
Online Binary Planting Exposure Test #4


Operating Systems
  • Windows 7 (32 and 64 bit)
  • Windows Vista (32 and 64 bit)

Vulnerable Products
  • Microsoft Management Console

Test Procedure

  1. On a Windows Vista or Windows 7 computer, launch Microsoft Management Console by clicking the Start button, typing "mmc" into the "Search programs and files" field and pressing "Enter".

  2. (If the User Account Control dialog prompts you if "you want to allow the following program to make changes to your computer", click "Yes".)

  3. Open the "Open" dialog in Microsoft Management Console (e.g., by pressing Ctrl+O or via File -> Open...)

  4. Copy the following location to the "Open" dialog's "File name" field, press Enter and wait up to 30 seconds. Important: If you're running a 64-bit system and the test fails, also try the 32-bit location.

    32-bit location: \\www.binaryplanting.com\demo\microsoft_management_console
    64-bit location: \\www.binaryplanting.com\demo\microsoft_management_console_64

  5. At this point, one of the following is likely to happen:
    1. Microsoft Management Console's "Open" dialog displays the content of the remote folder as shown below.



    2. Or, some error message pops up describing that the remote folder could not be found or displayed.
    3. Or, nothing happens.

  6. In case Microsoft Management Console's "Open" dialog hasn't shown the content of the remote folder, and you either got an error message or no response at all, first try again a few times, then try with a freshly opened Microsoft Management Console, then log off and log on again, and finally restart your computer and retry. If all these attempts fail to display the content of the remote folder, the test is over and you can skip to the results.

  7. If, however, Microsoft Management Console's "Open" dialog has displayed the content of the remote folder, select the file demo.msc and click "Open". Event Viewer is launched.

  8. In Event Viewer, open the Help Topics via menu: Help -> Help Topics. If this results in a "HACKED" dialog popping up like the one shown below, you are currently exposed to binary planting attacks originating from the Internet (see the results).



    If, on the other hand, opening Help Topics in Event Viewer doesn't launch a "HACKED" dialog, retry a couple of times. If this still fails to produce a "HACKED" dialog, the test is over and you can continue to the results.


Test Results

As a result of the above test, one of the following has happened. Find your own result in the table below and read the diagnosis of your exposure.

Your result: Microsoft Management Console's "Open" dialog hasn't displayed the content of the remote shared folder.
Diagnosis: If all your attempts to see the content of our shared folder failed, the reason is likely one or more of the following:
  1. WebDAV communication between your computer and our server is being blocked, either by your network firewall or by your personal firewall. If this is the case, you are probably not exposed to binary planting attacks originating from the Internet. Note that you may still be exposed to binary planting attacks originating from your local network, and even from the Internet if you connect your computer to another network, such as a wireless network on a business trip.
  2. Your Web Client service is not running. (This service is running by default on Windows workstations, but not on Windows servers.) If this is the case, you are probably not exposed to binary planting attacks originating from the Internet. Note that you may still be exposed to binary planting attacks originating from your local network, and even from the Internet if you connect your computer to another network, such as a wireless network on a business trip.
  3. Your Windows system is not up to date. For instance, Vista used to have functional problems accessing certain WebDAV shares, and our shares seem to be of that type. Install the latest updates, then redo the test.

Your result: Microsoft Management Console's "Open" dialog has displayed the content of the remote shared folder, but opening Help Topics in Event Viewer hasn't launched the "HACKED" dialog box.
Diagnosis: If opening the file from our server failed to launch the "HACKED" dialog, the reason is likely one of the following:
  1. The targeted vulnerability may have been fixed by the vendor. In this case, your exposure to binary planting attacks is unknown, although one of the many vulnerabilities has apparently been eliminated. You can try some of the other tests that we provide.
  2. Your network or personal firewall, while allowing browsing of remote WebDAV shares, blocks the downloading of potentially dangerous binaries. If this is the case, you are probably not exposed to binary planting attacks originating from the Internet. Note that you may still be exposed to binary planting attacks originating from your local network, and even from the Internet if you connect your computer to another network, such as a wireless network on a business trip.
  3. You have Microsoft's CWDIllegalInDllSearch hotfix installed and configured so as not to allow loading DLLs from remote WebDAV shares. If this is the case, you are probably not exposed to binary planting attacks originating from the Internet or from local shared folders.

Your result: Microsoft Management Console's "Open" dialog has displayed the content of the remote shared folder, and opening Help Topics in Event Viewer has launched the "HACKED" dialog box at least once.
Diagnosis: You are currently exposed to binary planting attacks originating from the Internet through at least one existing vulnerability. A remote attacker can exploit either the vulnerability in Microsoft Management Console used in this test, or any other similar vulnerability that may exist in applications installed on your computer. Furthermore, other computers in your network are also likely to be exposed, as there seems to be no network-wide countermeasure in place.
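As an added example (not part of the ACROS test page), the PowerShell function below reads the two host-side countermeasures the diagnosis table names, the Web Client service state and the CWDIllegalInDllSearch registry value, and predicts which result row a machine is likely to land in; the function name is my own, and it cannot see a network firewall blocking WebDAV, which is why the manual test is still needed.

```powershell
# Added example, not ACROS's code: a read-only check of the two host-side
# countermeasures from the diagnosis table (WebClient service and the
# CWDIllegalInDllSearch value). A network firewall blocking WebDAV is
# invisible to this script; only the manual test above reveals that.

function Get-BinaryPlantingExposure {
    # WebClient is the WebDAV redirector. When it is not running, a UNC path to
    # an HTTP share such as \\www.binaryplanting.com\demo\... cannot be resolved.
    $svc = Get-Service -Name WebClient -ErrorAction SilentlyContinue
    $webClientRunning = ($svc -ne $null) -and ($svc.Status -eq 'Running')

    # CWDIllegalInDllSearch (hotfix KB2264107) is a REG_DWORD under
    # HKLM\SYSTEM\CurrentControlSet\Control\Session Manager:
    #   1          = refuse DLL loads from WebDAV shares
    #   2          = refuse DLL loads from WebDAV and remote (UNC) shares
    #   0xFFFFFFFF = drop the current directory from the DLL search order
    # PowerShell surfaces a REG_DWORD as Int32, so 0xFFFFFFFF reads back as -1.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
    $cwd = (Get-ItemProperty -Path $key -Name CWDIllegalInDllSearch `
                -ErrorAction SilentlyContinue).CWDIllegalInDllSearch
    $blocksWebDav = ($cwd -ne $null) -and (@(1, 2, -1, 4294967295) -contains $cwd)

    # On Vista/7 the value only takes effect once the hotfix is installed; check
    # Microsoft's KB2264107 notes for which later releases include it natively.
    $hotfix = Get-HotFix -Id KB2264107 -ErrorAction SilentlyContinue

    if (-not $webClientRunning) {
        $outcome = 'Remote folder will not display: WebClient service is not running'
    } elseif ($blocksWebDav) {
        $outcome = 'Folder may display, but DLL loads from WebDAV are refused'
    } else {
        $outcome = 'No host-side countermeasure found; run the manual test'
    }

    New-Object PSObject -Property @{
        WebClientRunning       = $webClientRunning
        CWDIllegalInDllSearch  = $cwd
        BlocksWebDavDllLoads   = $blocksWebDav
        HotfixKB2264107Present = ($hotfix -ne $null)
        LikelyTestOutcome      = $outcome
    }
}

Get-BinaryPlantingExposure | Format-List
```

Running it before the manual test tells you whether a "folder not displayed" result is explained by the WebClient service rather than by a firewall, which is the distinction the first diagnosis row asks you to make.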


For additional information, go to ACROS Security and ACROS Security Blog.

Please kindly direct any feedback regarding this test to security@acrossecurity.com.