Windows 7
3. *Vulnerability Description*
Windows Virtual PC and Microsoft Virtual PC 2007 are system
virtualization desktop applications from Microsoft used to run one or
many virtual hosts on a single physical system. Windows 7 relies on
Virtual PC technology to implement the backward compatibility XP Mode
for legacy Windows applications. Using XP Mode, Windows 7 users can run
Windows applications on a virtualized Windows XP SP3 operating system
directly from the Windows 7 desktop but in doing so they may be
inadvertently increasing their risk due to a bug that makes standard
(Copy of the Vendor Homepage: http://en.wikipedia.org/wiki/Skype)
Abstract:
=========
The Vulnerability-Lab Team discovered a remote memory corruption vulnerability in Skype v5.6.59.x on Windows 7 x64 (Acer Aspire 5738).
Report-Timeline:
================
2011-11-07: Vendor Notification
in Microsoft Windows.
The vulnerability is caused by a stack overflow error in the OpenType
Compact Font Format (CFF) driver "ATMFD.dll" when processing certain
operands within an OpenType font. It could be exploited by remote
attackers to execute arbitrary code on vulnerable Windows 7, Windows
Server 2008, Windows Server 2008 R2, and Windows Vista systems via a
malicious font, or by local attackers to gain elevated privileges on
Windows XP and Windows Server 2003 systems via a malicious application.
CVSS Score: 10 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
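The description above says only that ATMFD.dll overflows a stack while processing operands. The following is an added example, not Microsoft's driver code and not from the advisory, that models where the missing check belongs: it decodes the Type 2 charstring number encodings from the CFF specification and pushes them onto the 48-entry operand stack the specification allows, rejecting a charstring that would push a 49th operand. The assumption that every operator clears the stack, the constructed charstrings, and all function names are this example's own; the page does not state that this is the exact code path in ATMFD.dll.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Type 2 charstring operand stack limit from the CFF specification. */
#define CFF_MAX_OPERANDS 48

typedef enum { CFF_OK = 0, CFF_ERR_OVERFLOW = -1, CFF_ERR_TRUNCATED = -2 } cff_status;

typedef struct {
    int32_t stack[CFF_MAX_OPERANDS];
    size_t  sp;      /* current depth */
    size_t  max_sp;  /* high-water mark, handy when triaging a suspect font */
} cff_stack_t;

/* Push one operand. The bounds check is the whole fix: without it, a
 * charstring carrying more than 48 consecutive operands writes past the
 * end of stack[] into whatever the interpreter keeps next to it. */
static cff_status cff_push(cff_stack_t *st, int32_t v)
{
    if (st->sp >= CFF_MAX_OPERANDS)      /* the check a vulnerable parser lacks */
        return CFF_ERR_OVERFLOW;
    st->stack[st->sp++] = v;
    if (st->sp > st->max_sp) st->max_sp = st->sp;
    return CFF_OK;
}

/* Decode one Type 2 charstring number starting at cs[*i]; advances *i. */
static cff_status cff_read_operand(const uint8_t *cs, size_t len, size_t *i, int32_t *out)
{
    uint8_t b0 = cs[*i];
    size_t need = (b0 == 28) ? 3 : (b0 == 255) ? 5 : (b0 >= 247) ? 2 : 1;
    if (len - *i < need) return CFF_ERR_TRUNCATED;       /* never read past the buffer */
    const uint8_t *p = cs + *i;
    if (b0 == 28)        *out = (int16_t)((p[1] << 8) | p[2]);                 /* 16-bit */
    else if (b0 == 255)  *out = (int32_t)(((uint32_t)p[1] << 24) | ((uint32_t)p[2] << 16) |
                                          ((uint32_t)p[3] << 8) | (uint32_t)p[4]); /* 16.16 fixed, raw */
    else if (b0 <= 246)  *out = (int32_t)b0 - 139;                              /* one byte */
    else if (b0 <= 250)  *out = ((int32_t)b0 - 247) * 256 + p[1] + 108;         /* two bytes, + */
    else                 *out = -((int32_t)b0 - 251) * 256 - p[1] - 108;        /* two bytes, - */
    *i += need;
    return CFF_OK;
}

/* Walk a charstring, pushing operands and clearing the stack on every
 * operator (simplification: in real Type 2 a few operators keep arguments). */
cff_status cff_run_charstring(const uint8_t *cs, size_t len, cff_stack_t *st)
{
    memset(st, 0, sizeof *st);
    size_t i = 0;
    while (i < len) {
        uint8_t b0 = cs[i];
        if (b0 >= 32 || b0 == 28) {
            int32_t v;
            cff_status rc = cff_read_operand(cs, len, &i, &v);
            if (rc != CFF_OK) return rc;
            if ((rc = cff_push(st, v)) != CFF_OK) return rc;
        } else {
            if (b0 == 12) {                       /* escape: two-byte operator */
                if (len - i < 2) return CFF_ERR_TRUNCATED;
                i += 2;
            } else {
                i += 1;
            }
            st->sp = 0;
        }
    }
    return CFF_OK;
}

/* Triage helper: n consecutive zero operands (byte 139) with no operator.
 * Returns the depth reached, or the negative status if the run is rejected. */
int cff_probe_depth(size_t n)
{
    uint8_t buf[64];
    if (n > sizeof buf) return CFF_ERR_OVERFLOW;  /* anything past 48 overflows anyway */
    memset(buf, 139, n);
    cff_stack_t st;
    cff_status rc = cff_run_charstring(buf, n, &st);
    return rc == CFF_OK ? (int)st.max_sp : (int)rc;
}

/* Exercises every operand encoding on a constructed charstring (not from a real font). */
int cff_selftest(void)
{
    static const uint8_t cs[] = {
        139,               /* 0      one-byte form            */
        247, 0,            /* 108    two-byte positive form   */
        251, 0,            /* -108   two-byte negative form   */
        28, 0x01, 0x00,    /* 256    16-bit form              */
        255, 0, 1, 0, 0,   /* 65536  1.0 in 16.16, five bytes */
        1,                 /* hstem operator: clears the stack */
        247,               /* truncated two-byte operand      */
    };
    cff_stack_t st;
    if (cff_run_charstring(cs, 13, &st) != CFF_OK || st.sp != 5) return 0;
    if (st.stack[0] != 0 || st.stack[1] != 108 || st.stack[2] != -108 ||
        st.stack[3] != 256 || st.stack[4] != 65536) return 0;
    if (cff_run_charstring(cs, 14, &st) != CFF_OK || st.sp != 0 || st.max_sp != 5) return 0;
    if (cff_run_charstring(cs, sizeof cs, &st) != CFF_ERR_TRUNCATED) return 0;
    return 1;
}
```

cff_probe_depth(48) returns 48 and cff_probe_depth(49) returns CFF_ERR_OVERFLOW; the high-water mark in max_sp is the number a fuzzer harness would log per glyph to spot fonts that approach the limit.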
. Windows Vista x64 Edition SP1 and Windows Vista x64 Edition SP2
. Windows Server 2008 for 32-bit Systems and Windows Server 2008 for
32-bit Systems SP2
. Windows Server 2008 for Itanium-based Systems and Windows Server
2008 for Itanium-based Systems SP2
. Windows 7 for 32-bit Systems and Windows 7 for 32-bit Systems SP1
. Windows 7 for x64-based Systems and Windows 7 for x64-based Systems SP1
. Windows Server 2008 R2 for Itanium-based Systems and Windows Server
2008 R2 for Itanium-based Systems SP1
Microsoft Windows XP Media Center Edition 2005 Service Pack 3
Microsoft Windows XP Service Pack 3
Microsoft Windows XP Professional x64 Edition Service Pack 2
Microsoft Windows Vista Service Pack 2
Microsoft Windows Vista x64 Edition Service Pack 2
Microsoft Windows 7 (32-bit)
Microsoft Windows 7 (32-bit) Service Pack 1
Microsoft Windows 7 (x64)
Microsoft Windows 7 (x64) Service Pack 1
Microsoft Windows Server 2008 for 32-bit Systems Service Pack 2
Microsoft Windows Server 2008 for x64-based Systems
Microsoft Windows Server 2008 for x64-based Systems Service Pack 2
Microsoft Windows Server 2008 for Itanium-based Systems
Microsoft Windows Server 2008 for Itanium-based Systems Service Pack 2
Microsoft Windows 7 for 32-bit Systems
Microsoft Windows 7 for 32-bit Systems Service Pack 1
Microsoft Windows 7 for x64-based Systems
Microsoft Windows 7 for x64-based Systems Service Pack 1
Microsoft Windows Server 2008 R2 for x64-based Systems
Microsoft Windows Server 2008 R2 for x64-based Systems Service Pack 1
Microsoft Internet Explorer 9
Microsoft Internet Explorer 8
Microsoft Internet Explorer 7
Microsoft Internet Explorer 6
Windows 7 is soon to be released. Translation: that means no one is
investing any resources into an operating system that is just hanging
around long enough for the RTM of Windows 7 to be installed on
netbooks. Every version of XP professional that I've touched in the
last three years on HP machines did prompt you for a password. Again,
this is not a vulnerability of the operating system but an
implementation issue that has been around since 2004.
Configuring Windows 7 for a Limited User Account:
http://unixwiz.net/techtips/win7-limited-user.html
- Setting up a VDM context requires SeTcbPrivilege.
- ring3 code cannot install arbitrary code segment selectors.
- ring3 code cannot forge a trap frame.
This is believed to affect every release of the Windows NT kernel, from
Windows NT 3.1 (1993) up to and including Windows 7 (2009).
Working out the details of the attack is left as an exercise for the reader.
Just kidding, that was an homage to Derek Soeder :-)
[affected software]
Comodo Internet Security, until 5.9
[description]
BSOD under Windows 7 x64 if a 32-bit PE with a kernel-space ImageBase is executed.
Such files are very unusual, but work perfectly if the PE contains
relocations, as shown at http://pe.corkami.com#ImageBase and
http://pe.corkami.com#relocations
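An added example, not from Comodo, Microsoft or corkami, that parses the PE header fields the note above turns on: whether the image is PE32 (32-bit), whether its ImageBase lies at or above 0x80000000, and whether a base relocation directory is present and not marked stripped, since a 32-bit image cannot be mapped at a kernel-space base from user mode and only runs if the loader can rebase it. The minimal header it builds in memory is constructed for the demonstration and is not a runnable executable; the 0x80000000 boundary is the default user/kernel split on 32-bit Windows and is an assumption of this example (a /3GB system uses 0xC0000000). All function names are hypothetical.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

typedef struct {
    int      is_pe32;          /* 1 = PE32 (32-bit), 0 = PE32+ */
    uint64_t image_base;
    int      has_reloc_dir;    /* IMAGE_DIRECTORY_ENTRY_BASERELOC (index 5) non-empty */
    int      relocs_stripped;  /* IMAGE_FILE_RELOCS_STRIPPED (0x0001) in Characteristics */
} pe_info_t;

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static uint64_t rd64(const uint8_t *p) { return rd32(p) | ((uint64_t)rd32(p + 4) << 32); }
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void wr32(uint8_t *p, uint32_t v) { wr16(p, (uint16_t)v); wr16(p + 2, (uint16_t)(v >> 16)); }

/* Parse just enough of the headers to answer the ImageBase/relocation question.
 * Every offset is bounds-checked against len; returns 0 on success, -1 if malformed. */
int pe_inspect(const uint8_t *buf, size_t len, pe_info_t *out)
{
    memset(out, 0, sizeof *out);
    if (len < 0x40 || rd16(buf) != 0x5A4D) return -1;              /* "MZ" */
    uint32_t e_lfanew = rd32(buf + 0x3C);
    if (e_lfanew > len || len - e_lfanew < 4 + 20) return -1;       /* signature + COFF header */
    const uint8_t *nt = buf + e_lfanew;
    if (rd32(nt) != 0x00004550) return -1;                          /* "PE\0\0" */
    const uint8_t *coff = nt + 4;
    uint16_t opt_size = rd16(coff + 16);                            /* SizeOfOptionalHeader */
    out->relocs_stripped = (rd16(coff + 18) & 0x0001) != 0;         /* Characteristics */
    const uint8_t *opt = coff + 20;
    if (len - (size_t)(opt - buf) < opt_size) return -1;
    size_t base_off, ndirs_off, dir_off;
    switch (rd16(opt)) {                                            /* optional header Magic */
    case 0x10B: out->is_pe32 = 1; base_off = 28; ndirs_off = 92;  dir_off = 96;  break;
    case 0x20B: out->is_pe32 = 0; base_off = 24; ndirs_off = 108; dir_off = 112; break;
    default:    return -1;
    }
    if (opt_size < ndirs_off + 4) return -1;
    out->image_base = out->is_pe32 ? rd32(opt + base_off) : rd64(opt + base_off);
    uint32_t ndirs = rd32(opt + ndirs_off);                         /* NumberOfRvaAndSizes */
    if (ndirs > 5 && opt_size >= dir_off + 6 * 8) {
        uint32_t rva  = rd32(opt + dir_off + 5 * 8);
        uint32_t size = rd32(opt + dir_off + 5 * 8 + 4);
        out->has_reloc_dir = (rva != 0 && size != 0);
    }
    return 0;
}

/* The oddity from the note above: a 32-bit image preferring a kernel-space
 * base that the loader can nevertheless rebase because relocations are present. */
int pe_flag_kernel_base(const pe_info_t *i)
{
    return i->is_pe32 && i->image_base >= 0x80000000u && i->has_reloc_dir && !i->relocs_stripped;
}

/* Construct a minimal PE32 header (no sections, not executable) for the demo. */
size_t pe32_build_header(uint8_t *buf, size_t cap, uint32_t image_base,
                         uint32_t reloc_size, uint16_t characteristics)
{
    const size_t total = 0x40 + 4 + 20 + 224;   /* DOS header, signature, COFF, PE32 optional header */
    if (cap < total) return 0;
    memset(buf, 0, total);
    wr16(buf, 0x5A4D);
    wr32(buf + 0x3C, 0x40);                     /* e_lfanew */
    wr32(buf + 0x40, 0x00004550);
    uint8_t *coff = buf + 0x44;
    wr16(coff, 0x014C);                         /* IMAGE_FILE_MACHINE_I386 */
    wr16(coff + 16, 224);                       /* SizeOfOptionalHeader for PE32 */
    wr16(coff + 18, characteristics);
    uint8_t *opt = coff + 20;
    wr16(opt, 0x10B);                           /* PE32 magic */
    wr32(opt + 28, image_base);
    wr32(opt + 92, 16);                         /* NumberOfRvaAndSizes */
    wr32(opt + 96 + 5 * 8, reloc_size ? 0x1000 : 0);   /* .reloc RVA, arbitrary */
    wr32(opt + 96 + 5 * 8 + 4, reloc_size);
    return total;
}

/* Build, inspect and classify in one call; -1 if the header does not parse. */
int pe_check_sample(uint32_t image_base, uint32_t reloc_size, uint16_t characteristics)
{
    uint8_t buf[512];
    size_t n = pe32_build_header(buf, sizeof buf, image_base, reloc_size, characteristics);
    pe_info_t info;
    if (n == 0 || pe_inspect(buf, n, &info) != 0) return -1;
    return pe_flag_kernel_base(&info);
}
```

Characteristics 0x0102 is EXECUTABLE_IMAGE | 32BIT_MACHINE; setting bit 0 (RELOCS_STRIPPED) on the same header turns the flag off, because such a file could not be rebased and would not run at all.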
We are excited to announce the immediate availability of version 3.3 of
the Metasploit Framework. This release includes 446 exploits, 216
auxiliary modules, and hundreds of payloads, including an in-memory VNC
service and the Meterpreter. In addition, the Windows payloads now
support NX, DEP, IPv6, and the Windows 7 platform. More than 180 bugs
were fixed since last year’s release of version 3.2, making this one of
the best-tested releases yet.
- http://www.metasploit.com/framework/download/
Product Coverage
================
- Apple Safari 5.0.1 (7533.17.8) for Windows (at least XP, Vista and
Windows 7)
- Apple Safari 4.0.5 (531.22.7) for Windows (at least XP, Vista and
Windows 7)
Note: We only tested the above versions; other versions may also be
affected.
Below is the PoC code for CVE-2011-1999 (MS11-081) that accompanies my
blog article
"Reliable Windows 7 Exploitation: A Case Study"
http://ifsec.blogspot.com/2012/02/reliable-windows-7-exploitation-case.html
Some notes about the PoC code:
- The exploit uses a single vulnerability to both bypass ASLR and
execute the payload without requiring any non-ASLR module in memory.
- One tiny detail required for triggering the vulnerability has been
removed, so the exploit (as given below) should not work, even on
Luigi Auriemma
Application: Microsoft HTML Help
http://www.microsoft.com
Versions: <= 6.1
Platforms: Windows (any version, including the latest Windows 7)
Bug: stack overflow
Date: 12 Apr 2011 (found 20 Feb 2011)
Author: Luigi Auriemma
e-mail: aluigi@autistici.org
web: aluigi.org
Windows NT4 SP1
Windows Server 2003 SP2
Windows XP SP3
Windows Vista x32
Windows 7 x32 RC
However, all versions of Windows implementing NTLMv1 are suspected to be
affected.
Microsoft, in their "Microsoft Security Bulletin Advance Notification
Step 16: Delete any other temporary accounts you may have made during
the method.
VULNERABLE PRODUCTS:
All patch levels of Microsoft Windows 2000 Workstation, Windows 2000
Server, Windows 2003 Server, Windows XP, Windows Vista, Windows 7, and
Windows 2008 Server. (Windows Vista, Windows 7 and Windows 2008 Server
are harder to exploit because you cannot bring up an interactive
SYSTEM shell, but you can still dump the registry, edit the field,
then merge the registry back as SYSTEM to complete the method).
Issue 15 and the new Apple Quicktime flaw (Issue 22) to achieve a
complete JVM security sandbox bypass in a Windows OS environment. The
code targets 32-bit Java Plugin only (the default for 32-bit web
browsers) and Apple Quicktime 7.7.1. It has been successfully tested
with the following combination of Java SE, OS and web browsers:
- Windows XP SP3, Windows 7 HP 64-bit, Windows 7 Pro 32-bit,
- Mozilla Firefox 11.0, Internet Explorer 9.0, Opera 11.62,
- JRE / JDK 1.6 Update 31.
Issue 22 could not be exploited in a 64-bit JRE environment. This is
due to the fact that 32-bit web browsers do not seem to work with a
machine) to plant a malicious executable with a specific name on the local
drive and wait for this executable to get launched when another user logs
on to the virtual machine.
While this scenario is usually blocked on default VMware Tools
installations on Windows XP, Windows Vista and Windows 7 due to the
default file system ACLs, a non-administrative local attacker can launch
the attack against virtual machines where VMware Tools were installed in
non-default locations, e.g., on a non-system drive. Additionally, the
attack is always possible on pre-Windows XP systems such as Windows 2000.
4. *Vulnerable packages*
At least all supported versions of Windows were reported by Microsoft
to be vulnerable:
. Windows 7
. Windows Vista
. Windows Server 2008 R2
. Windows Server 2008
. Microsoft Windows XP
. Microsoft Windows Server 2003
#################
Versions Tested
#################
I have tested this issue on Win XP SP3 and a fully patched Windows 7.
Win XP SP3:
K-Meleon 1.5.3 & 1.5.4: vulnerable (crashes)
K-Meleon 1.6.0a4: vulnerable (crashes)
> I don't mean to be rude but you do realize that all XP OEMs ship in
> this manner? So rather than asking everyone to help you
> investigate, just list all OEM vendors that still ship XP builds and
> it might be more efficient for you.
>
> Which is why in Vista and Windows 7 as you set up the OEM build it
> strongly suggests you set up a password.
>
> With all due respect this is
>
> 1. Not new
Microsoft Internet Explorer 8
Microsoft Internet Explorer 7
Microsoft Internet Explorer 6
Microsoft Windows 7 (32-bit)
Microsoft Windows 7 (x64)
Microsoft Windows Server 2003 Service Pack 2
Microsoft Windows Server 2003 SP2 (Itanium)
Microsoft Windows Server 2003 x64 Edition Service Pack 2
Microsoft Windows Server 2008 (32-bit)
Hey man - hope all is well.
FYI, I tried your example file and by default nothing worked on Windows 7. The "loading an embedded file" says "this file is blocked"; the file spawn requires a script prompt with an "automation error" after that; the Windows control panel didn't launch at all; the files required me to save them, etc.
The text from the uri handler did work, but I'm not sure what the ramifications of that are. Oh, the Action Panel did show up.
I agree this isn't an "exploit" but I guess it is somewhat interesting. Of course, downloading random .chm files is akin to downloading any remote content-rendering document, except that .chm won't automatically run from the internet in the first place, even with your rendering code in it that must be accepted by the user to load in the first place.
As such (again, notwithstanding the mild interest around it) I'm confused by the "This was the response I expected" comment because if I read it right, it sounds as if you are being condemning for some reason. Are you saying "this is the response I expected" because it is the correct response and you are aware of what would be required to push out supported hotfixes for low impact issues, or are you saying "this is the response I expected" because you somehow think it SHOULD be hotfixed, but is not, and that is "typical" (as in "irresponsible") or something like that?
********************************************************************************
Vulnerable:
Windows Live Messenger 2009 on Windows Vista
Windows Live Messenger 2009 on Windows 7
Not Vulnerable:
Windows Live Messenger 2009 on Windows XP
Credits:
GreenBrowser is an IE-core-based browser. A specially crafted page can lead to the execution of shellcode. Using JavaScript to refresh the page lets the shellcode execute automatically after a press of F6.
A search bar exists in many browsers, used mostly for quick searches over different search engines such as Google and Bing. GreenBrowser defines the shortcut key F6 to search the content of the current web page (including content inside iframes) for the text in the search bar. After a press of F6 on a web page with an iframe pointing to a Flash or XML resource, GreenBrowser calls ieframe.dll!CFindEngine::DisconnectDocument and then mshtml.dll!CDocument::PrivateRelease. When the page is refreshed or closed, GreenBrowser calls mshtml.dll!CDocument::PrivateRelease again to release the iframe object. Since the CDocument object has already been released once, the second call to CDocument::PrivateRelease uses freed memory (which an attacker can fill with shellcode using a heap spray) as the virtual function table, leading to code execution. Advanced memory attack techniques such as heap feng shui or JIT spraying could be used to build a stable exploit.
A detailed analysis and a POC of this vulnerability could be downloaded from here:
http://www.hhjack.com.cn/report/GreenBrowserDF.rar (18.5 MB).
Old and latest versions of GreenBrowser have been tested under Windows 7 and Windows XP.
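An added example, not GreenBrowser's or Microsoft's code, that replays the reference-counting sequence described above in a small C model: a find engine that releases a document reference it never acquired (the F6 path), followed by the frame's own close-and-release on refresh. The object is only marked dead rather than really freed, so the stale virtual call through the vtable pointer at offset 0 is reported instead of executed; the function and field names are hypothetical stand-ins for CFindEngine and CDocument, and the balanced variant shows the fix (the engine takes its own reference before it ever releases one).

```c
#include <stddef.h>

enum { DOC_OK = 0, DOC_ERR_USE_AFTER_FREE = -1, DOC_ERR_DOUBLE_RELEASE = -2, DOC_ERR_STATE = -3 };

typedef struct doc doc_t;
struct doc_ops { int (*close)(doc_t *); };            /* stands in for the vtable */
struct doc { const struct doc_ops *ops; int refs; int freed; int closed; };

/* Simulated free: the object is marked dead instead of being returned to the
 * heap, so a later access is reported rather than reading sprayed memory. */
static int doc_release(doc_t *d)
{
    if (d->freed) return DOC_ERR_DOUBLE_RELEASE;
    if (--d->refs == 0) d->freed = 1;
    return DOC_OK;
}

/* Every virtual call dereferences the vtable pointer at offset 0, which is
 * exactly what a heap spray replaces once the real object has been freed. */
static int doc_vcall_close(doc_t *d)
{
    if (d->freed) return DOC_ERR_USE_AFTER_FREE;
    return d->ops->close(d);
}

static int doc_close_impl(doc_t *d) { d->closed = 1; return DOC_OK; }
static const struct doc_ops doc_vtbl = { doc_close_impl };

typedef struct { doc_t *doc; } find_engine_t;

/* F6 search: the engine attaches to the iframe's document. The fix is for it
 * to take a reference of its own here, so the disconnect below only drops
 * what the engine itself holds. */
static void find_engine_connect(find_engine_t *e, doc_t *d, int take_ref)
{
    e->doc = d;
    if (take_ref) d->refs++;
}

/* DisconnectDocument -> PrivateRelease: unbalanced when no reference was taken. */
static int find_engine_disconnect(find_engine_t *e)
{
    int rc = doc_release(e->doc);
    e->doc = NULL;
    return rc;
}

/* Refresh or close: the frame closes the document through its vtable and then
 * drops the frame's own reference (the second PrivateRelease). */
static int frame_teardown(doc_t *d)
{
    int rc = doc_vcall_close(d);
    if (rc != DOC_OK) return rc;
    return doc_release(d);
}

/* Replays the sequence from the advisory. engine_takes_ref = 0 models the bug,
 * 1 the balanced version. Returns DOC_OK or the first error detected. */
int greenbrowser_scenario(int engine_takes_ref)
{
    doc_t iframe_doc = { &doc_vtbl, 1, 0, 0 };     /* the frame holds the single reference */
    find_engine_t engine = { NULL };
    find_engine_connect(&engine, &iframe_doc, engine_takes_ref);
    int rc = find_engine_disconnect(&engine);      /* first release, on F6 */
    if (rc != DOC_OK) return rc;
    rc = frame_teardown(&iframe_doc);              /* vtable call, then second release */
    if (rc != DOC_OK) return rc;
    return (iframe_doc.freed && iframe_doc.closed) ? DOC_OK : DOC_ERR_STATE;
}
```

With the bug, the disconnect drops the count from 1 to 0 and the refresh's vtable call lands on a dead object; with a balanced AddRef the count goes 2, 1, 0 and the object is freed exactly once, after its last use.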
------------------------------------------------------------------
III. Impact
Code execution
------------------------------------------------------------------
IV. Affected
Hello,
On the occasion of the Windows 7 RTM release, the Security Research Lab would like to share some results on FireWire/DMA-based attacks against Windows 7, which is susceptible to them.
While the attack vector itself is already known from previous Windows versions, we also describe the impact of a FireWire-based Windows authentication bypass on Microsoft's full-disk encryption solution BitLocker, the Encrypting File System (EFS) and Windows domains. A comprehensive section on countermeasures at different layers concludes this whitepaper, which can be downloaded from:
http://www.securityresearch.at/publications/windows7_firewire_physical_attacks.pdf
Moreover, we have developed a software solution to protect against Firewire-based physical security attacks on Windows systems which is discussed in a separate whitepaper: