0005107: [Security] CrackMapExec 3.1.5 - SAM temporary file not deleted

ID	Project	Category	View Status	Date Submitted	Last Update

0005107	Kali Linux	Tool Upgrade Request	public	2018-11-19 14:01	2020-02-19 13:24

Reporter	tmpsam	Assigned To
Priority	normal	Severity	minor	Reproducibility	have not tried
Status	assigned	Resolution	open
Product Version	2018.4

Summary	0005107: [Security] CrackMapExec 3.1.5 - SAM temporary file not deleted
Description	All versions of CME < 4.0 are buggy, leave an export of the Windows SAM/LSASecrets registry keys in the following folder: %windir%\system32****.tmp and put a weak DACL. This security issue is reproductible when the following options are specified : --sam, --lsa and --ntds. It gives a local user the opportunity to obtain the LM:NT hashes of the local Administrator account (RID 500) and can be used for privilege escalation or lateral movement. The vulnerable code is in the _retrieveHive function: [...] tmpFileName = ''.join([random.choice(string.letters) for in range(8)]) + '.tmp' [...] rrp.hBaseRegSaveKey(self.rrp, keyHandle, tmpFileName) [...] remoteFileName = RemoteFile(self.smbConnection, 'SYSTEM32\'+tmpFileName) return remoteFileName [...] The tmpFileName is never removed. Please upgrade a CrackMapExec release 4.0. ʕ•̫͡•ʔ ʕ•̫͡•ʔ ʕ•̫͡•ʔ -- tmpsam

Date Modified	Username	Field	Change
2018-11-19 14:01	tmpsam	New Issue
2018-11-19 14:01	tmpsam	Status	new => assigned
2018-11-19 14:01	tmpsam	Assigned To	=> sbrun
2018-11-26 10:04	sbrun	Note Added: 0010000
2020-02-19 13:24	sbrun	Assigned To	sbrun =>
2021-05-31 13:37	rhertzog	Category	Tool Upgrade => Tool Upgrade Request

sbrun 2018-11-26 10:04 manager ~0010000	upstream issue: https://github.com/byt3bl33d3r/CrackMapExec/issues/279 There is no upstream release 4.0 We will update the package when upstream will release a new version.