double clicking
> differentiate between code execution and document editing) doesn't
> exist.
I can partly agree with this for local attacks where an attacker places a
malicious file - be it .ppt or .exe - somewhere on the user's computer or
USB drive and gets the user to double-click it. With a remote attack of
this type, Windows Explorer will issue a security warning if you
double-click an .exe on a remote share, but will let you double-click
a .ppt without such a warning. It's hard to say what percentage of users
would actually be stopped by such a warning, but I'd consider it a part
of the security model.
Hi Thor,
Thanks to Microsoft's "defense in depth," double-clicking an .exe from a remote share
pops up a security warning. In contrast, double-clicking a data file that opens a
vulnerable application (which downloads and executes a .dll from the same share)
doesn't trigger such a security warning. You might argue that users don't care about
such warnings and you might be right.
On the upside (or downside, depending on one's role in this game), our researchers
have already found an attack vector for binary planting (a superset of dll hijacking)
content. Change your domain account password. Leave the SYSTEM shell
and regedit application open. Log off the workstation, and then log
back in to your domain account. Refresh the NL$ list. The NL$ value
whose contents changed is your domain account's cached logon record.
Step 6: For this example, we will assume that your NL$ record is "NL$4"
Step 7: Double-click "NL$4". Take note of the four hex characters
located in positions 1, 2, 3, and 4 on line 3 of the hex data.
Step 8: For this example, the hex characters are "5a 04". Read
little-endian, these two bytes are 0x045a = 1114, the RID of your
domain account. That is the same byte order used for every sub-authority
in the binary (octet string) representation of the account's objectSID
(The user account unique section of your AD
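As an added example (it is not part of the walkthrough above), the following Python decodes the binary "octet string" form of a SID and shows why the two bytes "5a 04" read off the NL$ record correspond to RID 1114: every sub-authority, the RID included, is stored as a 32-bit little-endian integer. The sample SID bytes are constructed for illustration and are not taken from a real directory.

```python
import struct


def sid_from_bytes(blob: bytes) -> str:
    """Decode a SID from its binary (objectSID octet string) form to S-1-... text.

    Layout: revision (1 byte), sub-authority count (1 byte), 48-bit identifier
    authority (big-endian), then `count` sub-authorities, each a 32-bit
    little-endian integer. The last sub-authority is the RID.
    """
    if len(blob) < 8:
        raise ValueError("SID too short")
    revision, count = blob[0], blob[1]
    if revision != 1 or len(blob) != 8 + 4 * count:
        raise ValueError("malformed SID")
    authority = int.from_bytes(blob[2:8], "big")
    subs = struct.unpack("<%dI" % count, blob[8:])
    return "S-%d-%d-%s" % (revision, authority, "-".join(str(s) for s in subs))


def sid_to_bytes(sid_text: str) -> bytes:
    """Inverse of sid_from_bytes; shows how a RID is laid out on disk."""
    parts = sid_text.split("-")
    if len(parts) < 3 or parts[0] != "S":
        raise ValueError("not a SID string")
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    out = bytes([revision, len(subs)]) + authority.to_bytes(6, "big")
    return out + struct.pack("<%dI" % len(subs), *subs)


def rid_from_regedit_hex(hex_pairs: str) -> int:
    """Interpret bytes exactly as regedit shows them ("5a 04") as a little-endian RID."""
    raw = bytes.fromhex(hex_pairs.replace(" ", ""))
    return int.from_bytes(raw, "little")


# Constructed sample: S-1-5-21-1000-2000-3000-1114 (not a real domain SID).
SAMPLE_SID_BYTES = bytes.fromhex(
    "01 05 00 00 00 00 00 05"  # revision 1, five sub-authorities, authority 5 (NT)
    "15 00 00 00"              # 21
    "e8 03 00 00"              # 1000  (domain part, constructed)
    "d0 07 00 00"              # 2000
    "b8 0b 00 00"              # 3000
    "5a 04 00 00"              # RID 1114: the "5a 04" the walkthrough points at
)


if __name__ == "__main__":
    sid = sid_from_bytes(SAMPLE_SID_BYTES)
    print(sid)                               # S-1-5-21-1000-2000-3000-1114
    print(rid_from_regedit_hex("5a 04"))     # 1114
    print(sid_to_bytes(sid)[-4:].hex(" "))   # 5a 04 00 00
```

The RID alone does not identify the account; it is the domain part of the SID (sub-authorities 21-x-y-z) plus the RID that is unique, which is why the walkthrough compares the value against the objectSID of the domain account.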
Ok, Dan, just for you:
Launch Internet Explorer 9 on Windows 7 (probably other IE/Win works too), go to File->Open (or press Ctrl+O), browse to Test.html and open it. No double-clicking and you couldn't launch an executable this way. Better?
Cheers,
Mitja
On Jul 8, 2011, at 9:10 PM, Dan Kaminsky <dan@doxpara.com> wrote:
> And here's where your exploit stops being one:
and even shares located on the Internet.
This vulnerability is exploitable through other products that F-Secure
products integrate with, most notably web browsers. One such example is the
combination of Mozilla Firefox and F-Secure Internet Security 2011. When
launched by double-clicking an .HTML file in Windows Explorer (or almost
any other popular file manager), Firefox is started with its current
working directory (CWD) set to the folder where that file resides. If F-
Secure Internet Security is installed, Firefox displays its toolbar and
allows the user to view and edit the "Browsing protection" settings. These
get launched by Firefox and inherit its CWD, but they also integrate a
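To make the CWD point concrete, here is an added Python model of the documented LoadLibrary search order (example code, not F-Secure's, Mozilla's or ACROS's, and it does not touch a real loader). The directory layout, the share name and the DLL names "planted.dll" and "helper.dll" are constructed for the demo. What it shows is that a DLL the application asks for but that is absent from every trusted directory gets picked up from the CWD, which after double-clicking a file on a share is that share, and how SetDllDirectory("") or the CWDIllegalInDllSearch policy from KB2264107 closes that path.

```python
from typing import Any, Dict, Optional, Set

# Documented DLL search order with SafeDllSearchMode on (the default since
# Windows XP SP2) and off. Both apply only after the loader has checked
# already-loaded modules and KnownDLLs, and before any manifest redirection.
SAFE_ORDER = ["app", "system32", "system16", "windows", "cwd", "path"]
UNSAFE_ORDER = ["app", "cwd", "system32", "system16", "windows", "path"]

CWD_REMOVED = 0xFFFFFFFF   # KB2264107: never search the CWD
CWD_BLOCK_REMOTE = 2       # KB2264107: skip the CWD when it is a remote folder


def is_remote(path: str) -> bool:
    r"""UNC paths (\\server\share) are the 'shares on the Internet' case."""
    return path.startswith("\\\\")


def cwd_searched(cwd: str, cwd_illegal: int, dll_dir_cleared: bool) -> bool:
    """Is the CWD part of the search, given the policy and SetDllDirectory("")?"""
    if dll_dir_cleared or cwd_illegal == CWD_REMOVED:
        return False
    if cwd_illegal == CWD_BLOCK_REMOTE and is_remote(cwd):
        return False
    return True


def resolve(dll: str, dirs: Dict[str, Any], files: Set[str],
            safe_mode: bool = True, cwd_illegal: int = 0,
            dll_dir_cleared: bool = False) -> Optional[str]:
    """Return the path the loader would pick for `dll`, or None if not found."""
    present = {f.lower() for f in files}
    for slot in (SAFE_ORDER if safe_mode else UNSAFE_ORDER):
        if slot == "cwd" and not cwd_searched(dirs["cwd"], cwd_illegal, dll_dir_cleared):
            continue
        candidates = dirs["path"] if slot == "path" else [dirs[slot]]
        for directory in candidates:
            full = directory.rstrip("\\") + "\\" + dll
            if full.lower() in present:
                return full
    return None


# Constructed layout: Firefox opened by double-clicking Test.html on a share.
DIRS = {
    "app": r"C:\Program Files\Mozilla Firefox",
    "system32": r"C:\Windows\System32",
    "system16": r"C:\Windows\System",
    "windows": r"C:\Windows",
    "cwd": r"\\attacker.example\share",
    "path": [r"C:\Windows\System32", r"C:\Windows"],
}
FILES = {
    r"C:\Program Files\Mozilla Firefox\firefox.exe",
    r"C:\Windows\helper.dll",
    r"\\attacker.example\share\Test.html",
    r"\\attacker.example\share\planted.dll",   # DLL the app asks for but never shipped
    r"\\attacker.example\share\helper.dll",    # shadow of a legitimate DLL
}


def demo() -> Dict[str, Optional[str]]:
    return {
        "missing_dll_default": resolve("planted.dll", DIRS, FILES),
        "missing_dll_policy2": resolve("planted.dll", DIRS, FILES, cwd_illegal=CWD_BLOCK_REMOTE),
        "missing_dll_cleared": resolve("planted.dll", DIRS, FILES, dll_dir_cleared=True),
        "shadowed_safe": resolve("helper.dll", DIRS, FILES, safe_mode=True),
        "shadowed_unsafe": resolve("helper.dll", DIRS, FILES, safe_mode=False),
    }


if __name__ == "__main__":
    for name, path in demo().items():
        print(f"{name:22} -> {path}")
```

The "shadowed" cases show why SafeDllSearchMode alone is not enough: it protects DLLs that exist in a system directory, but a DLL the application tries to load and that is installed nowhere still falls through to the CWD, which is exactly the binary-planting case.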
Object Linking and Embedding (OLE) allows embedding and linking to
documents and other objects. Embedding of arbitrary files is possible
through OLE Packages. Embedding a document as OLE Package can be as easy
as dragging and dropping the document in the target document, such as a
Microsoft Word document. The embedded document can be opened by double
clicking its icon. Most applications allow reformatting of OLE Packages,
i.e. changing the Package's icon and label.
http://www.akitasecurity.nl/advisory/AK20100601/004-ole_packages.png
Figure 4: OLE Package examples.
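Because an OLE Package can carry any file and its icon and label are attacker-chosen, triage should key on the object's ProgID rather than on what the icon looks like. The following Python is an added example, not code from the advisory: it builds a constructed minimal .docx in memory (two embedded objects, one of them a Package shown as an icon) and lists every OLE object in word/document.xml together with the embedding part it resolves to. The XML is reduced to the elements this check needs.

```python
import io
import re
import zipfile
from typing import Dict, List

OLEOBJECT_RE = re.compile(r"<o:OLEObject\b[^>]*>", re.I)
RELATIONSHIP_RE = re.compile(r"<Relationship\b[^>]*>")
ATTR_RE = re.compile(r'([\w:]+)="([^"]*)"')


def build_sample_docx() -> bytes:
    """Constructed minimal .docx (not a real document) with two embedded objects:
    an OLE Package shown as an icon, and an Excel sheet shown as content."""
    document_xml = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"'
        ' xmlns:o="urn:schemas-microsoft-com:office:office"'
        ' xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships">'
        "<w:body>"
        '<w:p><w:r><w:object><o:OLEObject Type="Embed" ProgID="Package"'
        ' DrawAspect="Icon" ObjectID="_1" r:id="rId5"/></w:object></w:r></w:p>'
        '<w:p><w:r><w:object><o:OLEObject Type="Embed" ProgID="Excel.Sheet.12"'
        ' DrawAspect="Content" ObjectID="_2" r:id="rId6"/></w:object></w:r></w:p>'
        "</w:body></w:document>"
    )
    rels_xml = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
        '<Relationship Id="rId5" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"'
        ' Target="embeddings/oleObject1.bin"/>'
        '<Relationship Id="rId6" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"'
        ' Target="embeddings/oleObject2.bin"/>'
        "</Relationships>"
    )
    ole2_stub = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 24  # OLE2 magic only
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("word/document.xml", document_xml)
        z.writestr("word/_rels/document.xml.rels", rels_xml)
        z.writestr("word/embeddings/oleObject1.bin", ole2_stub)
        z.writestr("word/embeddings/oleObject2.bin", ole2_stub)
    return buf.getvalue()


def embedded_objects(docx_bytes: bytes) -> List[Dict[str, str]]:
    """List every <o:OLEObject> in word/document.xml with its ProgID, draw
    aspect and the embedding part it resolves to through the .rels file."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        doc = z.read("word/document.xml").decode("utf-8", "replace")
        rels = z.read("word/_rels/document.xml.rels").decode("utf-8", "replace")
    targets: Dict[str, str] = {}
    for m in RELATIONSHIP_RE.finditer(rels):
        attrs = dict(ATTR_RE.findall(m.group(0)))
        targets[attrs.get("Id", "")] = attrs.get("Target", "")
    found = []
    for m in OLEOBJECT_RE.finditer(doc):
        attrs = dict(ATTR_RE.findall(m.group(0)))
        found.append({
            "progid": attrs.get("ProgID", ""),
            "aspect": attrs.get("DrawAspect", ""),
            "target": targets.get(attrs.get("r:id", ""), ""),
        })
    return found


def ole_packages(docx_bytes: bytes) -> List[Dict[str, str]]:
    """Packages are the generic 'any file' container; the icon and label are
    attacker-chosen, so the ProgID is what to key on, not the picture."""
    return [o for o in embedded_objects(docx_bytes) if o["progid"].lower() == "package"]


if __name__ == "__main__":
    sample = build_sample_docx()
    for obj in embedded_objects(sample):
        flag = "  <-- OLE Package" if obj["progid"].lower() == "package" else ""
        print(obj["progid"], obj["aspect"], obj["target"], flag)
```

The regex-based scan is deliberate: it does not need the document to be well-formed, which matters for samples that have been crafted to upset XML parsers. For the legacy binary .doc format the same information sits in the OLE2 container's ObjectPool storage rather than in XML, so this check applies to the Office Open XML flavour only.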
It is possible to remove the WebEx Meeting Manager component from
Microsoft Windows by using the Add or Remove Programs utility in the
Windows Control Panel:
1. In Windows, choose Start > Control Panel.
2. Double-click Add or Remove Programs.
3. Double-click WebEx.
4. In the pop-up menu, check the Meeting Manager box and click
Uninstall.
5. Follow the prompts to complete the uninstall process and restart
the system.
digital signature. As a consequence, it can be changed without
violating the integrity of the signed ODF document.
The real problem arises from the fact that this replicated,
unprotected data is used to build the first information
dialog the user sees after double-clicking the icon in the
status bar that indicates a valid signature, or after choosing
"File->Digital Signatures" from the menu.
Only when the user opens the certificate's details is the correct,
protected information decoded and thus certified
- -----------/
Analysis of the vulnerability
The above proof-of-concept file creates new events in the iCal
application. When a user double-clicks one of these events, the program
crashes on a write to the memory pointed to by EDI, which is 0 (a NULL
pointer). Only the value of EAX is under control; it must be less than
0x7fffffff and is taken from the following line of the PoC '.ics' file.
/-----------
RealPlayer 11 ActiveX DoS Proof-of-Concept :
:
:
-:PoC:- :
1- Copy and paste the following code into filepoc.wsf :
2- Run it by double clicking on it :
---------------------------------------------------snip-----------:
<?XML version='1.0' standalone='yes' ?>
<package><job id='DoneInVBS' debug='false' error='true'>
<object classid='clsid:CFCDAA03-8BE4-11CF-B84B-0020AFBBCCFA' id='target' />
<script language='vbscript'>
may also be affected.
V. WORKAROUND
On Windows, automatic exploitation by double-clicking such a file, or by
opening it through the browser, can be prevented by removing the file
association for JNLP files, i.e. by deleting the registry key for .jnlp
in the 'HKEY_CLASSES_ROOT' registry hive. However, if a user specifically
selects the Java Web Start application to open the JNLP file,
exploitation is still possible.
change the call esi if you need, must be alphabetic
I used a "call esi" from comctl32.dll on xp sp3,
change if needed.
Usage: php 9sg_illu.php
then double-click on the resulting 9sg.eps file
it will bind a shell on port 4444
change the shellcode for your needs even.
*/
Yipiya Ypipiya yah yeah. Here is a 0day! hurra mIRC pwns your Windozes! (ref. pdp)
send this to a user and make him double click on it (masquerade it with pink fore/background color and say 'free pr0n click here ->' it works all the time! damned perverts):
mailto:%xx../../../../../../../../../../../windows/system32/calc.exe".bat
Now the question is, should we say *0day* for a bug in a core element that is WELL KNOWN by everyone (reported months ago), and will be patched, or should we try to get credits for finding a *vector* as pdp did with the supposed *acrobat reader pdf bug* ?
Fame kills bugs.
5. In the BIOS section, click WinFlash for HP Notebook System BIOS. The version should be listed as a BIOS version from the table below or a later version.
6. Click the Download only button on the page to begin the download of the BIOS update. Save the file to a convenient folder on the PC.
7. Double-click the downloaded file to start the installation. Follow all prompts and restart the notebook when requested by the installation. Do not turn off the notebook until prompted to do so.
Note: It is recommended that the notebook PC use an AC adapter and be connected to the Internet with an Ethernet cable because interruptions in power or wireless connections may result in the download failing to install.
HP Compaq Business Notebook PC Models | HP SoftPaq Number | BIOS Version
file as there is no detection of malicious code.
Mitigation recommendations from Trend:
1. Open the ScanMail for Domino Configuration database
2. Go to Configurations > Policies
3. Double click on Default Mail Scan
4. Click on Scan Options Tab > Scan Restrictions
5. Tick "Exceed extracted file size" and set its action to one of the more secure options:
a. Quarantine
b. Delete
6. Set "maximum extracted file size" to the value you prefer
Exploitation of this vulnerability results in the execution of arbitrary
code with the privileges of the user opening the file. To exploit this
vulnerability, an attacker needs to convince a user to open a malicious
file. Usually, WordPad would not be associated with the .DOC file
extension, and would not open it when the file is double clicked.
However, by renaming the .doc file to a .wri extension (associated with
WordPad), it is possible to make WordPad open the file simply by double
clicking it.
IV. DETECTION
5. In the BIOS section, click WinFlash for HP Notebook System BIOS. The version should be listed as BIOS F.31 or a later version.
6. Click the Download only button on the page to begin the download of the BIOS update. Save the file to a convenient folder on the PC.
7. Double-click the downloaded file to start the installation. Follow all prompts and restart the notebook when requested by the installation. Do not turn off the notebook until prompted to do so.
Note: It is recommended that the notebook PC use an AC adapter and be connected to the Internet with an Ethernet cable because interruptions in power or wireless connections may result in the download failing to install.
PRODUCT SPECIFIC INFORMATION
None
After applying this workaround to software releases 1.5.1 and 2.2,
configTOOL version 3.1.0b1 is required to continue configuring Cisco
Network Building Mediator via configTOOL.
To start configTOOL, double-click the Cisco Network Building Mediator
configTOOL shortcut icon on the desktop, or choose Start > All
Programs > Network Building Mediator configTOOL. Connect to a Cisco
Network Building Mediator using the procedure as described in Cisco
Network Building Mediator User Guide at
http://www.cisco.com/en/US/docs/security/physical_security/cnbm/User/guide/CNBM__UG.pdf
And here's where your exploit stops being one:
===
Suppose the current version of Apple Safari (5.0.5) is our default web
browser. If we put the above files in the same directory (on a local
drive or a remote share) and double-click Test.html, what happens is
the following:
===
At this point, Test.html might actually be test.exe with the HTML icon
embedded. Everything else then is unnecessary obfuscation -- code
On 3 Oct 2007 16:06:29 -0000, jinc4fareijj@hotmail.com
<jinc4fareijj@hotmail.com> wrote:
> Yipiya Ypipiya yah yeah. Here is a 0day! hurra mIRC pwns your Windozes! (ref. pdp)
>
> send this to a user and make him double click on it (masquerade it with pink fore/background color and say 'free pr0n click here ->' it works all the time! damned perverts):
> mailto:%xx../../../../../../../../../../../windows/system32/calc.exe".bat
>
> Now the question is, should we say *0day* for a bug in a core element that is WELL KNOWN by everyone (reported months ago), and will be patched, or should we try to get credits for finding a *vector* as pdp did with the supposed *acrobat reader pdf bug* ?
>
> Fame kills bugs.
code with the privileges of the user opening the file. To exploit this
vulnerability, an attacker needs to convince a user to open a malicious
file. Usually, WordPad is associated with the .DOC file extension unless
Microsoft Word is installed. However, by renaming the .doc file to a
.wri extension, it is possible to make WordPad open the file simply by
double clicking it regardless of Microsoft Word being installed or not.
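Both versions of the advisory above turn on the same trick: the extension decides which application opens the file, while the bytes decide which parser runs. A check that catches the renaming is to sniff the container format from the leading bytes and compare it with what the extension promises. The following Python is an added example, not iDefense's or Microsoft's code; the sample blobs are constructed headers only, and the magic values are the OLE2 compound-document signature and the Microsoft Write wIdent field (0xBE31, or 0xBE32 with OLE objects, stored little-endian).

```python
from typing import Dict, Optional, Set

# Leading bytes of the formats WordPad handles.
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # compound document: Word 97+ .doc, .xls ...
WRITE_MAGICS = (b"\x31\xbe", b"\x32\xbe")          # Microsoft Write .wri (wIdent 0xBE31 / 0xBE32)
RTF_MAGIC = b"{\\rtf"

# Content types a well-behaved file with this extension may have.
EXPECTED: Dict[str, Set[str]] = {
    "wri": {"write"},
    "doc": {"ole2", "rtf"},   # Word saves RTF under .doc too, so allow both
    "rtf": {"rtf"},
}


def classify(data: bytes) -> str:
    """Sniff the container format from its leading bytes."""
    if data.startswith(OLE2_MAGIC):
        return "ole2"
    if data[:2] in WRITE_MAGICS:
        return "write"
    if data.startswith(RTF_MAGIC):
        return "rtf"
    return "unknown"


def extension_of(filename: str) -> Optional[str]:
    """Lower-cased extension of the last path component, or None."""
    name = filename.rsplit("\\", 1)[-1].rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else None


def extension_mismatch(filename: str, data: bytes) -> bool:
    """True when the extension promises a format the bytes do not deliver,
    e.g. a .wri that is really an OLE2 compound document (the renaming trick)."""
    ext = extension_of(filename)
    if ext not in EXPECTED:
        return False          # no opinion on extensions this table does not model
    return classify(data) not in EXPECTED[ext]


# Constructed samples: only the headers matter for this check.
OLE2_SAMPLE = OLE2_MAGIC + b"\x00" * 504            # first sector of a compound file
WRITE_SAMPLE = b"\x31\xbe\x00\x00" + b"\x00" * 92   # Write wIdent followed by zero padding
RTF_SAMPLE = b"{\\rtf1\\ansi Hello}"


if __name__ == "__main__":
    for name, blob in [("notes.wri", WRITE_SAMPLE), ("notes.wri", OLE2_SAMPLE),
                       ("memo.doc", OLE2_SAMPLE), ("memo.doc", RTF_SAMPLE)]:
        print(f"{name:10} {classify(blob):7} mismatch={extension_mismatch(name, blob)}")
```

A mismatch is not proof of malice (tools mislabel files all the time), but a .wri arriving by mail that is really a compound document is exactly the shape of the attack described, and the check is cheap enough to run at the gateway before the file reaches a desktop.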
IV. DETECTION
iDefense has confirmed the existence of this vulnerability in Wordpad on
Windows 2000 SP4. Windows XP SP3 is not affected. Vista and Server 2008
in ~/Library/Application Support/WebEx Folder/824 for systems
connected to servers running T26 and ~/Library/Application
Support/WebEx Folder/924 for systems connected to servers running
T27. The version can be obtained by browsing to the appropriate
folder in Finder and control-clicking the filename. When the menu
is displayed, select show package contents and then double-click
the Info.plist file. The version number is shown at the bottom of
the displayed table.
+-------------------------------------------------------------------------------+
| Bundle | T26 SP49 | T27 SP11 | T27 SP21 | T27 SP25 | T27 SP28 |
Note: JDK and JRE 5.0, SDK and JRE 1.4.2 and 1.3.1 are not affected.
V. WORKAROUND
On Windows, automatic exploitation by double-clicking such a file, or by
opening it through the browser, can be prevented by removing the file
association for JNLP files, i.e. by deleting the registry key for .jnlp
in the 'HKEY_CLASSES_ROOT' registry hive. If a user specifically
selects the Java Web Start application to open the JNLP file, however,
exploitation is still possible.
available. AOL recommends that you download and install the update to
get the best and most secure performance from AOL Radio. If you use AIM
or other AOL software, you will automatically receive a prompt to update
AOL Radio and you do not need to download and install this update now.
Otherwise, please download the update from the URL below and
double-click on the file to finish updating AOL Radio:
http://radaol-prod-web-rr.streamops.aol.com/mediaplugin/unagi_patch.exe
VII. CVE INFORMATION
<HostName>%s%s%s%s</HostName>
The bug has been verified in version 3.1.556 and beta 4.0.0.810. With
version 3.1.556 the client has to initiate a connection to trigger the
vulnerability, whereas with version 4.0.0.810 the bug can be triggered
simply by double-clicking the configuration file. This is because the
4.0 version writes the imported configuration to an extra debug log
before any connection is made.
Proof-of-concept: