View Issue Details

ID: 0005107
Project: Kali Linux
Category: [All Projects] Tool Upgrade
View Status: public
Last Update: 2018-11-26 10:04
Reporter: tmpsam
Assigned To: sbrun
Priority: normal
Severity: minor
Reproducibility: have not tried
Status: assigned
Resolution: open
Product Version: 2018.4
Target Version:
Fixed in Version:
Summary: 0005107: [Security] CrackMapExec 3.1.5 - SAM temporary file not deleted
Description: All versions of CME < 4.0 are buggy: they leave an export of the Windows SAM/LSASecrets registry keys in the following folder, %windir%\system32\********.tmp, and put a weak DACL on it.

This security issue is reproducible when the following options are specified: --sam, --lsa and --ntds.

It gives a local user the opportunity to obtain the LM:NT hashes of the local Administrator account (RID 500) and can be used for privilege escalation or lateral movement.

The vulnerable code is in the __retrieveHive function:
[...]
tmpFileName = ''.join([random.choice(string.letters) for _ in range(8)]) + '.tmp'
[...]
rrp.hBaseRegSaveKey(self.__rrp, keyHandle, tmpFileName)
[...]
remoteFileName = RemoteFile(self.__smbConnection, 'SYSTEM32\\'+tmpFileName)
return remoteFileName
[...]

The tmpFileName is never removed.

Please upgrade to CrackMapExec release 4.0.

ʕ•̫͡•ʔ ʕ•̫͡•ʔ ʕ•̫͡•ʔ
--
tmpsam
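The defect described in the report is a temporary file created on the target and never removed, so a failure anywhere between the save and the read leaves the export behind. The following is an added example, not code from CrackMapExec or from the reporter: it models the SYSTEM32 directory with a constructed in-memory stand-in (FakeSystem32, save_key, read and delete are all assumptions made for the example) and shows the leaky flow beside a version whose cleanup is guaranteed by try/finally, plus an audit helper that lists files matching the quoted eight-letter .tmp naming scheme.

```python
import random
import re
import string


class FakeSystem32:
    """Constructed stand-in for the remote host's SYSTEM32 directory.

    Maps a file name to its content. No registry, SMB or real file system
    access is involved; save_key/read/delete are assumptions for the example.
    """

    def __init__(self):
        self.files = {}

    def save_key(self, hive, tmp_name):
        # Stand-in for the hBaseRegSaveKey step: the hive export lands in a temp file.
        self.files[tmp_name] = "<export of %s>" % hive

    def read(self, name):
        return self.files[name]

    def delete(self, name):
        del self.files[name]


class FailingReadSystem32(FakeSystem32):
    """Variant whose read step fails, to exercise the error path."""

    def read(self, name):
        raise OSError("read of %s failed" % name)


def random_tmp_name(rng=random):
    # Same naming scheme the report quotes: eight random letters plus '.tmp'.
    return "".join(rng.choice(string.ascii_letters) for _ in range(8)) + ".tmp"


def retrieve_hive_leaky(host, hive):
    """Mirrors the reported behaviour: export and read, but never delete."""
    tmp = random_tmp_name()
    host.save_key(hive, tmp)
    return host.read(tmp)


def retrieve_hive_clean(host, hive):
    """Same flow, but the temp file is removed whether or not the read succeeds."""
    tmp = random_tmp_name()
    host.save_key(hive, tmp)
    try:
        return host.read(tmp)
    finally:
        # Runs on the normal return and when read() raises, so nothing is left behind.
        host.delete(tmp)


# Audit pattern for leftovers of the quoted naming scheme: 8 letters + '.tmp'.
TMP_NAME_PATTERN = re.compile(r"^[A-Za-z]{8}\.tmp$")


def leftover_hive_exports(host):
    """Audit check: list files in the stand-in directory that match the temp-name scheme."""
    return sorted(name for name in host.files if TMP_NAME_PATTERN.match(name))


if __name__ == "__main__":
    leaky_host = FakeSystem32()
    retrieve_hive_leaky(leaky_host, "SAM")
    print("leaky flow left behind:", leftover_hive_exports(leaky_host))

    clean_host = FakeSystem32()
    retrieve_hive_clean(clean_host, "SAM")
    print("clean flow left behind:", leftover_hive_exports(clean_host))
```

The audit helper only matches the naming scheme quoted in the report; on a real host the check that matters is whether any such file exists in %windir%\system32 at all, since a legitimate run should leave none.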

Activities

sbrun (manager) - 2018-11-26 10:04 - ~0010000

upstream issue: https://github.com/byt3bl33d3r/CrackMapExec/issues/279
There is no upstream release 4.0
We will update the package when upstream releases a new version.

Issue History

Date Modified Username Field Change
2018-11-19 14:01 tmpsam New Issue
2018-11-19 14:01 tmpsam Status new => assigned
2018-11-19 14:01 tmpsam Assigned To => sbrun
2018-11-26 10:04 sbrun Note Added: 0010000