View Issue Details

ID: 0005107
Project: Kali Linux
Category: [All Projects] Tool Upgrade Request
View Status: public
Last Update: 2020-02-19 13:24
Reporter: tmpsam
Assigned To:
Priority: normal
Severity: minor
Reproducibility: have not tried
Status: assigned
Resolution: open
Product Version: 2018.4
Target Version:
Fixed in Version:
Summary: 0005107: [Security] CrackMapExec 3.1.5 - SAM temporary file not deleted

Description:
All versions of CME < 4.0 are buggy: they leave an export of the Windows SAM/LSASecrets registry keys in the following folder, %windir%\system32\********.tmp, and put a weak DACL on it.

This security issue is reproducible when the following options are specified: --sam, --lsa and --ntds.

It gives a local user the opportunity to obtain the LM:NT hashes of the local Administrator account (RID 500), which can be used for privilege escalation or lateral movement.

The vulnerable code is in the __retrieveHive function:

    # 8 random letters + '.tmp' (Python 2: string.letters)
    tmpFileName = ''.join([random.choice(string.letters) for _ in range(8)]) + '.tmp'
    # export the registry hive to that file on the target via MS-RRP
    rrp.hBaseRegSaveKey(self.__rrp, keyHandle, tmpFileName)
    # the export lands in SYSTEM32 and is opened over SMB
    remoteFileName = RemoteFile(self.__smbConnection, 'SYSTEM32\\'+tmpFileName)
    # no cleanup of tmpFileName before returning
    return remoteFileName

The tmpFileName is never removed.

Please upgrade to CrackMapExec release 4.0.

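Added here as an editor's example, not code from the report or from CrackMapExec: a defender-side scan that looks for leftover hive exports matching the naming pattern quoted in the report (8 letters + .tmp) and confirms them by the "regf" registry hive header. The directory to scan, the constructed sample files and the use of ASCII letters in place of string.letters are assumptions.

```python
import os
import re
import tempfile

# Leftover exports from CME < 4.0 are named with 8 random letters plus ".tmp"
# and were written by BaseRegSaveKey, so they carry the registry hive magic
# "regf". ASCII letters are assumed here as an approximation of string.letters.
# On a real host the directory to scan would be %windir%\system32.
LEFTOVER_NAME = re.compile(r"^[A-Za-z]{8}\.tmp$")
HIVE_MAGIC = b"regf"


def is_registry_hive(path):
    """Return True if the file begins with the 'regf' hive header."""
    try:
        with open(path, "rb") as fh:
            return fh.read(4) == HIVE_MAGIC
    except OSError:
        return False


def find_leftover_hives(directory):
    """Return sorted paths of files in `directory` whose name matches the
    CME temp-file pattern and whose contents are a registry hive export."""
    hits = []
    for name in os.listdir(directory):
        path = os.path.join(directory, name)
        if LEFTOVER_NAME.match(name) and os.path.isfile(path) and is_registry_hive(path):
            hits.append(path)
    return sorted(hits)


def build_sample_dir():
    """Constructed sample (assumption, not real data): one leftover hive export,
    one .tmp that is not a hive, and one hive whose name does not match."""
    d = tempfile.mkdtemp()
    with open(os.path.join(d, "QwErTyUi.tmp"), "wb") as fh:
        fh.write(HIVE_MAGIC + b"\x00" * 60)
    with open(os.path.join(d, "AbCdEfGh.tmp"), "wb") as fh:
        fh.write(b"not a hive")
    with open(os.path.join(d, "config.tmp"), "wb") as fh:
        fh.write(HIVE_MAGIC + b"\x00" * 60)
    return d


if __name__ == "__main__":
    for hit in find_leftover_hives(build_sample_dir()):
        print("leftover hive export, review and remove:", hit)
```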

Note ~0010000 (manager), 2018-11-26 10:04

upstream issue:
There is no upstream release 4.0
We will update the package when upstream releases a new version.

Issue History

Date Modified    | Username | Field       | Change
2018-11-19 14:01 | tmpsam   | New Issue   |
2018-11-19 14:01 | tmpsam   | Status      | new => assigned
2018-11-19 14:01 | tmpsam   | Assigned To | => sbrun
2018-11-26 10:04 | sbrun    | Note Added  | 0010000
2020-02-19 13:24 | sbrun    | Assigned To | sbrun =>
2021-05-31 13:37 | rhertzog | Category    | Tool Upgrade => Tool Upgrade Request