5357 Hacktricks

0 views
Skip to first unread message

Marion Georgi

unread,
Aug 3, 2024, 4:28:35 PM8/3/24
to guanlenslacta

MS09-063 addresses a critical vulnerability (CVE-2009-2512) in the Web Services on Devices (WSD) API. Web Services on Devices allows a computer to discover and access a remote device and its associated services across a network. It supports device discovery, description, control, and eventing.

The WSD API functionality is implemented in the WSDApi.dll module in Windows, and is used by several services and applications. The API is also documented on MSDN for 3rd party developers to use. Therefore, a comprehensive list of services and application that are vulnerable to this issue is hard to define, but here are some examples:

A long header value within a WSD message can lead to stack corruption within the process hosting WSDApi.dll. This can cause the service or application to crash, or could lead to Remote Code Execution. To be clear, the vulnerability is in the Windows module used to interact with devices that support Web Services on Devices, and does not affect the devices themselves.

Only systems with the WSD TCP ports active and listening are vulnerable to the most likely attack vector. Whether a system has WSD ports active and listening depends on the system configuration and applications that are installed.

By default, WSDAPI will listen on TCP ports 5357 and 5358. The Windows Firewall will allow messages in to these ports if the interface firewall profile is anything other than Public. This means under non-Public profiles (e.g. Private or Domain) the vulnerability can be reached by remote, unauthenticated users.

For an attacker to be able to trigger the vulnerability on a target, they need to know the WSD Address value for the target, which is a UUID (Universally Unique Identifier). This value is automatically sent in broadcast UDP messages to port 3702 (WS-Discovery) in an effort to discover devices that support WSD. Being broadcast UDP the message will only be visible to attackers on the same subnet. Attackers on other subnets, or on the Internet, will not be able to launch attacks against distant targets using this approach.

A system could also be exploited by a malicious device which responds to a client computer using WSDAPI. It is possible for the user to manually enter the URL of a device to connect to, in which case the device could respond with a malformed message and trigger the vulnerability. This requires user-interaction and social engineering, however.

Recently, I encountered persistent crashes while running ZAP 2.15 on macOS. The issue seemed to stem from the bundled Java version. After some debugging and testing, I found a solution by downgrading the bundled Java version in ZAP.

Today, I write a post about how to use ZAP HUD in an engaging manner. While ZAP HUD may not have incredibly useful features at the moment, experimenting with it could be worthwhile since it has the potential to bring about changes in the analytical approach.

Hi hackers and bugbounty hunters :DToday, I talk about building a github-action-based ZAP scanning environment. As you know, there is no time limit for public repo, so you can configure a cloud-based vulnerability scanner for free ?

After the HTTP Desync Attack announcement, the bugbounty hunters and corporate security personnel seem to be very busy. Albino recently announced that he would be writing additional articles, and new post were posted on the portswigger blog.

Some event handlers do not appear in the OWASP list.It is a touch event like ontouch*. It is a limited item on mobile devices, so it has a less effective effect than general purpose, but it is a good item to trigger XSS.

When I work for a company or bug bounty, the unexpected hurdle is a protection(xss filter) of special char in the JS(Javascript) area. So I am devising a way to easily solve these problems, and one of the processes is this document.

HAHWUL auxiliary(vnc_login) > db_nmap -PN 192.168.56.101[] Nmap: Starting Nmap 7.01 ( ) at 2017-08-07 15:17 KST[] Nmap: Nmap scan report for 192.168.56.101[] Nmap: Host is up (0.00072s latency).[] Nmap: Not shown: 983 closed ports[] Nmap: PORT STATE SERVICE[] Nmap: 80/tcp open http[] Nmap: 135/tcp open msrpc[] Nmap: 139/tcp open netbios-ssn[] Nmap: 443/tcp open https[] Nmap: 445/tcp open microsoft-ds[] Nmap: 554/tcp open rtsp[] Nmap: 2869/tcp open icslap[] Nmap: 5357/tcp open wsdapi[] Nmap: 5500/tcp open hotline[] Nmap: 5800/tcp open vnc-http[] Nmap: 5900/tcp open vnc..snip..

c80f0f1006
Reply all
Reply to author
Forward
0 new messages