windows]]></category>

		<guid isPermaLink="false">http://praetorianprefect.com/?p=1139</guid>
		<description><![CDATA[Several months ago, users of a wireless carrier in the United Arab Emirates (UAE) were sent an SMS message to their Blackberry devices instructing them to install a software patch that would resolve recent network trouble they’ve been experiencing. The patch turned out to be spyware (Etisalat.A[MA]) and would intercept the user’s email, sending the [...]]]></description>
			<content:encoded><![CDATA[<p>Several months ago, users of a wireless carrier in the United Arab Emirates (UAE) were sent an SMS message to their Blackberry devices instructing them to install a software patch that would resolve recent network trouble they’ve been experiencing. The patch turned out to be spyware (<a href="http://threatcenter.smobilesystems.com/?p=1001" target="_blank">Etisalat.A[MA]</a>) and would intercept the user’s email, sending the messages to a listening agent inside the Etisalat network.</p>

<p>About one month ago, a problem in the Blackberry browser left devices open to attack due to a certificate notification flaw. An <a href="http://www.blackberry.com/btsc/viewContent.do?externalId=KB19552" target="_blank">advisory</a> from Research in Motion details how a malicious user could spoof a “trusted” website then use a phishing technique to send users to that site using SMS or email.</p>

<p>A malformed SMS message causing a memory corruption error could be used to cause a denial of service or execution of arbitrary code on Apple’s iPhone (<a href="http://support.apple.com/kb/HT3754" target="_blank">CVE-2009-2204</a>). Although not related to Blackberry, I wanted to get the point across that mobile devices are beginning to see their fair share of vulnerabilities which could lead to malicious activity.</p>

<p><img style="border-right-width: 0px; margin: 0px 20px 0px 0px; display: inline; border-top-width: 0px; border-bottom-width: 0px; border-left-width: 0px" title="ScreenHunter_18 Oct. 26 10.36" border="0" alt="ScreenHunter_18 Oct. 26 10.36" align="left" src="http://praetorianprefect.com/wp-content/uploads/2009/10/ScreenHunter_18Oct.2610.36_thumb.gif" width="177" height="244" />Turning our focus back to the Blackberry, a director for Hermis Consulting in Jakarta, Indonesia recently wrote an application for the Blackberry which can turn the handheld into a remote bugging device.     <br />The software is called <a href="http://chirashi.zensay.com/2009/10/remote-listening-for-the-blackberry/" target="_blank">PhoneSnoop</a> and was written to demonstrate how an “attacker can activate the microphone of a Blackberry handheld and listen to sounds near or around it.” There are currently no stealth or spyware aspects of the software, but it shows how the capabilities of a Blackberry could be used for malicious purposes.</p>

<p>These issues remind me of my previous position, managing a global infrastructure team for a financial company.&#160; Exchange and Blackberry services were under our umbrella of responsibilities.&#160; When I first arrived many years ago, as with most companies that are victims of rapid growth, IT policies were non-existent.&#160; Though unpopular with the users, I had to have a BES policy implemented, and one that took quite a bit of control from the user. From password policies to WiFi disabling, where is your BES policy?</p>


<p><img style="border-right-width: 0px; margin: 0px 20px 20px; float: right; border-top-width: 0px; border-bottom-width: 0px; border-left-width: 0px" title="blackberry-bold-att-single_tall" border="0" alt="blackberry-bold-att-single_tall" align="right" src="http://praetorianprefect.com/wp-content/uploads/2009/10/blackberryboldattsingle_tall.jpg" width="123" height="175" /></p>

<p><em>Note: A BES (Blackberry Enterprise Software) is middleware which connects to your enterprise messaging solution (such as Microsoft Exchange or IBM Lotus Domino) and redirects email and PIM information to and from Blackberry mobile devices.</em></p>

<p><em>Note: A BES IT Policy is configured on the BES and is assigned to the Blackberry devices over the air.&#160; Policies can be assigned to users and user groups. The default installation does not enforce any policies; enforcing them should definitely be enabled, and is best practice on any platform or device. See the bottom of this post for the KB with instructions on how to create and apply policies.</em></p>

<h4>At the bare minimum, you should have these basic policies set:</h4>

<ul>
<li>Password Required Rule – True</li>
<li>User Can Change Time – False</li>
<li>User Can Disable Password – False</li>
<li>Password Pattern Checks – Require at least 1 alpha and 1 numeric</li>
<li>Minimum Password Length – 7 characters</li>
<li>Maximum Password Age – 30 or 60 days</li>
<li>Set Password Timeout – 10 minutes</li>
<li>Set Maximum Password Attempts – 10</li>
<li>Maximum Password History – 6</li>
<li>Set Owner Info – Customize</li>
<li>Set Owner Name – Customize</li>
<li>Lock Owner Info – Customize</li>
<li>Remote Wipe Reset to Factory Defaults – True</li>
</ul>

<h4>Control Upgrades:</h4>

<ul>
<li>Allow Non Enterprise Upgrade – False</li>
<li>Disallow Device User Requested Upgrade – True</li>
</ul>

<h4>Camera Options:</h4>

<ul>
<li>Disable Photo Camera – True</li>
<li>Disable Video Camera – True</li>
</ul>

<h4>Application Control:</h4>

<ul>
<li>Disable Application Center – True</li>
<li>Allow Application Down Services – False</li>
<li>Disallow Third Party Application Downloads – True</li>
</ul>

<h4>Other Policies I Like:</h4>

<ul>
<li>Disable USB Mass Storage – True</li>
<li>Disable Blackberry Messenger – True</li>
<li>Disable Bluetooth – True</li>
<li>Allow Application Download Services – False</li>
<li>Allow Hotspot Browser – False</li>
<li>Allow IBS Browser – False</li>
</ul>

<h4>Too Much?</h4>

<p>At a glance these policies sound too strict, but the purpose of the device is for users to have access to their email, contacts and calendars anywhere, and to have a mobile phone on which they can be reached at any time.&#160; Cameras, hotspots, and transferring photos and music using USB mass storage are features that are not necessary for that. If you have legitimate business needs for these features, then you can enable them for certain user groups using a policy.</p>

<p>The policies mentioned are a very small fraction of what is available. I’d like to hear which policies you find useful in your environment, or which you find to be more harm than good.</p>

<p>For a complete list of policies, please see the <a href="http://docs.blackberry.com/eng/deliverables//3801/Policy_Reference_Guide.pdf" target="_blank">Policy Reference Guide</a>.</p>


<h4>Howto</h4>

<p><b>Create, Assign, View, and Send IT policies</b><br />
<b>Doc ID:</b> KB02022<br />
<b>Last Modified:</b> 2007-02-01<br />
<b>Document Type:</b> How To</p>

<p><b>Environment</b><br />
This article applies to BlackBerry® Enterprise Server software versions 3.6, 4.0, and 4.1 for Microsoft® Exchange.</p>

<p><b>Procedure</b><br />
The BlackBerry Enterprise Server uses an IT policy to control the behavior of the BlackBerry devices assigned to it. IT policies cover a wide range of BlackBerry device functions (for example, passwords, attachment viewing, and available browsers). Administrators can create custom IT policies in addition to the IT policies already present on the BlackBerry Enterprise Server.</p>

<p><b>Creating IT Policies</b><br />
To create an IT policy, complete these steps:</p>

<p>BlackBerry Enterprise Server software versions 3.6 and 4.0</p>

<ol>   <li>Depending on your version, open the BlackBerry Enterprise Server Management console or BlackBerry Manager. </li>    <li>Right-click the BlackBerry Enterprise Server name, then click <b>IT Policy</b>. </li>    <li>Click <b>New</b>, then create a name for the IT policy. </li>    <li>Select the check box beside each IT policy rules item you would like to assign. A description of the IT policy will appear. </li>    <li>To enable the selected IT policy, in the description window, click <b>TRUE</b>. </li>    <li>Click <b>Apply</b>, then click <b>OK</b>. </li> </ol>

<p>BlackBerry Enterprise Server software version 4.1</p>

<ol>   <li>In BlackBerry Manager, select <b>Servers</b>, then click the <b>Global</b> tab. </li>    <li>From the Tasks menu, click <b>Edit Properties</b>. </li>    <li>Select <b>IT Policy</b>, then double-click <b>IT Policies</b>. </li>    <li>Click <b>New</b>, then create a name for the IT policy. </li>    <li>Select an IT policy group to view the associated IT policy rules. </li>    <li>Select the appropriate IT policy rules. </li>    <li>Click <b>Apply</b>, then click <b>OK</b>. </li> </ol>

<p><b>Assigning IT Policies</b><br />
To assign an IT policy to a BlackBerry device user, complete the following steps:</p>

<p>BlackBerry Enterprise Server software versions 3.6 and 4.0</p>

<ol>   <li>Depending on your version, open the BlackBerry Enterprise Server Management console or BlackBerry Manager. </li>    <li>Right-click the BlackBerry Enterprise Server name, then click <b>IT Policy</b>. </li>    <li>Select an IT policy, then click <b>Edit User List</b>. </li>    <li>Click <b>Add Users to This Policy</b>. </li>    <li>Select a BlackBerry device user, then click <b>Add</b>. </li>    <li>Click <b>Close</b>, then click <b>OK</b> to close the Edit IT Policy Userlist window. </li>    <li>Click <b>OK</b> again. </li> </ol>

<p>BlackBerry Enterprise Server software version 4.1</p>

<ol> <li>In BlackBerry Manager, select <b>Servers</b>, then click the <b>Global</b> tab. </li> <li>From the Tasks menu, select <b>Edit Properties</b>. </li> <li>Select <b>IT Policy</b>, then double-click <b>IT Policy to User Mapping</b>. </li> <li>Select a BlackBerry device user, then click the button next to the appropriate IT policy. </li> <li>Click <b>OK</b> to close the IT Policy to User Mapping window. </li> <li>Click <b>Apply</b>, then click <b>OK</b>. </li> </ol>

<p><b>Viewing IT Policies</b><br />
To view IT policies on the BlackBerry Enterprise Server, complete these steps:</p>

<p>BlackBerry Enterprise Server software versions 3.6 and 4.0</p>

<ol> <li>Depending on your version, open the BlackBerry Enterprise Server Management console or BlackBerry Manager. </li> <li>Right-click the BlackBerry Enterprise Server name, then click <b>IT Policy</b>. </li> <li>Select an IT policy, then click <b>View</b> to see the BlackBerry device and Desktop Policy Settings that have been applied. </li> <li>Click <b>OK</b> to close the View Policy window. </li> <li>Click <b>OK</b> again. </li> </ol>

<p>BlackBerry Enterprise Server software version 4.1</p>

<ol>   <li>In BlackBerry Manager, click <b>Servers</b>, then click the <b>Global</b> tab. </li>    <li>From the Tasks menu, select <b>Edit Properties</b>. </li>    <li>Select <b>IT Policy</b>, then double-click <b>IT Policies</b>. </li>    <li>To view the IT policy rules, click <b>Properties</b>. </li>    <li>Click <b>OK</b>. </li> </ol>

<p>To view an IT policy on a BlackBerry device, complete these steps:</p>

<ol>   <li>From the Home screen, select <b>Options</b>. </li>    <li>Select <b>Security Options &gt; General Settings</b>. </li>    <li>The IT policy Name, Last Updated, and Time Stamp fields will be listed. </li> </ol>

<blockquote>   <p><b>Note:</b> Depending on the BlackBerry device and BlackBerry Device Software version, the instructions for viewing the IT policy on the BlackBerry device may vary. For example, on the BlackBerry 7100 series, the BlackBerry device user must select <b>Settings</b> or <b>Tools</b>, then select <b>Security</b>.</p> </blockquote>

<p><b>Sending IT Policies</b><br />
To send an IT policy to a BlackBerry device user, complete the following steps:<br />
<b>Note:</b> By default, when you assign an IT policy to a BlackBerry device user, the IT policy is automatically sent to the BlackBerry device user.<br />
<b>Note:</b> When a change is made to an existing IT policy, it is automatically resent to all BlackBerry device users assigned to that IT policy.</p>

<p>BlackBerry Enterprise Server software versions 3.6 and 4.0</p>

<ol> <li>Depending on your version, open the BlackBerry Enterprise Server Management console or BlackBerry Manager. </li> <li>Select the BlackBerry Enterprise Server name, then right-click a BlackBerry device user name. </li> <li>Click <b>Properties</b>. </li> <li>On the IT Admin tab, click <b>Resend policy</b>. </li> <li>Click <b>Apply</b>, then click <b>OK</b>. </li> </ol>

<p>BlackBerry Enterprise Server software version 4.1</p>

<ol>   <li>In BlackBerry Manager, select the BlackBerry Enterprise Server name. </li>    <li>Select a BlackBerry device user, then click the question mark ( <b>?</b> ) symbol beside <b>IT Admin</b>. </li>    <li>From the menu that appears, you can resend the IT policy or assign an IT policy to a BlackBerry device user. </li>    <li>Click <b>OK</b>. </li> </ol>

<p><strong>Related Posts:</strong></p>
<ul>
<li><a href="http://praetorianprefect.com/archives/2010/06/iphone-4-ordering-and-session-switching/">iPhone 4 Ordering and Session Switching</a></li>
<li><a href="http://praetorianprefect.com/archives/2010/05/mays-patch-tuesday/">May&#8217;s Patch Tuesday</a></li>
<li><a href="http://praetorianprefect.com/archives/2010/03/3473/">March&#8217;s Patch Tuesday</a></li>
<li><a href="http://praetorianprefect.com/archives/2010/03/press-f1-for-help-pwned/">Press F1 for Help, pwned.</a></li>
<li><a href="http://praetorianprefect.com/archives/2010/01/first-patch-tuesday-of-2010/">First Patch Tuesday of 2010</a></li>
</ul><br />
]]></content:encoded>
			<wfw:commentRss>http://praetorianprefect.com/archives/2009/10/where-is-your-bes-policy/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Adobe to release critical update on patch Tuesday</title>
		<link>http://praetorianprefect.com/archives/2009/10/adobe-to-release-critical-update-on-patch-tuesday/</link>
		<comments>http://praetorianprefect.com/archives/2009/10/adobe-to-release-critical-update-on-patch-tuesday/#comments</comments>
		<pubDate>Fri, 09 Oct 2009 15:03:50 +0000</pubDate>
		<dc:creator>Simon Price</dc:creator>
				<category><![CDATA[Featured]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[adobe]]></category>
		<category><![CDATA[exploit]]></category>
		<category><![CDATA[patch]]></category>
		<category><![CDATA[patch tuesday]]></category>
		<category><![CDATA[reader]]></category>
		<category><![CDATA[updates]]></category>
		<category><![CDATA[Vulnerability]]></category>
		<category><![CDATA[zero-day]]></category>

		<guid isPermaLink="false">http://praetorianprefect.com/?p=882</guid>
		<description><![CDATA[A new zero-day vulnerability in Adobe Reader and Acrobat 9.1.3 has been identified by Chia-Ching Fang and the Taiwanese Information and Communication Security Technology Service Center that allows an attacker to remotely execute arbitrary code. The attack is seeded by providing via e-mail or download a specially crafted PDF file which in current examples will then drop a malware executable as well as an unaffected pdf file.]]></description>
			<content:encoded><![CDATA[<p><a href="http://praetorianprefect.com/wp-content/uploads/2009/10/adobelq1.png"><img style="border-bottom: 0px; border-left: 0px; display: inline; border-top: 0px; border-right: 0px" title="adobe-lq" border="0" alt="adobe-lq" src="http://praetorianprefect.com/wp-content/uploads/2009/10/adobelq_thumb1.png" width="47" height="76" /></a></p>

<p>A new zero-day vulnerability in Adobe Reader and Acrobat 9.1.3 has been identified by Chia-Ching Fang and the Taiwanese Information and Communication Security Technology Service Center that allows an attacker to remotely execute arbitrary code. The attack is seeded by delivering, via e-mail or download, a specially crafted PDF file which in the current examples drops a malware executable as well as an unaffected PDF file. McAfee identifies this as Exploit-PDF.m and already has a signature for the specific Trojan observed. This is the fourth PDF-related zero-day attack of 2009, and a further incentive for enterprises to bring application patching in line with their processes for operating system patching.</p>

<p>The crafted PDF file contains JavaScript that is used to execute arbitrary code via a technique known as heap spraying. The initial shellcode jumps program execution to a second shellcode, which in turn executes a malicious file that creates a backdoor (remote access to the infected computer). <a href="http://blog.trendmicro.com/new-adobe-zero-day-exploit/">Trend Micro</a> identifies this malware as a Protux variant. Protux backdoors provide user-level access to the machine and have been seen as the payloads of Microsoft Office (Word, PowerPoint, Excel, Access) exploits as well as previous Adobe Reader exploits. The Protux family of Trojans has been around since at least 2007.</p>

<p>The identification of this exploit has prompted Adobe to announce a critical patch for release on Tuesday, October 13th. The company posted a <a href="http://www.adobe.com/support/security/bulletins/apsb09-15.html">security advisory</a> yesterday announcing plans to release the update to &#8220;resolve critical security issues&#8221;. The vulnerability is being exploited, although it is unclear how widespread the attacks are. Adobe asserts that the vulnerability is being exploited in &#8220;limited, targeted attacks&#8221; confined to Windows operating systems, although the vulnerability itself also exists on other operating systems.</p>

<blockquote>
  <p>“There are reports that this issue is being exploited in the wild in limited targeted attacks”     <br /> – David Lenoe of Adobe</p>
</blockquote>

<p>Vupen Security posted an <a href="http://www.vupen.com/english/advisories/2009/2851">advisory</a> on the vulnerability (CVE-2009-3459) which states that the issue is an unspecified memory corruption error that could be exploited to allow attackers to compromise a system remotely.</p>

<h3>Workarounds</h3>

<h4>Disabling Javascript on Adobe Acrobat</h4>

<p>Adobe notes that disabling JavaScript mitigates the specific exploit identified, although it would be possible to create a variant that does not rely on JavaScript. To disable JavaScript in Adobe Reader or Acrobat, select Edit &gt; Preferences, select the JavaScript option on the left, and uncheck the <i>Enable Acrobat JavaScript</i> option as shown.</p>

<div id="attachment_916" class="wp-caption alignnone" style="width: 650px"><a href="http://praetorianprefect.com/wp-content/uploads/2009/10/AcrobatPreferences.png"><img src="http://praetorianprefect.com/wp-content/uploads/2009/10/AcrobatPreferences.png" alt="Uncheck to disable Acrobat JavaScript" title="AcrobatPreferences" width="640" height="424" class="size-full wp-image-916" /></a><p class="wp-caption-text">Uncheck to disable Acrobat JavaScript</p></div>

<h4>Data Execution Prevention</h4>

<p>Also, users with DEP enabled on Windows Vista or Windows 7 are protected from this exploit. Data Execution Prevention (DEP) performs additional checks on memory to help prevent malicious code from running, and is designed to stop buffer overflow attacks. To enable DEP on Windows for all or individual programs, go to Control Panel -> System and Maintenance -> System, click Advanced System Settings, under Performance click Settings, and finally under the Data Execution Prevention tab click <i>Turn on DEP for all programs and services except those I select</i>. If Acrobat does not appear in the list of programs, click Add, browse to the Acrobat executable (.exe) file and click Open. For more information on DEP settings, visit the <a href="http://windows.microsoft.com/en-us/windows-vista/Change-Data-Execution-Prevention-settings">Microsoft help page</a>.</p>
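<p>Both workarounds leave the reader with two questions per machine: is Reader still at the vulnerable level, and what is the system-wide DEP policy? The following PowerShell script is an added example (not from the original post or from Adobe) that answers both read-only. It assumes only the standard Windows Uninstall registry keys and the documented <code>Win32_OperatingSystem</code> DEP property; the 9.1.3 threshold is the version named in the post.</p>

```powershell
# Added example (not from the original post): audit a Windows host for the
# installed Adobe Reader/Acrobat version and the system-wide DEP policy.
# Read-only; nothing is changed.

# Standard Windows inventory location; the Wow6432Node branch holds 32-bit
# installs on 64-bit Windows.
$UninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

function Get-AdobePdfInstalls {
    Get-ItemProperty -Path $UninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -match '^Adobe (Reader|Acrobat)' } |
        Select-Object DisplayName, DisplayVersion
}

# Versions at or below the one the post names (9.1.3) are flagged; the fixed
# release will carry a higher version number.
function Test-VulnerableReader {
    param(
        [Parameter(Mandatory)][string]$DisplayVersion,
        [version]$LastVulnerable = [version]'9.1.3'
    )
    try {
        $parsed = [version]$DisplayVersion
    } catch {
        # An unparseable version string is treated as suspect, not silently passed.
        return $true
    }
    return ($parsed -le $LastVulnerable)
}

# Win32_OperatingSystem.DataExecutionPrevention_SupportPolicy:
#   0 = AlwaysOff, 1 = AlwaysOn, 2 = OptIn (Windows programs and services only),
#   3 = OptOut, which is the "Turn on DEP for all programs and services
#       except those I select" radio button described in the post.
function Get-DepPolicy {
    $policy = (Get-WmiObject -Class Win32_OperatingSystem).DataExecutionPrevention_SupportPolicy
    $names  = @{ 0 = 'AlwaysOff'; 1 = 'AlwaysOn'; 2 = 'OptIn'; 3 = 'OptOut' }
    [pscustomobject]@{
        PolicyValue       = [int]$policy
        PolicyName        = $names[[int]$policy]
        CoversAllPrograms = ($policy -eq 1 -or $policy -eq 3)
    }
}

# Report
$dep = Get-DepPolicy
Write-Output ("DEP policy: {0} ({1}); covers non-Windows programs by default: {2}" -f `
    $dep.PolicyValue, $dep.PolicyName, $dep.CoversAllPrograms)

$installs = @(Get-AdobePdfInstalls)
if ($installs.Count -eq 0) { Write-Output 'No Adobe Reader/Acrobat installation found.' }
foreach ($app in $installs) {
    $flag = if (Test-VulnerableReader -DisplayVersion $app.DisplayVersion) { 'UPDATE NEEDED' } else { 'ok' }
    Write-Output ("{0} {1}: {2}" -f $app.DisplayName, $app.DisplayVersion, $flag)
}
```

<p>Run it from an elevated prompt on each workstation, or push it through your existing management tooling, to get the per-host picture the Qualys graph below shows in aggregate.</p>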

<h3>In Conclusion</h3>

<p>In June Adobe moved to the same Tuesday patch schedule that Microsoft and Oracle had previously adopted. This latest zero-day exploit is another reminder of an ongoing issue for organizations: patch management must extend beyond the operating system. While enterprises focus on getting the latest Microsoft updates onto desktops and servers, applications such as Adobe Reader are left out of the same rigorous patch management exercise.</p>

<p>Qualys demonstrated this problem when the first Adobe exploit of the year was released in February, APSA09-01. Although a fix was released on March 10th (the red line in their graph), by April 27th there was still no clear reduction in the number of vulnerable machines. A 30-day patch management cycle, including testing of the patch before full enterprise release, would have shown a steep drop-off on or about April 10th:</p>

<div id="attachment_914" class="wp-caption alignnone" style="width: 609px"><a href="http://praetorianprefect.com/wp-content/uploads/2009/10/adobe_april_09.png"><img src="http://praetorianprefect.com/wp-content/uploads/2009/10/adobe_april_09.png" alt="Source: http://laws.qualys.com/lawsblog/2009/04/new-adobe-0-day-vulnerability.html" title="adobe_april_09" width="599" height="341" class="size-full wp-image-914" /></a><p class="wp-caption-text">Source: http://laws.qualys.com/lawsblog/2009/04/new-adobe-0-day-vulnerability.html</p></div>

<p>In March Adobe patched a two-month-old zero-day exploit, followed by another patch in May to block a second zero-day attack. In July a fix was released for a Flash-related PDF flaw. As evidenced by the four exploits so far this year, Adobe applications are becoming an increasingly attractive target for bad actors.</p>

<p><strong>Related Posts:</strong></p>
<ul>
<li><a href="http://praetorianprefect.com/archives/2010/06/iphone-4-ordering-and-session-switching/">iPhone 4 Ordering and Session Switching</a></li>
<li><a href="http://praetorianprefect.com/archives/2010/05/mays-patch-tuesday/">May&#8217;s Patch Tuesday</a></li>
<li><a href="http://praetorianprefect.com/archives/2010/03/3473/">March&#8217;s Patch Tuesday</a></li>
<li><a href="http://praetorianprefect.com/archives/2010/03/press-f1-for-help-pwned/">Press F1 for Help, pwned.</a></li>
<li><a href="http://praetorianprefect.com/archives/2010/01/the-aurora-ie-exploit-in-action/">The &#8220;Aurora&#8221; IE Exploit Used Against Google in Action</a></li>
</ul><br />
]]></content:encoded>
			<wfw:commentRss>http://praetorianprefect.com/archives/2009/10/adobe-to-release-critical-update-on-patch-tuesday/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Server 2008 R2: Active Directory Functional Levels</title>
		<link>http://praetorianprefect.com/archives/2009/10/server-2008-r2-active-directory-functional-levels/</link>
		<comments>http://praetorianprefect.com/archives/2009/10/server-2008-r2-active-directory-functional-levels/#comments</comments>
		<pubDate>Tue, 06 Oct 2009 09:12:14 +0000</pubDate>
		<dc:creator>Simon Price</dc:creator>
				<category><![CDATA[Administration]]></category>
		<category><![CDATA[Networking]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[windows]]></category>
		<category><![CDATA[active directory]]></category>
		<category><![CDATA[federation services]]></category>
		<category><![CDATA[kerberos]]></category>
		<category><![CDATA[ldap]]></category>
		<category><![CDATA[Microsoft]]></category>
		<category><![CDATA[powershell]]></category>
		<category><![CDATA[server]]></category>
		<category><![CDATA[windows 2008]]></category>

		<guid isPermaLink="false">http://praetorianprefect.com/?p=758</guid>
		<description><![CDATA[Windows Server 2008 R2 was released in August, and it introduced new functional levels for Active Directory. This article takes a look back at the different functional levels of the past and what is new in the latest release of the server operating system for Active Directory (yes, a recycle bin for AD objects!).

Functional levels [...]]]></description>
			<content:encoded><![CDATA[<p>Windows Server 2008 R2 was released in August, and it introduced new functional levels for Active Directory. This article takes a look back at the different functional levels of the past and what is new in the latest release of the server operating system for Active Directory (yes, a recycle bin for AD objects!).</p>

<p>Functional levels were first introduced when Active Directory made its appearance in Windows 2000 Server. They allowed you to run different versions of domain controllers in your environment, and when all the domain controllers were brought up to a certain version of Windows, you could raise the functional levels to gain the added features of that operating system version. Now that Windows 2008 R2 is released, it is unlikely that you will mass deploy this new operating system to your entire forest or domain. Instead, you&#8217;ll deploy a single domain controller and kick the tires, so to speak. The time will eventually come when you&#8217;ve upgraded every domain controller to R2, and at that point you can raise the functional level to 2008 R2 to take advantage of the new features.</p>

<p>Functional levels can be raised in domains or, as of Windows 2003 Server, in the forest, providing different features in each. They are differentiated by labeling them Domain Functional Level and Forest Functional Level.</p>

<h3>What&#8217;s new in 2008 R2</h3>

<h4><u>Domain Functional Level</u></h4>

<p>There are two features added when raising the domain functional level to 2008 R2. They are Authentication Mechanism Assurance and Automatic SPN Management.</p>

<p><strong>Authentication mechanism assurance</strong> is meant for domains that use federation services (ADFS) or certificate-based authentication methods, such as smart card or token-based authentication. This mechanism adds information to the user&#8217;s Kerberos token about the type of authentication used, which allows administrators to vary group membership based on how the user authenticated. For example, a user can have access to different resources when logging in with a certificate than when logging in with just a username and password.</p>

<p><strong>Automatic SPN management</strong> provides a method for managing service accounts for applications such as Exchange, SQL and IIS. In the past, regular domain accounts were used for these purposes, adding management headaches in terms of password management and service principal names (SPNs). This new feature provides the following benefits:</p>

<ul>
<li>A class of domain accounts can be used to manage and maintain services on local computers.</li>
<li>Passwords for these accounts will be reset automatically.</li>
<li>Administrators do not have to complete complex SPN management tasks to use managed service accounts.</li>
<li>Administrative tasks for managed service accounts can be delegated to non-administrators.</li>
</ul>

<h4><u>Forest Functional Level</u></h4>

<p>There is one new feature gained by raising the forest functional level to Server 2008 R2, and it is long overdue: the Active Directory Recycle Bin. In the days of old, when an IT administrator or help desk operator accidentally deleted an OU filled with user or computer objects (this has happened more times than you would think), there would be a scramble to perform a restore. The delete replicates to all domain controllers, so an authoritative restore from a good backup, in Directory Services Restore Mode using NTDSutil, would be in order. At the 2008 R2 forest functional level, a PowerShell cmdlet will undo this instantly.</p>

<p>Note that this feature is not enabled automatically when you raise the forest functional level. You must also run the following command in the Active Directory Module for Windows PowerShell (replace <code>mydomain.com</code> with your own forest root domain):</p>

<pre><code>Enable-ADOptionalFeature -Identity 'CN=Recycle Bin Feature,CN=Optional Features,CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=mydomain,DC=com' `
    -Scope ForestOrConfigurationSet -Target 'mydomain.com'
</code></pre>
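<p>The post describes the undo but does not show it. The following script is an added example (not from the original post or from Microsoft) using the Active Directory module cmdlets: it checks that the forest is at a level where the Recycle Bin can be enabled and whether it is, lists what is currently deleted, and restores a deleted OU together with the objects it held. The OU name <code>Sales</code> is a placeholder.</p>

```powershell
# Added example (not from the original post): Recycle Bin status, deleted-object
# listing, and restore of an OU plus its former children. 'Sales' is a placeholder.
Import-Module ActiveDirectory

function Get-RecycleBinStatus {
    $forest  = Get-ADForest
    $feature = Get-ADOptionalFeature -Filter 'name -like "Recycle Bin Feature"'
    [pscustomobject]@{
        Forest            = $forest.Name
        ForestMode        = $forest.ForestMode          # Windows2008R2Forest or later required
        RecycleBinEnabled = (@($feature.EnabledScopes).Count -gt 0)
    }
}

# Deleted objects are only returned with -IncludeDeletedObjects; their RDN gains
# a "\0ADEL:<guid>" suffix, so match on the original name as a prefix.
function Get-DeletedObjects {
    param([string]$NamePrefix = '')
    Get-ADObject -LDAPFilter "(&(isDeleted=TRUE)(!(name=Deleted Objects))(name=$NamePrefix*))" `
        -IncludeDeletedObjects -Properties lastKnownParent, whenChanged |
        Select-Object Name, ObjectClass, lastKnownParent, whenChanged, ObjectGUID
}

# Restore the OU first, then the objects whose lastKnownParent was that OU:
# Restore-ADObject needs the parent container to exist before a child can return.
function Restore-DeletedOU {
    param([Parameter(Mandatory)][string]$OUName)
    $ous = @(Get-ADObject -LDAPFilter "(&(isDeleted=TRUE)(objectClass=organizationalUnit)(name=$OUName*))" `
        -IncludeDeletedObjects)
    if ($ous.Count -ne 1) {
        throw "Expected exactly one deleted OU matching '$OUName', found $($ous.Count)"
    }
    $ou        = $ous[0]
    $deletedDn = $ou.DistinguishedName    # children still reference this DN in lastKnownParent
    Restore-ADObject -Identity $ou.ObjectGUID
    Get-ADObject -LDAPFilter '(isDeleted=TRUE)' -IncludeDeletedObjects -Properties lastKnownParent |
        Where-Object { $_.lastKnownParent -eq $deletedDn } |
        Restore-ADObject
}

Get-RecycleBinStatus
Get-DeletedObjects -NamePrefix 'Sales' | Format-Table -AutoSize
# Restore-DeletedOU -OUName 'Sales'    # uncomment to perform the restore
```

<p>Objects are restorable only within the deleted-object lifetime (180 days by default); after that they become recycled objects and a backup is once again the only way back.</p>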

<h4>Functional levels of previous versions</h4>

<p>The following are the previous functional levels and what features they added, as documented in <a href="http://technet.microsoft.com/en-us/library/cc771132(WS.10).aspx">Technet</a>.</p>

<hr />

<h3>Domain Functional Levels:</h3>

<h4>Windows 2000 Native:</h4>

<ul>
<li>Universal groups are enabled for both distribution groups and security groups.</li>
<li>Group nesting.</li>
<li>Group conversion is enabled, which makes conversion between security groups and distribution groups possible.</li>
<li>Security identifier (SID) history.</li>
</ul>

<h4>Windows Server 2003</h4>

<ul>
<li>The availability of the domain management tool, <code>Netdom.exe</code>, to prepare for domain controller rename.</li>
<li>Update of the logon time stamp. The <code>lastLogonTimestamp</code> attribute will be updated with the last logon time of the user or computer. This attribute is replicated within the domain.</li>
<li>The ability to set the <code>userPassword</code> attribute as the effective password on <code>inetOrgPerson</code> and user objects.</li>
<li>The ability to redirect the Users and Computers containers. By default, two well-known containers are provided for housing computer and user/group accounts: namely, <code>cn=Computers</code> and <code>cn=Users</code>. This feature makes possible the definition of a new well-known location for these accounts.</li>
<li>Makes it possible for Authorization Manager to store its authorization policies in Active Directory Domain Services (AD DS).</li>
<li>Includes constrained delegation so that applications can take advantage of the secure delegation of user credentials by means of the Kerberos authentication protocol. Delegation can be configured to be allowed only to specific destination services.</li>
<li>Supports selective authentication, through which it is possible to specify the users and groups from a trusted forest who are allowed to authenticate to resource servers in a trusting forest.</li>
</ul>

<h4>Windows Server 2008</h4>

<ul>
<li>Distributed File System (DFS) Replication support for SYSVOL, which provides more robust and detailed replication of SYSVOL contents.</li>
<li>Advanced Encryption Standard (AES 128 and 256) support for the Kerberos authentication protocol.</li>
<li>Last Interactive Logon Information, which displays the time of the last successful interactive logon for a user, from what workstation, and the number of failed logon attempts since the last logon.</li>
<li>Fine-grained password policies (FGPP), which make it possible for password and account lockout policies to be specified for users and global security groups in a domain.</li>
</ul>

<h3>Forest Functional Levels:</h3>

<h4>Windows 2000:</h4>

<p>There were no forest functional levels, just domain.</p>

<h4>Windows Server 2003:</h4>

<ul>
<li>Forest trust.</li>
<li>Domain rename.</li>
<li>Linked-value replication (changes in group membership store and replicate values for individual members instead of replicating the entire membership as a single unit). This change results in lower network bandwidth and processor usage during replication and eliminates the possibility of lost updates when different members are added or removed concurrently at different domain controllers.</li>
<li>The ability to deploy a read-only domain controller (RODC) that runs Windows Server 2008.</li>
<li>Improved Knowledge Consistency Checker (KCC) algorithms and scalability. The Intersite Topology Generator (ISTG) uses improved algorithms that scale to support forests with a greater number of sites than can be supported at the Windows 2000 forest functional level. The improved ISTG election algorithm is a less intrusive mechanism for choosing the ISTG than the one used at the Windows 2000 forest functional level.</li>
<li>An improved ISTG algorithm (better scaling of the algorithm that the ISTG uses to connect all sites in the forest).</li>
<li>The ability to create instances of the dynamic auxiliary class called dynamicObject in a domain directory partition.</li>
<li>The ability to convert an <code>inetOrgPerson</code> object instance into a User object instance, and the reverse.</li>
<li>The ability to create instances of the new group types, called application basic groups and Lightweight Directory Access Protocol (LDAP) query groups, to support role-based authorization.</li>
<li>Deactivation and redefinition of attributes and classes in the schema.</li>
</ul>

<h4>Windows Server 2008:</h4>

<p>No forest functional level changes occurred from Windows 2003 to Windows 2008.</p>

<p><strong>Related Posts:</strong></p>
<ul>
<li><a href="http://praetorianprefect.com/archives/2010/06/iphone-4-ordering-and-session-switching/">iPhone 4 Ordering and Session Switching</a></li>
<li><a href="http://praetorianprefect.com/archives/2010/05/mays-patch-tuesday/">May&#8217;s Patch Tuesday</a></li>
<li><a href="http://praetorianprefect.com/archives/2010/03/3473/">March&#8217;s Patch Tuesday</a></li>
<li><a href="http://praetorianprefect.com/archives/2010/03/press-f1-for-help-pwned/">Press F1 for Help, pwned.</a></li>
<li><a href="http://praetorianprefect.com/archives/2010/01/disable-acrobat-reader-pdf-in-the-enterprise/">Using Group Policy to Disable JavaScript in Adobe PDF Files</a></li>
</ul><br />
]]></content:encoded>
			<wfw:commentRss>http://praetorianprefect.com/archives/2009/10/server-2008-r2-active-directory-functional-levels/feed/</wfw:commentRss>
		<slash:comments>7</slash:comments>
		</item>
		<item>
		<title>2008 Server to the Core</title>
		<link>http://praetorianprefect.com/archives/2009/09/2008-server-to-the-core/</link>
		<comments>http://praetorianprefect.com/archives/2009/09/2008-server-to-the-core/#comments</comments>
		<pubDate>Wed, 23 Sep 2009 21:47:06 +0000</pubDate>
		<dc:creator>Simon Price</dc:creator>
				<category><![CDATA[Administration]]></category>
		<category><![CDATA[Featured]]></category>
		<category><![CDATA[Networking]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[active directory]]></category>
		<category><![CDATA[cli]]></category>
		<category><![CDATA[firewall]]></category>
		<category><![CDATA[Microsoft]]></category>
		<category><![CDATA[scripting]]></category>
		<category><![CDATA[windows]]></category>
		<category><![CDATA[windows 2008]]></category>

		<guid isPermaLink="false">http://praetorianprefect.com/?p=398</guid>
		<description><![CDATA[One of my favorite websites in the days of Windows 2000 Server was a project from a group of system managers from the Department of Electrical Engineering at the Swiss Federal Institute of Technology; it was titled “Real Men Don&#8217;t Click”, and it was dedicated to accomplishing tasks solely using the command line interface (CLI). [...]]]></description>
			<content:encoded><![CDATA[<p>One of my favorite websites in the days of Windows 2000 Server was a project from a group of system managers from the Department of Electrical Engineering at the Swiss Federal Institute of Technology; it was titled “Real Men Don&#8217;t Click”, and it was dedicated to accomplishing tasks solely using the command line interface (CLI). I was glad to see I wasn&#8217;t the only CLI fan in the Windows world who wasn&#8217;t inherently a former UNIX guy. Well, discounting the fact our friends at SFIT were inherently UNIX guys, they were very fair in their presentation of how to get around in the CLI.</p>

<p>This article is not just for the CLI fans like me, who snicker when forced to grab at the mouse for tasks they much prefer taking on in that wonderful black box with the blinking cursor; but for anyone who will deploy a core installation of Windows. This is not an anti-GUI rant, but a look into the CLI, and one that is much needed after Microsoft released Windows 2008 Server Core Edition.</p>

<p>Microsoft started to return CLI tools back to administrators in Windows 2000 when they released <code>netsh.exe</code>. More and more CLI options surfaced with releases of Support Tools, Resource Kits, and the popular PS suite from SysInternals (now Microsoft). The most recent evidence of the resurgence of the CLI is Windows 2008 Server Core Edition. This version is entirely driven with the command line interface.</p>

<p>The following roles are supported in a core installation:</p>

<ul>
    <li>Active Directory Certificate Services</li>
    <li>Active Directory Domain Services</li>
    <li>Active Directory Lightweight Directory Services (AD LDS)</li>
    <li>DHCP Server</li>
    <li>DNS Server</li>
    <li>File Services (including File Server Resource Manager)</li>
    <li>Hyper-V</li>
    <li>Print and Document Services</li>
    <li>Web Server (including a subset of ASP.NET)</li>
</ul>

<p>Why choose Core over a standard installation? A Core setup installs only the binaries needed by the server roles. Microsoft claims that if Windows 2000 Server had had a Core edition, it would have seen a <strong>60% reduction</strong> in patches (40% in Windows 2003). That is a considerable number of patches for critical servers such as domain controllers.</p>

<p>So let’s get started with some administration tasks in Windows 2008 Server Core Edition: getting things up and running, configuring roles, promoting to a domain controller, and essentially running a version of Microsoft&#8217;s OS that does not include explorer.exe. (What? No Desktop?)</p>

<p>The following commands were executed on an installation of Microsoft Windows 2008 Server Core Standard R2. For those who don&#8217;t have the time to muck with the CLI, R2 includes a new VBScript (<strong>sconfig.vbs</strong>) that provides a menu-driven server configuration tool to get through these steps quickly. However, I recommend doing it the long way at least once so you understand what&#8217;s happening if you run into issues later. The install itself is straightforward, so I&#8217;ll skip the details; the important choice is which version of the OS to install, and I selected Windows 2008 R2 Standard (Server Core Installation). After a dialog to set the administrator password, I&#8217;m left with a DOS prompt.</p>

<p><strong><span style="text-decoration: underline;">GETTING STARTED</span></strong></p>

<p>First things first, IP connectivity. I&#8217;ll be using 192.168.1.0/24 for the network:</p>

<p><em><span style="font-size: xx-small;">Note: netsh.exe lets you put all the options and parameters on one line, or you can run netsh.exe and descend into each configuration context (e.g. interface) until you are deep enough to execute the command (e.g. set). To keep it simple, I&#8217;ll write the commands out as single lines, but definitely run netsh.exe with no options and explore the many configuration areas available.</span></em></p>

<p>Let’s list available network interfaces to see which one we need to configure:</p>

<pre><code>netsh interface ipv4 show interfaces
</code></pre>

<p>Result:</p>

<pre><code>  Idx     Met        MTU           State                Name
  ---  ----------  ----------  ------------  ---------------------------
    3           5        1500  connected     Local Area Connection
    1          50  4294967295  connected     Loopback Pseudo-Interface 1
</code></pre>

<p>Now, Local Area Connection is what I&#8217;m interested in, which is Idx=3. Let&#8217;s set an IP on that interface:</p>

<pre><code>netsh int ipv4 set address name=3 source=static address=192.168.1.25 mask=255.255.255.0 gateway=192.168.1.1
</code></pre>

<p>Note the name=3 parameter; 3 was the IDX number retrieved in the previous step. You will not get a resulting output, but you can double check your settings by running <strong>ipconfig /all</strong>.</p>

<p>Next step is to add DNS servers for name resolution. If this will be the first Domain Controller in the Forest and will run DNS, you can skip this, otherwise, add your DNS servers now (the example assumes DNS servers 192.168.1.20 and 192.168.1.21):</p>

<pre><code>netsh interface ipv4 add dnsserver name=3 address=192.168.1.20 index=1
</code></pre>

<p>add a secondary dns server:</p>

<pre><code>netsh interface ipv4 add dnsserver name=3 address=192.168.1.21 index=2
</code></pre>

<p>Note that we used the name=3 parameter again to add these DNS entries to the network interface we are interested in. Once again, you can double check your settings with <strong>ipconfig /all</strong>.</p>

<p>Now we have connectivity. Let&#8217;s rename the computer and join a domain. Windows assigned a random computer name; you can see what it is by typing <strong>hostname</strong>. Mine happened to be WIN-EPNB8G5FAUI. Let&#8217;s rename this to CORE-DEV:</p>

<pre><code>netdom renamecomputer %COMPUTERNAME% /NewName:CORE-DEV
</code></pre>

<p>You will be warned about the potential hazards of renaming the computer, not our concern since this is a brand new installation. Proceed, and you will have the following results:</p>

<pre><code>The computer needs to be restarted in order to complete the operation.

The command completed successfully.
</code></pre>

<p>Restart the computer by typing: <strong>shutdown /r /t 001</strong></p>

<p>After restarting, log back in, and let&#8217;s join a domain. Our test domain is called testdom.local. We will use an account called admin to join the domain:</p>

<pre><code>netdom join CORE-DEV /domain:testdom.local /userd:testdom\admin /passwordd:*
</code></pre>

<p align="left">The * for the password option will prompt you for the password. A reboot is again required.</p>

<p>Now you can log in with a domain account by choosing other user, then typing domain\user for the user.</p>

<p><strong><span style="text-decoration: underline;">ACTIVATION</span></strong></p>

<p>Now, let&#8217;s activate Windows. In R2, you enter the license key with slmgr.vbs (prior to R2, the installation setup prompted for the license key).</p>

<pre><code>slmgr.vbs -ipk ABCDE-FGHIJ-KLMNO-PQRST-UVWXY
</code></pre>

<p>Next, activate:</p>

<pre><code>slmgr.vbs -ato
</code></pre>

<p>If successful, you will not receive any messages back.</p>

<p><strong><span style="text-decoration: underline;">CONFIGURING AUTOMATIC UPDATES</span></strong></p>

<p>I recommend controlling the behavior of automatic updates with Group Policy, but if you need to toggle the settings, here are the commands:</p>

<p>To verify the current setting:</p>

<pre><code>cscript scregedit.wsf /AU /v
</code></pre>

<p>To enable automatic updates:</p>

<pre><code>cscript scregedit.wsf /AU 4
</code></pre>

<p>To disable automatic updates:</p>

<pre><code>cscript scregedit.wsf /AU 1
</code></pre>

<p>To check for updates:</p>

<pre><code>wuauclt /detectnow
</code></pre>

<p><strong><span style="text-decoration: underline;">FIREWALL</span></strong></p>

<p>Let&#8217;s take a look at the firewall now, since we will want to open up some rules to perform remote administration tasks, such as using Remote Desktop or MMC tools to manage the server.</p>

<p>We can take a look at the firewall profiles by typing:</p>

<pre><code>netsh advfirewall show allprofiles
</code></pre>

<p>If a domain profile is applied via GPO, those settings take effect. You can also look at all the rules by typing:</p>

<pre><code>netsh advfirewall firewall show rule name=all
</code></pre>

<p>That command will display quite a bit of information. I like to output it to a text file and view it with notepad.</p>

<p>Now, let&#8217;s make some changes to allow remote connections to the server. I don&#8217;t exactly follow the steps documented in TechNet or most web sources, since the commands they document open the ports to any source address. Instead, we open Remote Desktop (TCP 3389) only to our subnet.</p>

<pre><code>netsh advfirewall firewall set rule name="Remote Desktop (TCP-In)" new remoteip=192.168.1.0/24
</code></pre>

<p>This changes the firewall RDP rule to allow our subnet only. The default rule is Any. Now, let&#8217;s go ahead and enable this rule:</p>

<pre><code>netsh advfirewall firewall set rule name="Remote Desktop (TCP-In)" new enable=yes
</code></pre>

<p>The firewall is now open for RDP connections from our internal subnet, but we still have to enable Remote Desktop:</p>

<pre><code>cscript %windir%\system32\SCRegEdit.wsf /ar 0
</code></pre>

<p>Now you could Remote Desktop to the server. Of course you will only get a command prompt when you do.</p>

<p>Next, we’ll open up some rules to allow remote management using the MMC. This will allow using Computer Management, Shared Folders, Event Viewer, and other important snap-ins to manage your server. The process is the same as it was opening the Remote Desktop rule, but the rule names are different:</p>

<pre><code>netsh advfirewall firewall set rule name="Remote Administration (NP-In)" new remoteip=192.168.1.0/24
netsh advfirewall firewall set rule name="Remote Administration (NP-In)" new enable=yes
netsh advfirewall firewall set rule name="Remote Administration (RPC)" new remoteip=192.168.1.0/24
netsh advfirewall firewall set rule name="Remote Administration (RPC)" new enable=yes
netsh advfirewall firewall set rule name="Remote Administration (RPC-EPMAP)" new remoteip=192.168.1.0/24
netsh advfirewall firewall set rule name="Remote Administration (RPC-EPMAP)" new enable=yes
</code></pre>

<p>These three rules are in a group called “Remote Administration”, and if you are not concerned about restricting them to a specific subnet, you can enable the group as-is, which will allow connections from any IP:</p>

<pre><code>netsh advfirewall firewall set rule group="Remote Administration" new enable=yes
</code></pre>
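<p>As an added example (not part of the original post), the following PowerShell audits the output of <strong>netsh advfirewall firewall show rule name=all</strong> and flags enabled inbound rules in the Remote Desktop and Remote Administration groups whose RemoteIP was left at Any instead of the management subnet. It assumes the English "Rule Name:" / "RemoteIP:" block layout netsh prints; the netsh output embedded below is constructed for the demonstration.</p>

```powershell
# Added example, not from the original post: parse netsh advfirewall rule
# output and flag management rules that still accept any remote address.
# Assumes the English netsh block layout ("Rule Name:", "Enabled:", ...).

function ConvertFrom-NetshRuleText {
    param([string[]]$Lines)
    $rules = @()
    $current = $null
    foreach ($line in $Lines) {
        if ($line -match '^Rule Name:\s+(.+?)\s*$') {
            # A new block starts; flush the previous rule as an object
            if ($current -ne $null) { $rules += New-Object PSObject -Property $current }
            $current = @{ Name = $Matches[1] }
        }
        elseif ($current -ne $null -and $line -match '^([A-Za-z ]+):\s+(.+?)\s*$') {
            # "RemoteIP:   Any" becomes the RemoteIP property; spaces in
            # labels such as "Edge traversal" are dropped from the name
            $current[($Matches[1] -replace ' ', '')] = $Matches[2]
        }
    }
    if ($current -ne $null) { $rules += New-Object PSObject -Property $current }
    return $rules
}

function Find-OpenManagementRule {
    param(
        [string[]]$Lines,
        [string]$AllowedRemoteIP = '192.168.1.0/24',
        [string[]]$Groups = @('Remote Desktop', 'Remote Administration')
    )
    # Only enabled inbound rules in the management groups matter; anything
    # whose RemoteIP is not the management subnet is reported.
    ConvertFrom-NetshRuleText -Lines $Lines |
        Where-Object {
            $_.Enabled -eq 'Yes' -and
            $_.Direction -eq 'In' -and
            $Groups -contains $_.Grouping -and
            $_.RemoteIP -ne $AllowedRemoteIP
        } |
        Select-Object Name, Grouping, RemoteIP
}

# Constructed sample of netsh output: one rule already restricted to the
# subnet and one Remote Administration rule still open to Any.
$sampleNetshOutput = @'
Rule Name:                            Remote Desktop (TCP-In)
----------------------------------------------------------------------
Enabled:                              Yes
Direction:                            In
Profiles:                             Domain,Private,Public
Grouping:                             Remote Desktop
LocalIP:                              Any
RemoteIP:                             192.168.1.0/24
Protocol:                             TCP
LocalPort:                            3389
RemotePort:                           Any
Edge traversal:                       No
Action:                               Allow

Rule Name:                            Remote Administration (RPC)
----------------------------------------------------------------------
Enabled:                              Yes
Direction:                            In
Profiles:                             Domain,Private,Public
Grouping:                             Remote Administration
LocalIP:                              Any
RemoteIP:                             Any
Protocol:                             TCP
LocalPort:                            RPC
RemotePort:                           Any
Edge traversal:                       No
Action:                               Allow
'@ -split "`r?`n"

# Offline run against the constructed sample. On the server itself, pass the
# live output instead:
#   Find-OpenManagementRule -Lines (netsh advfirewall firewall show rule name=all)
Find-OpenManagementRule -Lines $sampleNetshOutput | Format-Table -AutoSize
```

<p>Run this after enabling the rules above and again after any GPO change; a rule listed here has drifted back to the default Any scope.</p>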

<p><strong><span style="text-decoration: underline;">CONFIGURING ROLES</span></strong></p>

<p>There are two commands to use when dealing with server roles: <strong>oclist</strong> and <strong>ocsetup</strong>. Later, we will look at the new <strong>dism.exe</strong>. If you type oclist, you will get a list of all the roles and their optional components. The list is pretty lengthy, so I like to use the <strong>find</strong> command to narrow my results. For example, if we wanted to add the DHCP server role, I would check for the precise name of the role by typing:</p>

<pre><code>oclist | find /i "dhcp"
</code></pre>

<p>Results:</p>

<pre><code>Not Installed: DHCPServerCore
</code></pre>

<p>Now I know the role name is specifically DHCPServerCore and that it is in fact not installed. So, we install the role by typing:</p>

<pre><code>ocsetup DHCPServerCore
</code></pre>

<p>Note that the above server role IS case sensitive. If I use oclist again to check for DHCP, I now see the following:</p>

<pre><code>oclist | find /i "dhcp"
</code></pre>

<p>Results:</p>

<pre><code>Installed: DHCPServerCore
</code></pre>

<p>If I wanted to remove the role, I&#8217;d use the uninstall switch with ocsetup:</p>

<pre><code>ocsetup DHCPServerCore /uninstall
</code></pre>

<p>Pretty straightforward. Now, with R2, there is a new CLI tool called <strong>dism.exe</strong>. This tool can also configure server roles, but it does much more. For now, we will use it to configure roles like we did with ocsetup/oclist.</p>

<p>To get a list of roles (called features in dism):</p>

<pre><code>dism /online /get-features
</code></pre>

<p>Let&#8217;s add that DHCPServerCore feature using dism:</p>

<pre><code>dism /online /enable-feature /featurename:DHCPServerCore
</code></pre>

<p>And then to remove it:</p>

<pre><code>dism /online /disable-feature /featurename:DHCPServerCore
</code></pre>

<p>So, what is the big deal? The results are the same as with ocsetup, but dism will replace it because it goes further than just toggling features. It can service WIM and VHD image files, allowing you to add and remove drivers and features, which is especially useful if your server has the role of deploying images or runs Hyper-V.</p>

<p><strong><span style="text-decoration: underline;">PROMOTING TO A DC</span></strong></p>

<p><code>dcpromo</code> is still the way to handle promoting and demoting domain controllers, but in a Server Core installation, there is no GUI wizard that comes along with it. Instead, you use an answer file with the command to instruct how to promote your DC. The syntax to this is:</p>

<pre><code>dcpromo /unattend:c:\temp\answerfile.ini
</code></pre>

<p>I like to use ini for my answer file extension, but that&#8217;s a personal preference. Here are two examples of answer files to use with dcpromo:</p>

<p>To create the very first DC in a Forest:</p>

<pre><code>[DCInstall]
ReplicaOrNewDomain=Domain
Installdns=Yes
confirmgc=yes
domainlevel=4
domainnetbiosname=TESTDOM
forestlevel=4
newdomain=forest
newdomaindnsname=testdom.local
safemodeadminpassword=password123
</code></pre>

<p>Note that the forest level and domain level are set to 4. This option is for R2 only, as 4 is the R2 functional level. For 2008 non-R2, this value needs to be 3 instead.</p>

<p>To add a replica domain controller in an existing domain:</p>

<pre><code>[DCInstall]
ReplicaOrNewDomain=Replica
ReplicaDomainDNSName=testdom.local
Installdns=Yes
confirmgc=yes
safemodeadminpassword=password123
</code></pre>

<p>There are quite a few configurable options to put in an answer file. You can check the help by typing: <strong>dcpromo /?:promotion</strong></p>

<p><strong><span style="text-decoration: underline;">MORE IN THE CLI</span></strong></p>

<p>Now you have a fully functioning server, are able to manage it with your MMC, and can connect via Remote Desktop. Although there are hundreds of commands you can use in the CLI, one that can do an enormous amount of tasks is <strong>wmic.exe</strong>. WMIC is a tool with hundreds of options for WMI. You can do just about anything here. A few examples:</p>

<pre><code>wmic useraccount list
wmic process list
wmic share list
</code></pre>

<p>The above examples are all very simple queries for information. You can also use wmic to add and modify (ie. not just list shares, but create or change them). To see a full list of options: <strong>wmic /?</strong></p>


<p><span style="text-decoration: underline;"><strong>POWERSHELL</strong></span></p>

<p>Powershell is now included with R2 and you can enable it just like any other feature. Powershell provides a shell and scripting language which will open up a world of options for administering your Windows environment. What gives this shell its power is that it accepts and returns .NET objects. Instead of getting stdout, you get an object and can then perform actions with that object or read its properties. With a couple of lines of script code, you can pull all users from an OU and set their description field, or check when their passwords were last set. That is just one simple example of working with objects through the DirectoryServices interface, and there are many others.</p>

<p><span style="text-decoration: underline;"><strong>CONCLUSION</strong></span></p>

<p>It is nice to see that the command line has made a return in the Windows world. If you’re unlike me, who typically has five or six command prompts open during a regular day, don’t be intimidated by it. Server Core can be a lean, secure, and well-managed option in your environment. It may take a little time getting used to not reaching for the mouse and clicking on the start button, but at the end of the day you will have that extra bit of satisfaction knowing exactly what occurred without a GUI keeping the details behind the scenes.</p>

<hr />

<p>References:</p>

<ul>
<li>Real Men Don&#8217;t Click&#8211;The Project: <a href="http://isg.ee.ethz.ch/tools/realmen/">http://isg.ee.ethz.ch/tools/realmen/</a></li>
<li>Server Core Installation: <a href="http://technet.microsoft.com/en-us/library/cc753802(WS.10).aspx">http://technet.microsoft.com/en-us/library/cc753802(WS.10).aspx</a></li>
<li>Using DISM: <a href="http://www.windowsnetworking.com/articles_tutorials/Deploying-Windows-7-Part2.html">http://www.windowsnetworking.com/articles_tutorials/Deploying-Windows-7-Part2.html</a></li>
<li>DISM Command Line Options: <a href="http://technet.microsoft.com/en-us/library/dd772580(WS.10).aspx">http://technet.microsoft.com/en-us/library/dd772580(WS.10).aspx</a></li>
<li>WMIC: <a href="http://technet.microsoft.com/en-us/library/bb742610.aspx">http://technet.microsoft.com/en-us/library/bb742610.aspx</a></li>
<li>Powershell: <a href="http://www.microsoft.com/windowsserver2003/technologies/management/powershell/default.mspx">http://www.microsoft.com/windowsserver2003/technologies/management/powershell/default.mspx</a></li>
<li>Windows 2008 Command Line List (A-Z): <a href="http://technet.microsoft.com/en-us/library/cc772390(WS.10).aspx">http://technet.microsoft.com/en-us/library/cc772390(WS.10).aspx</a></li>
</ul>

]]></content:encoded>
			<wfw:commentRss>http://praetorianprefect.com/archives/2009/09/2008-server-to-the-core/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Who’s Being Promiscuous in Your Active Directory?</title>
		<link>http://praetorianprefect.com/archives/2009/09/whos-being-promiscuous-in-your-active-directory/</link>
		<comments>http://praetorianprefect.com/archives/2009/09/whos-being-promiscuous-in-your-active-directory/#comments</comments>
		<pubDate>Tue, 15 Sep 2009 00:18:50 +0000</pubDate>
		<dc:creator>Simon Price</dc:creator>
				<category><![CDATA[Administration]]></category>
		<category><![CDATA[Networking]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Tools]]></category>
		<category><![CDATA[active directory]]></category>
		<category><![CDATA[Microsoft]]></category>
		<category><![CDATA[powershell]]></category>
		<category><![CDATA[windows]]></category>
		<category><![CDATA[WMI]]></category>

		<guid isPermaLink="false">http://praetorianprefect.com/?p=719</guid>
		<description><![CDATA[I’m always a fan of more queries and peaks at what is going on in my AD domain, especially at what is happening on the workstations. I was working on some WMI queries to get information about network interfaces using the Win32_NetworkAdapterConfiguration class, and thought about promqry.exe. Promqry is a tool provided by Microsoft to [...]]]></description>
			<content:encoded><![CDATA[<p>I’m always a fan of more queries and peeks at what is going on in my AD domain, especially at what is happening on the workstations. I was working on some WMI queries to get information about network interfaces using the Win32_NetworkAdapterConfiguration class, and thought about promqry.exe. <a href="http://support.microsoft.com/kb/892853" target="_blank">Promqry</a> is a tool provided by Microsoft to query a computer’s network interfaces and report whether any is running in promiscuous mode.</p>

<p>This information can be handy for several reasons:</p>

<ul>
    <li>An interface running in promiscuous mode may be due to the user running a network sniffer such as Wireshark.</li>
    <li>An interface running in promiscuous mode may be due to the user running virtualization software, such as Virtual PC.</li>
    <li>An interface running in promiscuous mode may be due to malicious code.</li>
</ul>

<p>I definitely want to know if users are running network sniffers, or virtualization software (likely the guests are not licensed or managed causing rogue workstations in the environment). Of course any potential activity that may be caused by malware or malicious code is a concern as well.</p>

<p>You could very easily download promqry and run a <em>for</em> loop against your machines. I wanted to use WMI for this task instead and rather than a text file, use the directoryservices object to query my AD for computers.</p>

<p>I couldn’t find any property in Win32_NetworkAdapterConfiguration to check for this, but I found <a href="http://windowsir.blogspot.com/2005/02/promqry-revisited.html" target="_blank">this post</a> on promqry which tracked down the WMI classes it uses. That led me in the right direction. The other key to this is what MSNdis_CurrentPacketFilter returns. Microsoft documents this <a href="http://msdn.microsoft.com/en-us/library/bb648512.aspx" target="_blank">here</a> and we are checking if the NDIS_PACKET_TYPE_PROMISCUOUS bit is enabled.</p>

<p>Below is a quick Powershell script which will grab computer objects from AD, then use WMI and the MSNdis_CurrentPacketFilter class to check for promiscuous mode. You can incorporate this WMI query with Win32_NetworkAdapterConfiguration and get a better picture of the interface network settings:</p>

<pre><code>
# Keep going past non-terminating errors (unreachable WMI, access denied, ...)
$ErrorActionPreference = "SilentlyContinue"

$PingTest = New-Object System.Net.NetworkInformation.Ping
# LDAP filter: every computer object in the current domain
$Filter = "(&amp;(ObjectCategory=computer))"
$Searcher = New-Object System.DirectoryServices.DirectorySearcher($Filter)
ForEach ($comp in $Searcher.FindAll()) {
    # Properties come back as a value collection; take the first entry as a string
    $strComputer = [string]$comp.Properties["name"][0]
    Write-Host "Checking: $strComputer"
    if ($PingTest.Send($strComputer).Status -eq "Success") {
        $colComputer = Get-WmiObject -Class "MSNdis_CurrentPacketFilter" -Namespace "root\WMI" -ComputerName $strComputer
        if ($colComputer -eq $null) {
            Write-Host "Couldn't connect to WMI"
        }
        else {
            foreach ($adapter in $colComputer) {
                $val = $adapter.NdisCurrentPacketFilter
                # 0x20 is NDIS_PACKET_TYPE_PROMISCUOUS
                if ($val -band 0x00000020) {
                    $inst = $adapter.InstanceName
                    Write-Host "Interface: $inst"
                    Write-Host "The NDIS_PACKET_TYPE_PROMISCUOUS value is set" -ForegroundColor Red -BackgroundColor Yellow
                }
            }
        }
    }
    else { Write-Host "Could not ping, machine not queried." }
}
</code></pre>

<p>The following screenshot shows the results. I don’t like waiting for RPC to time out when the machine is off or not reachable, so a quick ping check before querying WMI speeds things up. Also, when an interface has the bit set, the output is highlighted with red text on a yellow background. You could wrap this in an email function and schedule it so that you are alerted when it comes up.</p>

<p><a href="http://praetorianprefect.com/wp-content/uploads/2009/10/ScreenHunter_06Oct.0120.51.gif"><img style="border-bottom: 0px; border-left: 0px; display: inline; border-top: 0px; border-right: 0px" title="ScreenHunter_06 Oct. 01 20.51" src="http://praetorianprefect.com/wp-content/uploads/2009/10/ScreenHunter_06Oct.0120.51_thumb.gif" border="0" alt="ScreenHunter_06 Oct. 01 20.51" width="244" height="173" /></a></p>


<p>You will need proper access to the workstations to query root\WMI so when you run this in a domain, your account should have local administrator privileges to the computers it will query. If it doesn’t, the command will return “Couldn’t connect to WMI”.</p>

<p>Finally, if you haven’t looked at the MSNdis class yet, I suggest taking a look, especially at MSNdis_80211 which will query various wireless information that may be of interest. There isn’t a whole lot of documentation on it, so I’ll work on getting some details together and maybe draft a Powershell script to find wireless adapters and networks they are connected to or available networks close enough to connect to. Until then, enjoy finding those promiscuous mode adapters in your domain.</p>
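<p>As an added example (not part of the original post), the PowerShell below decodes the whole NdisCurrentPacketFilter bitmask into its NDIS_PACKET_TYPE_* flag names (values from ntddndis.h) rather than testing only the promiscuous bit, and returns objects per interface so the result can be exported or mailed instead of only written to the console. The sample filter values are constructed, not captured from a real host.</p>

```powershell
# Added example, not from the original post: decode NdisCurrentPacketFilter
# into named NDIS_PACKET_TYPE_* flags and return per-interface objects.

# Flag values as defined in ntddndis.h
$NdisPacketTypes = @{
    0x0001 = 'DIRECTED'
    0x0002 = 'MULTICAST'
    0x0004 = 'ALL_MULTICAST'
    0x0008 = 'BROADCAST'
    0x0010 = 'SOURCE_ROUTING'
    0x0020 = 'PROMISCUOUS'
    0x0040 = 'SMT'
    0x0080 = 'ALL_LOCAL'
    0x1000 = 'GROUP'
    0x2000 = 'ALL_FUNCTIONAL'
    0x4000 = 'FUNCTIONAL'
    0x8000 = 'MAC_FRAME'
}

function ConvertFrom-NdisPacketFilter {
    # Returns the names of every flag set in the filter value
    param([uint32]$Filter)
    $names = @()
    foreach ($bit in ($NdisPacketTypes.Keys | Sort-Object)) {
        if ($Filter -band $bit) { $names += $NdisPacketTypes[$bit] }
    }
    return $names
}

function Get-AdapterPacketFilter {
    # Queries one computer through the same WMI class the post uses and
    # returns one object per interface with the decoded flags.
    param([string]$ComputerName)
    $filters = Get-WmiObject -Class MSNdis_CurrentPacketFilter -Namespace root\WMI -ComputerName $ComputerName -ErrorAction SilentlyContinue
    foreach ($f in $filters) {
        $flags = ConvertFrom-NdisPacketFilter -Filter $f.NdisCurrentPacketFilter
        New-Object PSObject -Property @{
            ComputerName = $ComputerName
            Interface    = $f.InstanceName
            Filter       = ('0x{0:X8}' -f $f.NdisCurrentPacketFilter)
            Flags        = ($flags -join ',')
            Promiscuous  = [bool]($f.NdisCurrentPacketFilter -band 0x20)
        }
    }
}

# Constructed sample values: a typical adapter receives directed, multicast
# and broadcast frames; a sniffing adapter has the promiscuous bit added.
$samples = @{
    'Normal adapter'   = 0x0000000B
    'Sniffing adapter' = 0x0000002B
}
foreach ($name in $samples.Keys) {
    $flags = ConvertFrom-NdisPacketFilter -Filter $samples[$name]
    '{0}: 0x{1:X8} = {2}' -f $name, $samples[$name], ($flags -join ',')
}
```

<p>Drop Get-AdapterPacketFilter into the AD loop and ping check from the script above, then filter on Promiscuous and pipe to Export-Csv or Send-MailMessage for the scheduled alert the post suggests.</p>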


]]></content:encoded>
			<wfw:commentRss>http://praetorianprefect.com/archives/2009/09/whos-being-promiscuous-in-your-active-directory/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Windows Task Scheduler: Backwards Incompatibility</title>
		<link>http://praetorianprefect.com/archives/2009/09/windows-task-scheduler-backwards-incompatibility/</link>
		<comments>http://praetorianprefect.com/archives/2009/09/windows-task-scheduler-backwards-incompatibility/#comments</comments>
		<pubDate>Mon, 07 Sep 2009 01:49:35 +0000</pubDate>
		<dc:creator>Simon Price</dc:creator>
				<category><![CDATA[Administration]]></category>
		<category><![CDATA[Tools]]></category>
		<category><![CDATA[vista]]></category>
		<category><![CDATA[windows]]></category>
		<category><![CDATA[windows 7]]></category>
		<category><![CDATA[WMI]]></category>
		<category><![CDATA[xp]]></category>

		<guid isPermaLink="false">http://praetorianprefect.com/?p=741</guid>
		<description><![CDATA[Scheduled tasks are plentiful in most environments. Managing them is typically a nightmare. You have some running to truncate and copy off logs someplace, or others to run a proprietary backup utility to dump a copy of your Quickbooks data; whatever the reason, over time there are more and they are everywhere. Typically, you want [...]]]></description>
			<content:encoded><![CDATA[<p>Scheduled tasks are plentiful in most environments. Managing them is typically a nightmare. You have some running to truncate and copy off logs someplace, or others to run a proprietary backup utility to dump a copy of your Quickbooks data; whatever the reason, over time there are more and they are everywhere. Typically, you want to know that they exist, when they are scheduled to run, and most importantly who they are going to run as. (Look out for password expirations!)</p>

<p>Unless you have invested in an enterprise solution for tasks, you are using Windows Task Scheduler and have the tools included with the Windows OS to do the trick. This article is to point out two major snafus you may come across when attempting to manage scheduled tasks across your environment:</p>

<ol>
<li><p>Using WMI class versus the task scheduler API and what effects it has.</p></li>
<li><p>New versions in Vista / Windows 7 / Windows 2008 that do not work with XP / 2003.</p></li>
</ol>

<p>The first item is more for those who attempt scripting and programming to manage the tasks across machines in the environment. WMI has a class called Win32_ScheduledJob which does quite a bit for managing tasks. However, any tasks created with or modified by the task scheduler API (such as through the task scheduler GUI or schtasks.exe) will no longer be managed by WMI. For example, if you create a task using schtasks.exe, this task will not be returned in a WMI query; or, if you create a task using WMI but then modify it with the task scheduler GUI, it will also no longer turn up in WMI.</p>

<p>So, Win32_ScheduledJob is not a great option and we go about our business using the GUI and schtasks.exe. We move on to our second issue, which is the backwards incompatibility for those using Vista, Windows 7 or Windows 2008. For example, from my Windows 7 workstation, if I use schtasks.exe or the Task Scheduler MMC snap-in, I can query, manipulate and create tasks on Vista, Windows 7 or Windows 2008. When I attempt to reach a Windows XP or Windows 2003 machine, I get Access Denied. Running the older XP version of schtasks.exe did not return errors when run against any OS version. This is painful. The solution is to run the management commands from an XP or 2003 machine, or to copy the schtasks.exe and schedsvc.dll files from those versions into a directory on your Vista / Win7 machine and run it from there. See this screenshot using both versions of the tool from my Windows 7 workstation, querying a Windows XP machine. I printed the file version each time to show that the newer copy fails with Access is Denied.</p>

<p><a href="http://praetorianprefect.com/wp-content/uploads/2009/10/ScreenHunter_03Oct.0221.452.gif"><img style="border-bottom: 0px; border-left: 0px; display: inline; margin-left: 0px; border-top: 0px; margin-right: 0px; border-right: 0px" title="ScreenHunter_03 Oct. 02 21.45" src="http://praetorianprefect.com/wp-content/uploads/2009/10/ScreenHunter_03Oct.0221.45_thumb2.gif" border="0" alt="ScreenHunter_03 Oct. 02 21.45" width="244" height="158" align="left" /></a></p>

<blockquote>You may very well have proper access, but this Access Denied means you have a newer version of the tool.</blockquote>


<p>This <a href="http://msdn.microsoft.com/en-us/library/bb756979.aspx" target="_blank">Technet article</a> explains what is new in Task Scheduler 2.0 (Vista and above) compared to 1.0. There are many new features, but I would have liked to have a schtasks.exe and a MMC snap-in that was backwards compatible to manage older versions.</p>

<p>One last note is that .job files from XP/2003 are not compatible with the newer Task Scheduler 2.0 (XML format). I’ve seen that folks used the older schtasks.exe to dump the task information in table format, then used Excel to edit it into the valid XML format.</p>
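<p>As an added example (not part of the original post), here is a PowerShell inventory that runs schtasks.exe /query /fo CSV /v against a host and reports who each task runs as, so tasks tied to user accounts (the password expiration concern above) stand out. The -ToolDir parameter lets you run the older XP/2003 copy of schtasks.exe from the directory the post describes; the CSV lines embedded below are constructed with a subset of the columns real schtasks /v output contains.</p>

```powershell
# Added example, not from the original post: inventory scheduled tasks by
# run-as account from schtasks /query /fo CSV /v output.

function Get-RemoteTaskCsv {
    # Runs schtasks.exe from $ToolDir (point it at the copied XP/2003 tool
    # for XP/2003 targets) and returns the verbose CSV lines.
    param(
        [string]$ComputerName,
        [string]$ToolDir = "$env:windir\system32"
    )
    Push-Location $ToolDir
    try { .\schtasks.exe /query /s $ComputerName /fo CSV /v }
    finally { Pop-Location }
}

function Get-TaskRunAsReport {
    param(
        [string[]]$CsvLines,
        # Built-in accounts whose passwords never expire; anything else is
        # flagged as a user (or domain service) account worth tracking
        [string[]]$BuiltInAccounts = @(
            'SYSTEM', 'NT AUTHORITY\SYSTEM',
            'LOCAL SERVICE', 'NT AUTHORITY\LOCAL SERVICE',
            'NETWORK SERVICE', 'NT AUTHORITY\NETWORK SERVICE'
        )
    )
    # schtasks /v repeats the header line per task folder; keep one copy so
    # ConvertFrom-Csv does not treat the repeats as task rows.
    $header = $CsvLines[0]
    $rows = $CsvLines | Where-Object { $_ -ne $header -and $_.Trim() -ne '' }
    $tasks = @($header) + $rows | ConvertFrom-Csv
    foreach ($t in $tasks) {
        $runAs = $t.'Run As User'
        New-Object PSObject -Property @{
            HostName    = $t.HostName
            TaskName    = $t.TaskName
            RunAsUser   = $runAs
            NextRun     = $t.'Next Run Time'
            Command     = $t.'Task To Run'
            UserAccount = -not ($BuiltInAccounts -contains $runAs)
        }
    }
}

# Constructed sample CSV (real schtasks /v output has more columns; only the
# ones used here are included).
$sampleCsv = @'
"HostName","TaskName","Next Run Time","Status","Run As User","Task To Run"
"FILESRV01","\LogRotate","9/8/2009 2:00:00 AM","Ready","SYSTEM","C:\scripts\rotate.cmd"
"FILESRV01","\QuickbooksBackup","9/8/2009 3:00:00 AM","Ready","TESTDOM\svc_backup","C:\qb\qbbackup.exe"
"FILESRV01","\CopyLogs","9/8/2009 4:00:00 AM","Ready","TESTDOM\jsmith","C:\scripts\copylogs.cmd"
'@ -split "`r?`n"

# Offline run on the constructed sample; for a live host use
#   Get-TaskRunAsReport -CsvLines (Get-RemoteTaskCsv -ComputerName FILESRV01)
Get-TaskRunAsReport -CsvLines $sampleCsv |
    Where-Object { $_.UserAccount } |
    Format-Table HostName, TaskName, RunAsUser, NextRun -AutoSize
```

<p>Feed the report a list of hosts and keep the output; a diff between runs shows new tasks and changed run-as accounts, which is the part of task sprawl that matters most.</p>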

]]></content:encoded>
			<wfw:commentRss>http://praetorianprefect.com/archives/2009/09/windows-task-scheduler-backwards-incompatibility/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Warnings Ignored, Thousands of Websites Suffer</title>
		<link>http://praetorianprefect.com/archives/2009/06/warnings-ignored-thousands-of-websites-suffer/</link>
		<comments>http://praetorianprefect.com/archives/2009/06/warnings-ignored-thousands-of-websites-suffer/#comments</comments>
		<pubDate>Fri, 12 Jun 2009 20:27:57 +0000</pubDate>
		<dc:creator>Simon Price</dc:creator>
				<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">http://praetorianprefect.com/?p=314</guid>
		<description><![CDATA[“We have been working diligently to recover the information that we can. Currently if your VPS is not responding it is best to consider that all data and information is lost…” This is the start of a message posted on VAServ’s website, a UK-based provider of virtual private servers.  VAServ uses HyperVM,  a virtualization application [...]]]></description>
			<content:encoded><![CDATA[<p>“We have been working diligently to recover the information that we can. Currently if your VPS is not responding it is best to consider that all data and information is lost…” This is the start of a message posted on VAServ’s website, a UK-based provider of virtual private servers. VAServ uses HyperVM, a virtualization application developed by Bangalore-based LxLabs, which was found to contain critical vulnerabilities that led to a 0-day data destroying attack leaving many clients in the dark. A <a href="http://www.theregister.co.uk/2009/06/08/webhost_attack/">report</a> from The Register states that as many as 100,000 websites were destroyed, most without an option of any kind of data restore. The vulnerabilities were <a href="http://www.milw0rm.com/exploits/8880">posted</a> on May 21 and the timeline suggests the software vendor had ignored the warnings. Additionally, LxLabs founder and owner K.T. Ligesh committed suicide this week by hanging himself. His best friend reported Ligesh was depressed over losing an important contract.</p>

]]></content:encoded>
			<wfw:commentRss>http://praetorianprefect.com/archives/2009/06/warnings-ignored-thousands-of-websites-suffer/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>
