.NET Framework EncoderParameter integer overflow vulnerability

2012-04-23 Thread Akita Software Security
ss is not available for Silverlight applications.


Limitations

As noted above, this issue cannot be exploited using a Silverlight
application.

With the release of MS11-044 [11], Microsoft changed the way ClickOnce
& XBAP applications are started. In particular, whenever such an
application is started from the Internet security zone, a dialog is
always shown even if the application does not request elevated
permissions. Previously the application would just start. See also:
http://blogs.msdn.com/b/clrteam/archive/2011/06/06/changes-coming-to-clickonce-applications-running-in-the-internet-zone.aspx

(It is possible to display a green icon in the dialog by code signing
the manifests. When the manifests aren't signed, a red icon is
displayed).

The dialog is not shown for applications launched from the intranet
security zone. In this case the application will start immediately - as
long as it does not request elevated permissions. The intranet zone is
only available when it has been enabled on the target system. This is
common for corporate networks, but less common for home users.

Finally, with the release of Internet Explorer 9 Microsoft chose to
disable XBAP applications in the Internet security zone. See also:
http://blogs.msdn.com/b/ieinternals/archive/2011/03/09/internet-explorer-9-xbap-disabled-in-the-internet-zone.aspx


Windows XP

A special note must be made for Windows XP. Windows XP turns out to be
less forgiving when allocating large arrays: in many cases an
OutOfMemoryException is thrown while trying to exploit this issue.
Successful exploitation was nevertheless achieved on a 32-bit Windows XP
system with 4GB of RAM.


References

[1] http://www.akitasecurity.nl/advisory.html?id=AK20110801
[2] http://technet.microsoft.com/en-us/security/bulletin/ms12-025
[3] http://support.microsoft.com/kb/2671605
[4] http://www.beyondsecurity.com/ssd.html
[5] http://weblog.ikvm.net/PermaLink.aspx?guid=b3525cd1-8788-4d6d-b299-4722ddebad94
[6] http://technet.microsoft.com/en-us/security/bulletin/ms12-025
[7] http://msdn.microsoft.com/en-us/library/system.drawing.imaging.encoderparameter.aspx
[8] http://msdn.microsoft.com/en-us/library/yf1d93sz%28v=VS.100%29.aspx
[9] http://msdn.microsoft.com/en-us/library/system.security.allowpartiallytrustedcallersattribute.aspx
[10] http://msdn.microsoft.com/en-us/magazine/ee677170.aspx
[11] http://technet.microsoft.com/en-us/security/bulletin/ms11-044


-- 
----
Akita Software Security (Kvk 37144957)
http://www.akitasecurity.nl/

Key fingerprint = 5FC0 F50C 8B3A 4A61 7A1F  2BFF 5482 D26E D890 5A65
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x5482D26ED8905A65


signature.asc
Description: This is a digitally signed message part


Office arbitrary ClickOnce application execution vulnerability

2012-01-12 Thread Akita Software Security
e OLE Package will not result in the dialog as shown in
figure 6. To make a successful attack more likely, an attacker can
format the OLE Package such that it does not look like an embedded file.

A proof of concept was created that utilizes these techniques to create
a very simple game. If the user follows the provided instructions, the
user will launch the ClickOnce application.

http://www.akitasecurity.nl/advisory/AK20100601/007-word_2007_game_poc.png
Figure 7: Screenshot of Word proof of concept.


PowerPoint 2007

PowerPoint allows Custom Animations to be set for OLE Packages. Besides
the regular animations, there are two OLE-specific animations (named
Object Actions): Activate Contents and Edit Package. Activate Contents
performs the same actions as if the user double-clicked the embedded
object. Thus, using Custom Animations it is possible to perform a
particular sequence of actions, allowing an embedded ClickOnce
application to be executed with Full Trust permissions.

Doing so triggers a series of dialog windows, such as the one shown in
figure 6, but the user does not need to interact with them. Custom
Animations are executed when the presentation is displayed in Slide Show
mode (for example by pressing F5 or by double-clicking a .pps or .ppsx
file). Since slide shows are shown full screen and focus is regained
when an animation action is executed, it is possible to hide these
dialogs. Once the ClickOnce application is running, it can send a
Windows message to the dialogs so that they are closed automatically.

On Windows Vista and later, the Edit Package animation also causes a
copy of the embedded file to be saved locally. This option shows a
window in which the user can change the label of the OLE Package, and
blocks the current Custom Animation until the user closes that window.
The window can be closed (among other ways) by clicking the OK or Cancel
button, pressing the close key combination, or clicking the close button
in the title bar. No matter what the user chooses, the temporary file
persists locally until the PowerPoint presentation is closed.
Consequently some user interaction is required, but the only way to stop
the exploit from running is to close PowerPoint through Task Manager.


Macros

It is also possible to perform the steps used in the PowerPoint examples
using macros, provided the user allows macros to run for the document.
The following Word macro activates every inline OLE object (and thus
every embedded OLE Package) as soon as the document is opened:

Private Sub Document_Open()
    Dim i As Integer
    ' Activating an embedded OLE Package is equivalent to the user
    ' double-clicking it.
    For i = 1 To ActiveDocument.InlineShapes.Count
        ActiveDocument.InlineShapes(i).OLEFormat.Activate
    Next i
End Sub


Windows XP

Exploiting this issue on Windows XP using the attack vectors described
above fails. On Windows XP, OLE Packages are handled by the packager.exe
application (Windows Object Packager), while on Windows Vista and later
they are handled by the DLL packager.dll; which server is used is
defined in the Registry key
HKEY_CLASSES_ROOT\Package\protocol\StdFileEditing\server. The big
difference between the two is that on Windows XP the temporary file is
removed when packager.exe exits, while on Windows Vista and later the
file is removed when the Office document is closed (and the DLL is
unloaded). Also, the executable saves its files in the Temporary
Internet Files folder while the DLL uses the user's temporary folder
(i.e. C:\Users\<username>\AppData\Local\Temp).

When an embedded ClickOnce application is launched through its
deployment manifest, the dfsvc.exe service is started. This process runs
detached from packager.exe, so packager.exe considers the action
finished, exits and removes the temporary deployment manifest. This
creates a race between that removal and the ClickOnce service's attempt
to parse the deployment manifest. As the file has (in most cases)
already been removed by packager.exe, parsing fails and an error message
is displayed.


References

[1] http://www.akitasecurity.nl/advisory.html?id=AK20100601
[2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0013
[3] http://technet.microsoft.com/en-us/security/bulletin/ms12-005
[4] http://support.microsoft.com/kb/2584146
[5] http://www.beyondsecurity.com/ssd.html



Akamai Download Manager arbitrary file download & execution

2010-07-30 Thread Akita Software Security
is lagging
behind. The default option of trusting all code from one publisher is
flawed: publishers that distribute a lot of Java applets are more likely
to also distribute vulnerable applets. Since signed applets are, in
effect, equivalent to ActiveX controls, this can lead to a full
compromise of users' systems.


References

[1] http://www.akitasecurity.nl/advisory.php?id=AK20090402
[2] http://msdn.microsoft.com/en-us/library/ms682586.aspx
[3] http://www.oreillynet.com/onlamp/blog/2008/05/safari_carpet_bomb.html
[4] http://www.microsoft.com/technet/security/Bulletin/MS09-014.mspx
[5] http://www.microsoft.com/technet/security/Bulletin/MS09-015.mspx
[6] http://www.microsoft.com/technet/security/advisory/953818.mspx
[7] http://www.microsoft.com/technet/security/advisory/953818.mspx




Outlook PR_ATTACH_METHOD file execution vulnerability

2010-07-15 Thread Akita Software Security
see also Security Research & Defense blog [4]). 

Executables can also be delivered over the web (HTTP), but in that case
the file is loaded through the default web browser, which normally warns
the user before running a downloaded executable.


References


[1] http://www.akitasecurity.nl/advisory.php?id=AK20091001
[2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0266
[3] http://www.microsoft.com/technet/security/bulletin/ms10-045.mspx
[4] http://blogs.technet.com/b/srd/archive/2010/07/13/ms10-045-microsoft-office-outlook-remote-code-execution-vulnerability.aspx
[5] http://support.microsoft.com/kb/978212
[6] http://support.microsoft.com/kb/2271150
[7] http://www.beyondsecurity.com/ssd.html
[8] http://www.microsoft.com/technet/security/bulletin/ms10-045.mspx




getPlus insufficient domain name validation vulnerability

2010-02-26 Thread Akita Software Security
90401
[2] http://www.adobe.com/support/security/bulletins/apsb10-08.html
[3] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0189
[4] http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=856
[5] http://aviv.raffon.net/2010/02/18/SkeletonsInAdobesSecurityCloset.aspx
[6] http://www.nosltd.com/index.php?option=com_content&task=view&id=38&Itemid=26
[7] http://www.nosltd.com/





FreeWebshop.org: multiple vulnerabilities

2009-12-29 Thread Akita Software Security
is performed on the content of this cookie. This allows attackers to
perform a directory traversal attack and include arbitrary local files,
disclosing the contents of arbitrary files or, if the attacker can
manipulate the content of the included file, even executing arbitrary
code. This vulnerability exists in the following code:

includes/initlang.inc.php:



Setting the cookie cookie_lang to the following value will display the
contents of the /etc/passwd file:

../../../../../../../etc/passwd%00

Note that this payload ends in a NULL byte (%00), the usual way to
truncate a path so that anything the script appends after the cookie
value is ignored. Because of this, the attack only works on PHP
installations where magic quotes (magic_quotes_gpc) are disabled: with
magic quotes enabled the NULL byte is escaped and the truncation fails.


References

[1] http://www.akitasecurity.nl/advisory.php?id=AK20090301
[2] http://freewebshop.org/




yTNEF/Evolution TNEF Attachment decoder plugin directory traversal & buffer overflow vulnerabilities

2009-09-08 Thread Akita Software Security
        "%s", filename->data);
    } else {
        sprintf(ifilename, "%s/%s", filepath, filename->data);
    }

yTNEF:

void ProcessTNEF(TNEFStruct TNEF) {
[...]
    char ifilename[256];
[...]
    if (filepath == NULL) {
        /* no length check: filename->data comes straight from the
         * attachment and may also contain "../" components */
        sprintf(ifilename, "%s", filename->data);
    } else {
        sprintf(ifilename, "%s/%s", filepath, filename->data);
    }
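Both the FreeWebshop cookie_lang issue above and the two sprintf() calls shown here share one root cause: an attacker-controlled name is joined onto a directory without any check on its contents or its length. The following C program is an added example written for this page, not code from yTNEF, Evolution or FreeWebshop. It shows the two checks a hardened version needs: a percent-decoder that reports the decoded length, so an embedded %00 shows up as a length mismatch instead of silently truncating the path, and a bounded join that refuses path separators, "." and "..", and uses the return value of snprintf() to reject a name that would not fit the destination rather than writing past it. The directory names, result codes, function names and the inputs constructed in main() are assumptions of the example.

```c
#include <stdio.h>
#include <string.h>

/* Verdicts returned by safe_join()/decode_and_join(); assumed for this example. */
enum {
    JOIN_OK           =  0,
    JOIN_EMBEDDED_NUL = -1,  /* decoded name contains a %00 byte */
    JOIN_TRAVERSAL    = -2,  /* name carries a separator or is "." / ".." */
    JOIN_TOO_LONG     = -3,  /* result would not fit the destination buffer */
    JOIN_BAD_ENCODING = -4   /* malformed %XX sequence, or too long to decode */
};

static int hexval(int c) {
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Percent-decodes src into dst (capacity cap) and returns the number of bytes
 * written, or -1 on a malformed sequence or lack of space. The length is
 * returned explicitly because a decoded %00 is a NUL byte that strlen() would
 * hide; the caller compares the two to detect it. */
int percent_decode(const char *src, char *dst, size_t cap) {
    size_t n = 0;
    for (size_t i = 0; src[i] != '\0'; i++) {
        int c = (unsigned char)src[i];
        if (c == '%') {
            int hi = hexval((unsigned char)src[i + 1]);
            int lo = hi < 0 ? -1 : hexval((unsigned char)src[i + 2]);
            if (hi < 0 || lo < 0) return -1;
            c = hi * 16 + lo;
            i += 2;
        }
        if (n + 1 >= cap) return -1;
        dst[n++] = (char)c;
    }
    dst[n] = '\0';
    return (int)n;
}

/* Writes "<dir>/<name>" into out[outsz]. name_len is the byte count the
 * decoder or parser reported, not strlen(name): a mismatch means an embedded
 * NUL. The name may only be a direct child of dir, and the snprintf() return
 * value is checked so an over-long attachment name is refused instead of being
 * written past the end of a fixed buffer as the sprintf() calls above do. */
int safe_join(char *out, size_t outsz, const char *dir,
              const char *name, size_t name_len) {
    if (strlen(name) != name_len) return JOIN_EMBEDDED_NUL;
    if (name_len == 0 || strchr(name, '/') || strchr(name, '\\') ||
        strcmp(name, ".") == 0 || strcmp(name, "..") == 0)
        return JOIN_TRAVERSAL;
    int n = snprintf(out, outsz, "%s/%s", dir, name);
    if (n < 0 || (size_t)n >= outsz) {
        out[0] = '\0';
        return JOIN_TOO_LONG;
    }
    return JOIN_OK;
}

/* The cookie case: decode a percent-encoded value, then join it under dir. */
int decode_and_join(char *out, size_t outsz, const char *dir, const char *encoded) {
    char name[512];
    int len = percent_decode(encoded, name, sizeof name);
    if (len < 0) return JOIN_BAD_ENCODING;
    return safe_join(out, outsz, dir, name, (size_t)len);
}

/* The attachment case: a 299-byte name against a 256-byte buffer, the size
 * of ifilename in the yTNEF code above. */
int demo_long_name(void) {
    char name[300], out[256];
    memset(name, 'A', sizeof name - 1);
    name[sizeof name - 1] = '\0';
    return safe_join(out, sizeof out, "/tmp", name, strlen(name));
}

int main(void) {
    char out[256];
    /* Constructed inputs: the advisory's cookie_lang payload and a benign name. */
    printf("cookie payload -> %d\n",
           decode_and_join(out, sizeof out, "lang", "../../../../../../../etc/passwd%00"));
    printf("long name      -> %d\n", demo_long_name());
    printf("report.txt     -> %d (%s)\n",
           safe_join(out, sizeof out, "/tmp", "report.txt", strlen("report.txt")), out);
    return 0;
}
```

The order of the checks matters: the length comparison runs first, so a payload that ends in %00 is reported as an embedded NUL even though it also contains "../"; without the decoder-supplied length, strlen() alone would have seen a perfectly ordinary relative path.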


References


[1] http://www.akitasecurity.nl/advisory.php?id=AK20090601
[2] http://www.ocert.org/advisories/ocert-2009-013.html
[3] http://www.go-evolution.org/Tnef
[4] http://sourceforge.net/projects/ytnef/




PulseAudio local race condition privilege escalation vulnerability

2009-07-17 Thread Akita Software Security
 link. If PulseAudio is
restarted, it will use a path name that at this moment points to a
different file, for example a command shell. Root privileges are not
dropped while PulseAudio is reloading, thus allowing a local attacker to
gain root privileges.

Note that this attack is only possible if the attacker can create hard
links on the same filesystem as the PulseAudio binary (for example when
/usr/bin and /tmp reside on the same partition), since hard links cannot
cross filesystems.
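The check a privileged program can apply before reusing a path it did not create, as an added example written for this page (it is not the pa_race proof of concept, which is only available via [6]): a file that is about to be trusted must be a plain file, owned by the expected user, not writable by others, and have exactly one name (st_nlink == 1), so that no second hard link in a directory like /tmp can be swapped out underneath it. The scratch file under /tmp, the result codes and the function names are assumptions of the example; a daemon would apply the same verdict to the executable and configuration paths it is about to reopen as root.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>

/* Verdicts of verify_trusted_path(); assumed for this example. */
enum {
    TRUST_OK          =  0,
    TRUST_STAT_FAILED = -1,
    TRUST_NOT_REGULAR = -2,  /* symlink, directory, device, ... */
    TRUST_HARDLINKED  = -3,  /* st_nlink > 1: another name can be re-pointed */
    TRUST_WRONG_OWNER = -4,
    TRUST_WRITABLE    = -5   /* group/other write bit set */
};

/* Checks that path names a plain file owned by `owner`, with exactly one name
 * in the filesystem and no group/other write permission. lstat() is used so a
 * symbolic link is reported as such rather than followed. */
int verify_trusted_path(const char *path, uid_t owner) {
    struct stat st;
    if (lstat(path, &st) != 0) return TRUST_STAT_FAILED;
    if (!S_ISREG(st.st_mode)) return TRUST_NOT_REGULAR;
    if (st.st_nlink != 1) return TRUST_HARDLINKED;
    if (st.st_uid != owner) return TRUST_WRONG_OWNER;
    if (st.st_mode & (S_IWGRP | S_IWOTH)) return TRUST_WRITABLE;
    return TRUST_OK;
}

/* Returns 1 if the descriptor fd and the name path refer to the same inode on
 * the same device, 0 if they differ, -1 on error. Comparing a descriptor
 * opened earlier with what the name resolves to now is how a daemon notices
 * that a path was re-pointed between two uses. */
int fd_still_matches_path(int fd, const char *path) {
    struct stat a, b;
    if (fstat(fd, &a) != 0 || stat(path, &b) != 0) return -1;
    return (a.st_dev == b.st_dev && a.st_ino == b.st_ino) ? 1 : 0;
}

/* Demonstration on a scratch file: create it, verify it, then give it a
 * second hard link the way the advisory's attacker does and verify again.
 * Returns the verdict after the link was added (TRUST_HARDLINKED). */
int demo_hardlink_detection(void) {
    char tmpl[] = "/tmp/trusted_XXXXXX";
    int fd = mkstemp(tmpl);              /* created with mode 0600 */
    if (fd < 0) return TRUST_STAT_FAILED;
    char alias[sizeof tmpl + 6];
    snprintf(alias, sizeof alias, "%s.alias", tmpl);

    int before = verify_trusted_path(tmpl, getuid());
    int linked = link(tmpl, alias);      /* attacker: second name, same inode */
    int after  = linked == 0 ? verify_trusted_path(tmpl, getuid()) : TRUST_STAT_FAILED;
    int same   = linked == 0 ? fd_still_matches_path(fd, alias) : -1;

    if (linked == 0) unlink(alias);
    unlink(tmpl);
    close(fd);
    if (before != TRUST_OK) return before;
    return same == 1 ? after : TRUST_STAT_FAILED;
}

int main(void) {
    printf("verdict after hard link: %d\n", demo_hardlink_detection());
    return 0;
}
```

The check is itself only a snapshot: if the daemon afterwards reopens the name, the same race reappears in the window between the check and the open. The robust fix is to keep the descriptor that was opened before privileges were dropped and to re-execute through it (fexecve) or through a fixed, root-owned path, so that a name under a world-writable directory is never consulted while running as root.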


Proof of concept


The following proof of concept exploits this issue by creating hard 
links in the /tmp directory.

pa_race [6]

$ ./pa_race
I: caps.c: Limited capabilities successfully to CAP_SYS_NICE.
I: caps.c: Dropping root privileges.
I: caps.c: Limited capabilities successfully to CAP_SYS_NICE.
N: main.c: Called SUID root and real-time and/or high-priority scheduling was requested in the configuration. However, we lack the necessary privileges:
N: main.c: We are not in group 'pulse-rt', PolicyKit refuse to grant us the requested privileges and we have no increase RLIMIT_NICE/RLIMIT_RTPRIO resource limits.
N: main.c: For enabling real-time/high-priority scheduling please acquire the appropriate PolicyKit privileges, or become a member of 'pulse-rt', or increase the RLIMIT_NICE/RLIMIT_RTPRIO resource limits for this user.
E: pid.c: Daemon already running.
E: main.c: pa_pid_file_create() failed.
[...]
uid=0(root) gid=0(root) groups=4(adm),20(dialout),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),107(fuse),109(lpadmin),115(admin),1000(yorick)
# 


References


[1] http://www.akitasecurity.nl/advisory.php?id=AK20090602
[2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1894
[3] http://www.gentoo.org/security/en/glsa/glsa-200907-13.xml
[4] http://www.ubuntu.com/usn/usn-804-1
[5] http://pulseaudio.org/
[6] http://www.akitasecurity.nl/advisory/AK20090602/pa_race

