View Issue Details

ID: 0005107
Project: Kali Linux
Category: Tool Upgrade Request
View Status: public
Last Update: 2020-02-19 13:24
Reporter: tmpsam
Assigned To:
Priority: normal
Severity: minor
Reproducibility: have not tried
Status: assigned
Resolution: open
Product Version: 2018.4
Summary0005107: [Security] CrackMapExec 3.1.5 - SAM temporary file not deleted
Description

All versions of CME < 4.0 are buggy: they leave an export of the Windows SAM/LSASecrets registry keys in the folder %windir%\system32\*.tmp with a weak DACL.

This security issue is reproducible when the following options are specified: --sam, --lsa and --ntds.

It gives a local user the opportunity to obtain the LM:NT hashes of the local Administrator account (RID 500), which can be used for privilege escalation or lateral movement.

The vulnerable code is in the _retrieveHive function:
[...]
# Python 2-era CME code: temporary name is 8 random letters + ".tmp"
tmpFileName = ''.join([random.choice(string.letters) for _ in range(8)]) + '.tmp'
[...]
# Ask the remote registry service (RRP) to save the key to that file on the target
rrp.hBaseRegSaveKey(self.rrp, keyHandle, tmpFileName)
[...]
# Wrap the saved hive under SYSTEM32 as a remote file and hand it back;
# nothing ever deletes tmpFileName on the target
remoteFileName = RemoteFile(self.smbConnection, 'SYSTEM32\\' + tmpFileName)
return remoteFileName
[...]

The tmpFileName is never removed.

Please upgrade to a CrackMapExec 4.0 release.

ʕ•̫͡•ʔ ʕ•̫͡•ʔ ʕ•̫͡•ʔ
--
tmpsam
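The report above says what is left behind (an 8-letter .tmp hive export in System32 with a DACL readable by local users) but not how to find it on a host that was targeted. The following is an added example, not code from the bug report or from CrackMapExec: a PowerShell hunt that lists candidate leftovers, confirms they are registry hive exports, and names the broad principals that can read them. The name pattern (8 ASCII letters + ".tmp"), the "regf" hive signature check, and the choice of Everyone / Authenticated Users / BUILTIN\Users as "broad readers" are my assumptions, not statements from the report.

```powershell
# Added example (not from the Kali bug report or CrackMapExec): find hive exports
# that CME < 4.0 left in System32 and report who can read them. Run elevated on
# the host that was targeted. Assumptions (mine): the leftover name is 8 ASCII
# letters + ".tmp", matching the tmpFileName generator quoted in the report, and
# a file written by RegSaveKey starts with the "regf" hive signature.
param(
    [string]$Path = (Join-Path $env:windir 'System32'),
    [switch]$Remove     # delete confirmed hive exports after reporting them
)

# Principals whose read access makes the dump reachable from a low-privileged
# logon: Everyone, Authenticated Users, BUILTIN\Users.
$BroadSids = @('S-1-1-0', 'S-1-5-11', 'S-1-5-32-545')

function Test-RegfHeader {
    # True when the first four bytes are "regf", the registry hive signature.
    param([string]$File)
    $bytes = New-Object byte[] 4
    $fs = [System.IO.File]::Open($File, [System.IO.FileMode]::Open,
                                 [System.IO.FileAccess]::Read, [System.IO.FileShare]::ReadWrite)
    try     { $n = $fs.Read($bytes, 0, 4) }
    finally { $fs.Dispose() }
    return ($n -eq 4 -and [System.Text.Encoding]::ASCII.GetString($bytes) -eq 'regf')
}

function Get-BroadReaders {
    # Account names from Allow ACEs that grant ReadData to one of $BroadSids.
    param([System.Security.AccessControl.FileSecurity]$Acl)
    foreach ($ace in $Acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $readBit = [int]($ace.FileSystemRights -band [System.Security.AccessControl.FileSystemRights]::ReadData)
        if ($readBit -eq 0) { continue }
        try {
            $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
        } catch { continue }   # orphaned / unresolvable SID: skip it
        if ($sid -in $BroadSids) { $ace.IdentityReference.Value }
    }
}

Get-ChildItem -LiteralPath $Path -File -Filter '*.tmp' -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -match '^[A-Za-z]{8}\.tmp$' } |
    ForEach-Object {
        $file   = $_
        $isHive = Test-RegfHeader $file.FullName
        $acl    = Get-Acl -LiteralPath $file.FullName
        $broad  = @(Get-BroadReaders $acl)

        # One record per candidate; IsHiveExport + BroadReaders together are the finding.
        [pscustomobject]@{
            File         = $file.FullName
            SizeBytes    = $file.Length
            LastWriteUtc = $file.LastWriteTimeUtc
            IsHiveExport = $isHive
            Owner        = $acl.Owner
            BroadReaders = ($broad -join ', ')
        }

        if ($Remove -and $isHive) {
            Remove-Item -LiteralPath $file.FullName -Force
        }
    }
```

Run it once without -Remove to see the findings, then with -Remove to delete only the files whose header confirms they are hive exports; unrelated .tmp files that happen to match the name pattern are reported but left alone. A record with IsHiveExport true and a non-empty BroadReaders column is exactly the condition the report describes, so the local Administrator hash on that host should be treated as exposed to every local user who could log on while the file was present.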

Activities

sbrun (manager)   2018-11-26 10:04   ~0010000

upstream issue: https://github.com/byt3bl33d3r/CrackMapExec/issues/279
There is no upstream 4.0 release.
We will update the package when upstream releases a new version.

Issue History

Date Modified Username Field Change
2018-11-19 14:01 tmpsam New Issue
2018-11-19 14:01 tmpsam Status new => assigned
2018-11-19 14:01 tmpsam Assigned To => sbrun
2018-11-26 10:04 sbrun Note Added: 0010000
2020-02-19 13:24 sbrun Assigned To sbrun =>
2021-05-31 13:37 rhertzog Category Tool Upgrade => Tool Upgrade Request