
Re: Oracle 11g Password algorithm revealed

Alexander Kornbrust, CEO of Red Database Security GmbH and Oracle Database security expert, noticed that Oracle recently released Oracle Database 11g for Linux with a new password hashing algorithm. They did so to improve security by introducing case-sensitive passwords, in the year 2007! Alex asked us to figure out what kind of cryptographic algorithms and methods are actually used, because he'd like to update his Oracle Security Scanner.

We did, regardless of the expected nightmares, Fear and Laughing in Oracle.

Since Oracle is shipped as closed software and releases are provided as binary/executable programs only, we analyzed the Linux ELF binary executable files, because a Windows version of Oracle 11g does not seem to have been released yet.

This is what we messed around with:

setuid setgid ELF 32-bit LSB executable,
Intel 80386, version 1 (SYSV), for GNU/Linux 2.2.5, dynamically linked (uses

VMSA-2010-0007 VMware hosted products, vCenter Server and ESX patches resolve multiple security issues

    ESX            3.0.3     ESX      ESX303-201002203-UG
    ESX            2.5.5     ESX      Upgrade Patch 15

 b. Windows-based VMware Tools Arbitrary Code Execution vulnerability

    A vulnerability in the way VMware executables are loaded allows for
    arbitrary code execution in the context of the logged on user. This
    vulnerability is present only on Windows Guest Operating Systems.

    In order for an attacker to exploit the vulnerability, the attacker
    would need to be able to plant their malicious executable in a


NSOADV-2010-001: Panda Security Local Privilege Escalation

    d. Reboot

Upon reboot, the trojaned application will be executed under the LocalSystem
account.

Executable started as services:
+------------------------------
%ProgramFiles%\PANDA SOFTWARE\AVTC\PSKMsSvc.exe (Desktop only)
%ProgramFiles%\PANDA SOFTWARE\AVTC\PavSrv51.exe
%ProgramFiles%\PANDA SOFTWARE\AVTC\PavFnSvr.exe
%ProgramFiles%\PANDA SOFTWARE\AVTC\PSHost.exe

iDefense Security Advisory 06.04.08: Skype File URI Security Bypass Code Execution Vulnerability

Remote exploitation of a security policy bypass in Skype could allow an
attacker to execute arbitrary code in the context of the user.

The "file:" URI handler in Skype performs checks upon the URL to verify
that the link does not contain certain file extensions related to
executable file formats. If the link is found to contain a blacklisted
file extension, a security warning dialog is shown to the user. The
following file extensions are checked and considered dangerous by
Skype; .ade, .adp, .asd, .bas, .bat, .cab, .chm, .cmd, .com, .cpl,
.crt, .dll, .eml, .exe, .hlp, .hta, .inf, .ins, .isp, .js.


[UPDATE] NSOADV-2010-001: Panda Security Local Privilege Escalation

    d. Reboot

Upon reboot, the trojaned application will be executed under the LocalSystem
account.

Executable started as services:
+------------------------------
%ProgramFiles%\PANDA SOFTWARE\AVTC\PSKMsSvc.exe (Desktop only)
%ProgramFiles%\PANDA SOFTWARE\AVTC\PavSrv51.exe
%ProgramFiles%\PANDA SOFTWARE\AVTC\PavFnSvr.exe
%ProgramFiles%\PANDA SOFTWARE\AVTC\PSHost.exe

Moodle 1.9.3 Remote Code Execution

--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--

function tex_filter_get_cmd($pathname, $texexp) {
    $texexp = escapeshellarg($texexp);
    $executable = tex_filter_get_executable(false);

    if ((PHP_OS == "WINNT") || (PHP_OS == "WIN32") || (PHP_OS == "Windows")) {
        $executable = str_replace(' ', '^ ', $executable);
        return "$executable ++ -e  \"$pathname\" -- $texexp";
    }
    // remainder of the function is not included in this excerpt
}

DDIVRT-2008-11 BadBlue uninst.exe DoS

Digital Defense, Inc. Vulnerability Research Team
Credit: Steven James and r@b13$

Vulnerability Description
-------------------------
BadBlue is a web server used for peer-to-peer file sharing. By default, several executable files are stored in the web root: badblue.exe, uninst.exe, and dyndns.exe. Executable files stored in the web root of BadBlue can be launched remotely by any user. This can be leveraged to create a DoS condition by repeatedly invoking the uninst.exe executable. Because BadBlue has not released a patch for the previously documented directory traversal vulnerability (CVE-2007-6378), an attacker may use these two flaws in conjunction to place a malicious executable in the web root and compromise a vulnerable server.

Solution Description
--------------------
Restrict access to the executables already in the web root (badblue.exe, uninst.exe, and dyndns.exe) and take steps to ensure that users cannot write files to the web root.


[ MDVSA-2010:049 ] sudo

 A vulnerability has been found and corrected in sudo:
 
 sudo 1.6.x before 1.6.9p21 and 1.7.x before 1.7.2p4, when a
 pseudo-command is enabled, permits a match between the name of the
 pseudo-command and the name of an executable file in an arbitrary
 directory, which allows local users to gain privileges via a crafted
 executable file, as demonstrated by a file named sudoedit in a user's
 home directory (CVE-2010-0426).
 
 Packages for 2008.0 are provided for Corporate Desktop 2008.0

SEC Consult SA-20110810-0 :: Client-side remote file upload & command execution in Check Point SSL VPN On-Demand applications - CVE-2011-1827

The Check Point Deployment agent Java applet or ActiveX control have a
"Secure Workspace" (SWS) feature which is provided per default in
"sws.jar" (or "sws.cab"). This JAR-file is extracted to %TEMP%\SWS
(Windows) or /tmp/SWS (Linux). It includes the executable CPSWS.exe and
some other XML and DLL files (side note: it is no workaround to remove
"sws.jar" on the company Check Point Connectra appliance as this file
can also remotely be deployed or fetched).

Calling the public method "CreatePackageURL" it is possible for an

Akamai Download Manager arbitrary file download & execution

Telnet.exe

In a similar manner, if Internet Explorer (prior to IE7) loads a telnet
URL it will start the Telnet client using a relative path name. If an
executable named telnet.exe exists on the desktop, this executable will
be started instead of the real Telnet client. In Internet Explorer 7,
Microsoft disabled the use of telnet URLs (see also
http://msdn.microsoft.com/en-us/library/aa767741(VS.85).aspx).


ACROS Security: Local Binary Planting in VMware Tools for Windows (ASPR #2010-04-12-2)

Summary
=======

A "binary planting" vulnerability in VMware Tools for Windows allows a
local non-administrative attacker, under certain circumstances, to execute
a malicious executable on virtual Windows machines in the context of
logged-on users.


Product Coverage
================

Anonymous Remote Arbitrary Code Execution in Alien Arena 7.30

To properly orchestrate an attack and make it agnostic of the version of
Windows, an attacker would need to know a reliable return address that they can
use that satisfies the following conditions:
  1.    This address is constant across all versions of Windows.
  2.    The attacker can write code and data to this address.
  3.    Code at this address is readable and executable.

A global variable in Alien Arena's executable would be ideal for this situation
since the Alien Arena developers did not link this executable for ASLR or DEP.
Since it's a global variable and ASLR is disabled, the address will remain
constant across all versions of Windows for this version of Alien Arena, and

Outlook PR_ATTACH_METHOD file execution vulnerability

(simple) Windows shortcut. If a user double clicks such a message,
Outlook will open the link provided by the PR_ATTACH_PATHNAME or
PR_ATTACH_LONG_PATHNAME MAPI property.

Setting PR_ATTACH_PATHNAME to cmd.exe causes Outlook to search the PATH
environment variable for an executable named cmd.exe. If such a file is
found, this file will be executed. Normally this will result in a
command shell. The path name can be set to anything that is supported by
Windows, including UNC names (i.e.
\\servername\sharename\executable.exe) but also URLs (i.e.
http://www.akitasecurity.nl/advisory/RunCalc.exe). For URLs, Outlook

iDefense Security Advisory 12.18.07: ClamAV libclamav MEW PE File Integer Overflow Vulnerability

I. BACKGROUND

Clam AntiVirus is a multi-platform anti-virus toolkit released under the
GNU Public License. ClamAV is often integrated into e-mail gateways and
used to scan e-mail messages for viruses. PE, or portable executable,
is the executable file format on Microsoft Windows systems. MEW is one
of the many executable packers that is supported by ClamAV. More
information can be found on the vendor's website at the following URL.

http://www.clamav.net/

Quick Heal Local Privilege Escalation Vulnerability

Quick Heal Antivirus Plus 2009 for Desktop (v.10.00 SP1)
Quick Heal Total Security 2009 (v.10.00 SP1)

DETAILS

Quick Heal installs its own program files with insecure permissions (Everyone: Full Control). A local attacker (unprivileged user) can replace some files (for example, the executable files of Quick Heal services) with a malicious file and execute arbitrary code with SYSTEM privileges. This is a local privilege escalation vulnerability.

For example, in Quick Heal Antivirus Plus 2009 the following attack scenario could be used:
1. An attacker (unprivileged user) replaces one of the Quick Heal Antivirus program files with a malicious executable file. For example, the replaced file could be %Program Files%\Quick Heal\Quick Heal AntiVirus Plus\quhlpsvc.exe (Quick Update Service).
2. Restart the system.
After the restart, the attacker's malicious file will be executed with SYSTEM privileges.

[DSECRG-00143] SAP Crystal Reports 2008 - ActiveX insecure methods

 [DSECRG-11-002] (Internal DSECRG-00143) SAP Crystal Report Server 2008 scriptinghelpers.dll ActiveX component - Insecure methods

The component contains insecure methods by which you can overwrite any file in the OS, run the executable file, kill process, delete the file.

Application:            SAP Crystal Report Server 2008
Versions Affected:      SAP Crystal Report Server 2008
Vendor URL:             http://sap.com
Bugs:                   insecure methods
Exploits:               YES
Reported:               09.03.2010

Cisco Security Advisory: Cisco Secure Desktop ActiveX Control Code Execution Vulnerability

Details
=======

A Cisco-signed ActiveX control that is used by Cisco Secure Desktop
fails to properly verify the integrity of an executable file that is
used by the Cisco Secure Desktop installation process. If an attacker
can entice a user to visit an attacker controlled web page, the
vulnerable ActiveX control could be invoked to download an
attacker-modified package. The package could contain a malicious
executable file that executes with the privileges of the affected

ZDI-11-092: (0day) Cisco Secure Desktop CSDWebInstaller ActiveX Control Cleaner.cab Remote Code Execution Vulnerability

required to exploit this vulnerability in that the target must visit a
malicious page or open a malicious file.

The specific flaw exists within CSDWebInstaller.ocx. The
CSDWebInstallerCtrl ActiveX control allows downloading and executing any
Cisco-signed executable files. By renaming a Cisco-signed executable
file to inst.exe and putting it on a webserver, an attacker can
subsequently exploit vulnerabilities in the Cisco-signed executable file
remotely.

-- Vendor Response:

Cisco Security Advisory: Multiple Vulnerabilities in Cisco AnyConnect Secure Mobility Client

user's web browser. The helper application then downloads the Cisco
AnyConnect Secure Mobility Client from the VPN headend and executes
it.

The helper application fails to properly validate the authenticity of
the downloaded Cisco AnyConnect Secure Mobility Client executable
when the client is deployed from the VPN headend. An attacker could
create a malicious web page that looks like the normal VPN web login
page and entice a user, through social engineering or exploitation of
other vulnerabilities, to visit it. This would allow the attacker to
supply an arbitrary executable that the helper application would

n.runs-SA-2009.005 - Apple Safari - Information disclosure

Description:

Passing the file protocol handler to certain HTML allows local files to be
read.
On Windows it is possible to create an instance of Windows Explorer by
calling an executable file. Other operating systems were not tested.


In detail, the following flaw was determined:

- Safari fails to sanitize the file protocol handler thus leading to an

Rising Multiple Products Local Privilege Escalation Vulnerability

Rising Personal Firewall 2009 (21.62.04)
Prior versions may also be affected.

DETAILS

Rising installs its own program files with insecure permissions (Users: Full Control). A local attacker (unprivileged user) can replace some files (for example, the executable files of Rising services) with a malicious file and execute arbitrary code with SYSTEM privileges. This is a local privilege escalation vulnerability.
For example, in Rising Antivirus 2009 the following attack scenario could be used:
1. An attacker (unprivileged user) replaces one of the Rising Antivirus program files with a malicious executable file. For example, the replaced file could be %Program Files%\Rising\RAV\RavTask.exe (Rising RavTask Manager).
2. Restart the system.
After the restart, the attacker's malicious file will be executed with SYSTEM privileges.
The self-defense of Rising Antivirus will prevent all operations on Rising program files. It can be bypassed using internal shell dialogs in Rising Antivirus (for example, the "Save as" dialog in Tools -> Installer Creation Tool -> Browse).

getPlus insufficient domain name validation vulnerability

<param name="os" value="" />
</object>

The Service-URL parameter specifies the URL from which additional
configuration parameters are obtained, including the URL from which the
executable can be obtained. The other parameters are appended to this
URL and are used to supply additional information about the product that
has to be downloaded. The language and os parameters are automatically
set by the ActiveX control if they are not provided. The parameter
itemid is used to specify which product is to be downloaded. Multiple
products (multiple downloads) can be supplied using semicolon

Microsoft IIS 0Day Vulnerability in Parsing Files (semi-colon bug)

#Found by: Soroush Dalili (Irsdl {4t] yahoo [d0t} com)
#Website: Soroush.SecProject.com
#Weblog: Soroush.SecProject.com/blog/
#Thanks From: Mr. Ali Abbas Nejad, Mormoroth, Aria-Security Team, and other ethical hackers.
#Vulnerability/Risk Description:
 - IIS can execute any extension as an Active Server Page or any other executable extension. For instance, "malicious.asp;.jpg" is executed as an ASP file on the server. Many file uploaders protect the system by checking only the last section of the filename as its extension. By using this vulnerability, an attacker can bypass this protection and upload a dangerous executable file to the server.
#Impact Description:
 - The impact of this vulnerability is absolutely high, as an attacker can bypass file extension protections by using a semi-colon after an executable extension such as ".asp", ".cer", ".asa", and so on.
 - Many web applications are vulnerable to file upload attacks because of this weakness in IIS. In a measurement performed in summer 2008 on some of the well-known web applications, 70 percent of the secure file uploaders were bypassed by using this vulnerability.
#Method of Finding:
 - Simple fuzzer by using ASP language itself.

Critical PowerDNS Recursor Security Vulnerabilities: please upgrade ASAP to 3.1.7.2

Special 'upgrade option of last resort' (old systems)
-----------------------------------------------------
In addition, as a special service, we are also providing two precompiled
fully static Linux binaries as an 'upgrade option of last resort':

http://downloads.powerdns.com/releases/pdns_recursor-3.1.7.2.amd64.static.executable
http://downloads.powerdns.com/releases/pdns_recursor-3.1.7.2.i386.static.executable

These two binaries are suitable if our .deb or .rpm files somehow refuse to
load (which happens on RHEL version 3, for example).


Panda Security Software Local Privilege Escalation

Prior versions may also be affected.

DETAILS

Panda installs its own program files with insecure permissions (Everyone: Full Control). A local attacker (unprivileged user) can replace some files (for example, the executable files of Panda services) with a malicious file and execute arbitrary code with SYSTEM privileges. This is a local privilege escalation vulnerability.
For example, in Panda Antivirus Pro 2010 the following attack scenario could be used:

1. An attacker (unprivileged user) replaces one of the Panda Antivirus program files with a malicious executable file. For example, the replaced file could be %Program Files%\Panda Security\Panda Antivirus Pro 2010\TPSrv.exe (Panda TPSrv service).

2. Restart the system.

Re: overwriting SEH and debugging

This occurs because of a feature known as "SafeSEH". This is a new
compiler flag that creates a list of registered SEH handlers within each
executable and DLL. If your target executable was compiled with /SafeSEH
and you try to return into a module that has also been compiled with
this feature, but the address you chose is not in the list of registered
handlers, then the exception handling code will not transfer execution.

There are a few options to work around this:

1. On Windows 2003, prior to SP1, SafeSEH was essentially broken and you 

google apps googleapps.url.mailto:// uri handler cross-browser remote command execution exploit (IE)

[HKEY_CLASSES_ROOT\GoogleApps.Url.mailto\shell\open\command]
@="C:\\Programmi\\Google\\Google Apps\\googleapps.exe --mailto.google.com=\"%1\""

is possible, against all versions of Internet Explorer, by injecting the "--domain=" switch
for the googleapps.exe executable to pass arbitrary switches to the Google Chrome chrome.exe
executable (which is subsequently launched to open the Gmail pages),
for example the --renderer-path and --no-sandbox switches.
Through them it is possible to launch an arbitrary executable from the local system:



iDefense Security Advisory 04.14.08: ClamAV libclamav PE WWPack Heap Overflow Vulnerability

I. BACKGROUND

Clam AntiVirus is a multi-platform GPL anti-virus toolkit. ClamAV is
often integrated into e-mail gateways and used to scan e-mail traffic
for viruses. It supports virus scanning for a wide variety of packed
Portable Executable (PE) binaries. WWPack is one of the supported
packers. For more information visit the vendor's web site at the
following URL.

http://www.clamav.net/


Google Chrome Automatic File Download

Google's Chrome (BETA) allows files (e.g. executable files) to be automatically downloaded to the user's computer without any user prompt.
 
To check the flaw, open a URL that points to an executable file.
 
nerex


Copyright © 1995-2012 LinuxRocket.net. All rights reserved.