
CVE-2016-2202 – Symantec Management Agent Inventory Solution 7.5 Application Blacklisting

Updated on April 7, 2016. Symantec has now acknowledged and provided a fix for this problem. Symantec reference here and the provided fix here.

Symantec was notified of this issue on March 7, 2016.

My endpoint team was testing blocking executables with SMC/SMA/Altiris/Inventory Solution (the product goes by many names). I found that if I kept opening the exe, I could essentially brute force a successful launch of the application whose executable had been blocked. It appears that the first exe would run and not be closed by the Altiris agent.
We were looking to prevent TeamViewer (remote control software) from running. They were able to prevent the exe from launching, but if I created a simple PowerShell script that kept trying to open the executable, it would eventually launch and stay open.
I could then connect and remotely control the system (as TeamViewer is designed to do). Of course my CPU was pegged, but I was able to keep the session open while my script was running.
I am running Windows 7 Pro, 4-core CPU, 8GB of RAM, Symantec Management Agent 7.5.33.
To recreate this vulnerability, block your executable, then run the following simple PowerShell script on a client. In this case my team wanted to block TeamViewer, so that is what I tested.

 $n = 1
 Do {
     # Keep relaunching the blocked executable; the counter bounds the loop
     Start-Process -FilePath "C:\Users\<username>\Downloads\TeamViewerPortable\Teamviewer.exe"
     $n++
 } While ($n -le 199999999)

ESXi 5.5 crashing – Windows Guest won't load – A simple reminder.

Over the past few days some new guests on my whitebox vmhost (which has been running for almost a year now) started behaving badly! Symptoms are listed below, and I'm sure there were more. There wasn't really any pattern to the crashing; it was very random. Things went awry after I added my ninth guest and the host peaked in the 14-16GB RAM range. My existing guests running PRTG, Zoneminder, VPN and NGINX were all fine and stable. Just a few new Windows guests I have been using for testing were crashing. I couldn't even reinstall Windows without a BSOD while loading.

  • VMware ESX unrecoverable error: (vcpu-0)
  • MONITOR PANIC: Unable to decompress PPN from swap slot for VM
  • loading windows starting and crashing Msrpc.sys
  • Windows MMC’s not loading, crashing

I ran memtest86+ on the full 32 gigs with no failures (with only one pass, probably not a good idea) and figured it couldn't be RAM.
Googling took me down some rabbit holes, such as unloading the custom NIC drivers I had added. I was almost ready to reinstall ESXi, but the issue still persisted. I finally decided to run memtest inside the VM that was having trouble: errors within seconds. I pulled half the RAM and ran it again, no issues. Looks like it's bad RAM. RMA time.
So an issue I've seen many times back in my Geek Squad days in college got me. A reminder, even in 2016: don't rule out bad memory so quickly; it would have saved me a few hours tonight.
And finally, the purple screen!


bad memory, right?

Certification Authority Event ID 80

After upgrading certification authorities from 2003 to 2008 R2, I noticed warnings for event ID 80 in the CA logs. I think I have the fix worked out. Essentially you need to convert the global groups to universal and then to domain local, add the CA computer objects, then set some permissions.

Replace the paths with your domain specific information.


1) On the parent domain, on a global catalog domain controller (run from an elevated cmd prompt):

dsmod group "CN=Cert Publishers,CN=Users,DC=domain,DC=company,DC=com" -scope u
dsmod group "CN=Cert Publishers,CN=Users,DC=domain,DC=company,DC=com" -scope l

2) For each child domain, on a global catalog domain controller (run from an elevated cmd prompt):

dsmod group "CN=Cert Publishers,CN=Users,DC=child,DC=domain,DC=company,DC=com" -scope u
dsmod group "CN=Cert Publishers,CN=Users,DC=child,DC=domain,DC=company,DC=com" -scope l
dsacls "DC=child,DC=domain,DC=company,DC=com" /I:S /G "domain\Cert Publishers":RP;userCertificate
dsacls "DC=child,DC=domain,DC=company,DC=com" /I:S /G "domain\Cert Publishers":WP;userCertificate
dsacls "cn=adminsdholder,cn=system,DC=child,DC=domain,DC=company,DC=com" /G "domain\Cert Publishers":RP;userCertificate
dsacls "cn=adminsdholder,cn=system,DC=child,DC=domain,DC=company,DC=com" /G "domain\Cert Publishers":WP;userCertificate

3) Add the computer objects for your certification authorities to the group "Cert Publishers" in each domain.
4) Finally, on your certification authorities run the following (run from an elevated cmd prompt):

certutil -setreg SetupStatus -SETUP_DCOM_SECURITY_UPDATED_FLAG
net stop certsvc
net start certsvc
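To confirm the steps above actually took effect before restarting the CAs, here is an added verification script (my own, not part of the original post). It assumes the RSAT ActiveDirectory module; the domain names and the CA account 'CA01$' are placeholders to replace with your forest's values.

```powershell
# Added verification script, not from the original post. It checks the state that
# steps 1-3 above should leave behind (group scope, CA membership and the dsacls
# grants). Assumes the RSAT ActiveDirectory module; the domain names and the CA
# account 'CA01$' are placeholders to edit for your forest.
Import-Module ActiveDirectory

$Parent      = 'domain.company.com'
$Children    = @('child.domain.company.com')
$CAComputers = @('CA01$')        # sAMAccountNames of the CA computer objects

# Resolve the schemaIDGUID of userCertificate from the schema rather than hard-coding it.
$schemaNC     = (Get-ADRootDSE -Server $Parent).schemaNamingContext
$userCertGuid = [guid](Get-ADObject -Server $Parent -SearchBase $schemaNC `
    -LDAPFilter '(lDAPDisplayName=userCertificate)' -Properties schemaIDGUID).schemaIDGUID
$grantee      = '{0}\Cert Publishers' -f (Get-ADDomain -Server $Parent).NetBIOSName

# Steps 1 and 3: Cert Publishers is Domain Local and contains every CA computer account.
foreach ($domain in @($Parent) + $Children) {
    $group   = Get-ADGroup -Server $domain -Identity 'Cert Publishers'
    $members = (Get-ADGroupMember -Server $domain -Identity $group).SamAccountName
    $missing = @($CAComputers | Where-Object { $_ -notin $members })
    '{0}: scope={1}{2}; missing CA members: {3}' -f $domain, $group.GroupScope,
        $(if ($group.GroupScope -ne 'DomainLocal') { ' (expected DomainLocal)' }),
        $(if ($missing) { $missing -join ', ' } else { 'none' })
}

# Step 2: the parent's Cert Publishers needs RP and WP ACEs on userCertificate, inherited
# to sub-objects of the child domain head (dsacls /I:S) and set directly on AdminSDHolder.
function Test-UserCertAce {
    param([string]$Drive, [string]$Dn, [switch]$SubObjectsOnly)
    $aces = (Get-Acl -Path "${Drive}:\$Dn").Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and $_.ObjectType -eq $userCertGuid -and
        $_.IdentityReference.Value -eq $grantee
    }
    if ($SubObjectsOnly) { $aces = $aces | Where-Object { $_.InheritanceType -eq 'Descendents' } }
    # dsacls wrote RP and WP as two separate ACEs, so test each right independently.
    $rp = [bool]($aces | Where-Object { $_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ReadProperty })
    $wp = [bool]($aces | Where-Object { $_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty })
    $rp -and $wp
}

foreach ($child in $Children) {
    $childDn = (Get-ADDomain -Server $child).DistinguishedName
    if (Get-PSDrive ChildAD -ErrorAction SilentlyContinue) { Remove-PSDrive ChildAD }
    New-PSDrive -Name ChildAD -PSProvider ActiveDirectory -Server $child -Root '' | Out-Null
    '{0}: domain-head ACEs ok={1}; AdminSDHolder ACEs ok={2}' -f $child,
        (Test-UserCertAce -Drive ChildAD -Dn $childDn -SubObjectsOnly),
        (Test-UserCertAce -Drive ChildAD -Dn "CN=AdminSDHolder,CN=System,$childDn")
    Remove-PSDrive ChildAD
}
```

Any line reporting a missing member, a non-DomainLocal scope or a false ACE result points at the step that still needs to be redone in that domain.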