control. When the download starts, the ActiveX control creates a
temporary configuration file after which it invokes a separate program
(Manager.exe) that performs the download. Download Manager first asks the
user where the file should be saved (figure 1).
http://www.akitasecurity.nl/advisory/AK20090402/001_dlm_save_as_dialog.png
Figure 1: Download Manager Save As dialog
If the user chooses to save the file, the download window is displayed.
This window shows a summary overview of all downloads. An example of
this window is displayed in figure 2.
Google Chrome has a built-in file downloader[1], just like every other
browser. However, its behaviour differs from the other browsers in a way
that favours convenience: Chrome automatically downloads any file served
with a Content-Disposition header of "attachment" (all other browsers show
a Save As dialog instead). Chrome mitigates the automatic download of
malware by raising an alert for executable extensions such as .exe, .htm,
.jar, etc.
The vulnerability arises because other extensions, such as .svg, .mht and
.mhtml, are not in Chrome's malicious extension
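As an added illustration (not part of the original article and not Chrome's own code), the Python below parses a Content-Disposition header the way a download manager must before it can apply any extension policy, then contrasts the denylist behaviour described above with a stricter allow-list. The extension sets and the sample headers are constructed for this example; they are not Chrome's real lists.

```python
import re
from urllib.parse import unquote

# Constructed, illustrative sets (assumptions for this example, not Chrome's
# real lists). EXECUTABLE_EXTS mirrors the kind of extensions the text says
# Chrome already warned about; RENDERABLE_EXTS are the ones it says were
# missed: formats an HTML engine opens directly and that can carry script.
EXECUTABLE_EXTS = {"exe", "com", "bat", "cmd", "scr", "msi", "jar", "js",
                   "vbs", "htm", "html"}
RENDERABLE_EXTS = {"svg", "mht", "mhtml", "xml", "xhtml"}
# Allow-list used by the strict policy: inert types only.
SAFE_EXTS = {"txt", "pdf", "png", "jpg", "jpeg", "gif"}

# ';' key=value pairs; quoted values keep backslashes literal (as browsers do)
_PARAM_RE = re.compile(r';\s*([A-Za-z0-9_-]+\*?)\s*=\s*("[^"]*"|[^;]*)')


def parse_content_disposition(value):
    """Return (disposition type, file name or None) for a header value."""
    dtype = value.split(";", 1)[0].strip().lower()
    params = {}
    for key, raw in _PARAM_RE.findall(value):
        raw = raw.strip()
        if raw.startswith('"') and raw.endswith('"'):
            raw = raw[1:-1]
        params.setdefault(key.lower(), raw)   # first occurrence wins
    name = None
    if "filename*" in params:                 # RFC 5987: charset'lang'encoded
        m = re.fullmatch(r"([^']*)'[^']*'(.*)", params["filename*"])
        if m:
            name = unquote(m.group(2), encoding=m.group(1) or "utf-8",
                           errors="replace")
    if name is None:
        name = params.get("filename")
    if name:
        # Drop any directory component a server smuggles in, and the
        # trailing dots/spaces Windows silently strips from a file name.
        name = re.split(r"[\\/]", name)[-1].strip().rstrip(". ")
    return dtype, name or None


def extension_of(name):
    if not name or "." not in name:
        return ""
    return name.rsplit(".", 1)[1].lower()


def download_decision(header, policy="denylist"):
    """'render' (not a download), 'auto' (saved silently) or 'prompt'.

    policy='denylist' models the behaviour described in the text: anything
    that is an attachment is saved silently unless its extension is on the
    executable list. policy='strict' saves silently only allow-listed types.
    """
    dtype, name = parse_content_disposition(header)
    if dtype != "attachment":
        return "render"
    ext = extension_of(name)
    if policy == "denylist":
        return "prompt" if ext in EXECUTABLE_EXTS else "auto"
    return "auto" if ext in SAFE_EXTS else "prompt"


def denylist_gaps(headers):
    """Headers a denylist saves silently but the strict policy would prompt on."""
    return [h for h in headers
            if download_decision(h, "denylist") == "auto"
            and download_decision(h, "strict") == "prompt"]


# Constructed sample headers, including the .mht/.svg cases from the text.
SAMPLE_HEADERS = [
    'attachment; filename="report.pdf"',
    'attachment; filename="setup.exe"',
    'attachment; filename="page.mht"',
    "attachment; filename*=UTF-8''%D0%BF%D1%80%D0%B8%D0%B2%D0%B5%D1%82.svg",
    'attachment; filename="..\\..\\evil.htm"',
    'inline; filename="x.exe"',
]

if __name__ == "__main__":
    for h in SAMPLE_HEADERS:
        print(f"{h!r:70} denylist={download_decision(h):7} "
              f"strict={download_decision(h, 'strict')}")
    print("gaps:", denylist_gaps(SAMPLE_HEADERS))
```

Running it shows the .mht and .svg headers as the two entries a denylist lets through silently while the allow-list prompts; the `..\..\evil.htm` case shows why the name must be reduced to its last path component before the extension is even looked at.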
Download vulnerabilities in Google Chrome, which I described in detail in
the article Automatic File Download vulnerabilities in browsers
(http://websecurity.com.ua/2438/).
The goal of this research was to create a method of conducting File Download
attacks in different browsers (and DoS attacks via the Save As functionality),
which I called the SaveAs attack.
And even this attack (file saving) does not proceed automatically (as it did
in the first versions of Chrome; in newer versions of its browser Google
fixed this vulnerability, after my warnings, and the browser asks before
"SiteKiosk is software for public access internet terminals and lets you turn any computer into a secure multilanguage Internet terminal (already 20 different languages included), allowing the user to access the Internet but protecting the underlying operating system and files. Possible uses include presentations, exhibitions, libraries, and more. SiteKiosk works with normal displays and Touchscreens. A keyboard doesn't even have to be attached -- text can be entered via a keypad with a mouse. Plentiful options let you decide the amount of security your kiosk needs, from hard-disk protection to prohibiting specific Websites. The program can be used with either a direct network connection or Dial-Up Networking, providing Internet access "on demand." Other features include multiple-window support, automatic shutdown/restart, Shell-Replacement, hard-disk protection, thorough event-logging support, Log-Out Button, content-advisor, great website filtering (with automatic update), an easy-to-use configuration wizard, and more. SiteKiosk supports different payment methods like coin machines, bill acceptors, smart cards and others. Also very nice is the webcam support which enables users to send voice, video and photo emails. It is also possible to administer terminals by remote. SiteKiosk uses Internet Explorer as its basis but presents a much simplified interface that even the novice user will understand. Excellent online help is included."
[x] Attack Information
SiteKiosk tries to block file downloads. If you click a link that saves a file directly to the hard drive (e.g. an .exe download link), or right-click something and choose "save as...", a window pops up saying that the file cannot be downloaded. But you can bypass this with a special URL: the "about:" URL. SiteKiosk uses the Microsoft Internet Explorer engine to display web sites, so you can also use "about:" to render anything directly from the URL. For example, "about:hello" displays the text "hello" in the browser. Of course you can use HTML too: "about:<b>hello</b>" displays the text "hello" in bold. Normally this is harmless, but in SiteKiosk it can be used to download files.
[x] Exploit
Just access this URL:
;By Fox TeaM
</script>
</html>
-------------------------------------------------
Save As Html File , And Send The Link To Victim
-------------------------------------------------
By Hasadya Raed - Israel
· Rating : Critical.
· Description :
The vulnerability is caused by a boundary error when handling the "SaveAs"
function. Saving a malicious page with an overly long title (the <title>
tag in HTML) triggers a stack-based buffer overflow in the program, which
makes it possible for attackers to execute arbitrary code on users' systems.
· How an attacker could exploit the issue :
To exploit the vulnerability, an attacker might construct a specially crafted
RegKey Safe for Init: True
Implements IObjectSafety: False
KillBitSet: False
The first vulnerability is caused by the CExpressViewerControl class
(AdView.dll v9.0.0.96), which exposes the insecure SaveAS() method that
allows storing files locally with an arbitrary extension.
The second one is related to the ApplyPatch() method of the UpdateEngine
class (LiveUpdate16.DLL, 17.2.56? This is a shared DLL), which allows
launching an arbitrary executable via its second argument. Note that the
first one alone allows arbitrary code execution. The impact of the second
one is limited if you cannot
Rising installs its own program files with insecure permissions (Users: Full Control). A local attacker (an unprivileged user) can replace some files (for example, the executables of the Rising services) with a malicious file and execute arbitrary code with SYSTEM privileges. This is a local privilege escalation vulnerability.
For example, in Rising Antivirus 2009 the following attack scenario could be used:
1. The attacker (an unprivileged user) replaces one of the Rising Antivirus program files with a malicious executable. For example, the replaced file could be %Program Files%\Rising\RAV\RavTask.exe (Rising RavTask Manager).
2. Restart the system.
After the restart, the attacker's malicious file is executed with SYSTEM privileges.
The self-defense of Rising Antivirus prevents all operations on Rising program files. It can be bypassed using the internal shell dialogs of Rising Antivirus (for example, the "Save as" dialog in Tools -> Installer Creation Tool -> Browse).
A similar attack scenario can be used for the other vulnerable Rising products.
EXPLOITATION
An attacker must have valid logon credentials on a system where the vulnerable software is installed.
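As an added example (not from the advisory, and not a Rising tool), the Python below parses the text output of icacls and flags files or directories on which a low-privilege principal holds write, modify, delete or full-control rights, which is exactly the precondition for the file-replacement attack described above. The embedded icacls output is constructed to mirror the advisory's example path, and the sets of low-privilege principals and write-capable rights are assumptions chosen for illustration; the parser relies on icacls aligning continuation ACEs under the first one, and falls back to a regex for single-ACE entries.

```python
import re
from dataclasses import dataclass

# Principals an unprivileged local user holds (assumption for this example;
# extend with any custom groups every user is placed in).
LOW_PRIV_PRINCIPALS = {
    "Everyone",
    r"BUILTIN\Users",
    r"NT AUTHORITY\Authenticated Users",
    r"NT AUTHORITY\INTERACTIVE",
}

# icacls rights codes that let the holder overwrite, replace or delete the
# object (or, on a directory, the files inside it).
WRITE_RIGHTS = {"F", "M", "W", "WD", "AD", "D", "DC", "WDAC", "WO"}

# "DOMAIN\name:(I)(F)" or "CREATOR OWNER:(OI)(CI)(IO)(F)"
ACE_RE = re.compile(r"^(?P<principal>[^:()]+?):(?P<perms>(?:\([^)]*\))+)\s*$")

# Fallback split for an entry with a single ACE. Ambiguous when the path
# itself contains spaces; for such paths run icacls on the single path.
FIRST_LINE_RE = re.compile(
    r"^(?P<path>.+?) (?P<ace>(?:[^\\:()]+\\)?[^\\:()]+:(?:\([^)]*\))+)\s*$")


@dataclass(frozen=True)
class Finding:
    path: str
    principal: str
    rights: frozenset


def parse_ace(text):
    """'BUILTIN\\Users:(I)(F)' -> ('BUILTIN\\Users', {'I', 'F'}) or None."""
    m = ACE_RE.match(text)
    if not m:
        return None
    groups = re.findall(r"\(([^)]*)\)", m.group("perms"))
    tokens = {t.strip() for g in groups for t in g.split(",") if t.strip()}
    return m.group("principal").strip(), tokens


def parse_icacls(output):
    """Map each path in icacls output to its list of (principal, rights)."""
    entries = {}
    lines = [l.rstrip("\r") for l in output.splitlines() if l.strip()]
    i = 0
    while i < len(lines):
        line = lines[i]
        if line.startswith(("Successfully processed", "Failed processing")):
            i += 1
            continue
        j = i + 1
        while j < len(lines) and lines[j][0].isspace():
            j += 1
        cont = lines[i + 1:j]
        path = first = None
        if cont:
            # icacls indents continuation ACEs to align under the first ACE,
            # i.e. by len(path) + 1, which makes the split unambiguous.
            width = len(cont[0]) - len(cont[0].lstrip())
            if 0 < width < len(line) and line[width - 1] == " ":
                path, first = line[:width - 1], line[width:]
        if path is None:
            m = FIRST_LINE_RE.match(line)
            if not m:
                i = j
                continue
            path, first = m.group("path"), m.group("ace")
        aces = [parse_ace(first)] + [parse_ace(c.strip()) for c in cont]
        entries[path] = [a for a in aces if a is not None]
        i = j
    return entries


def find_weak_acls(output):
    """Allow ACEs granting a low-privilege principal a write-capable right."""
    findings = []
    for path, aces in parse_icacls(output).items():
        for principal, tokens in aces:
            if "DENY" in tokens or principal not in LOW_PRIV_PRINCIPALS:
                continue
            hit = tokens & WRITE_RIGHTS
            if hit:
                findings.append(Finding(path, principal, frozenset(hit)))
    return findings


# Constructed sample in icacls' text format (not captured from a real host).
SAMPLE_ICACLS_OUTPUT = r"""
C:\Program Files\Rising\RAV\RavTask.exe BUILTIN\Users:(I)(F)
                                        NT AUTHORITY\SYSTEM:(I)(F)
                                        BUILTIN\Administrators:(I)(F)
C:\Program Files\Rising\RAV NT AUTHORITY\Authenticated Users:(OI)(CI)(M)
                            NT AUTHORITY\SYSTEM:(OI)(CI)(F)
C:\Windows\notepad.exe NT AUTHORITY\SYSTEM:(F)
                       BUILTIN\Users:(RX)
                       Everyone:(DENY)(W)

Successfully processed 3 files; Failed processing 0 files
"""

if __name__ == "__main__":
    import sys
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_ICACLS_OUTPUT
    for f in find_weak_acls(text):
        print(f"{f.path}: {f.principal} has {sorted(f.rights)}")
```

Feed it real data with `icacls "C:\Program Files\Rising" /t | python weak_acl.py`; on the constructed sample it reports the RavTask.exe ACE (Users: F) and the directory ACE (Authenticated Users: M), and ignores the inherited read-only and DENY entries on notepad.exe. A directory hit matters as much as a file hit, since modify rights on the folder allow the file to be renamed away and replaced.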