Date: Tue, 9 Dec 2008 00:07:57 +0800
From: "Li Gen" <superligen@...il.com>
To: bugtraq@...urityfocus.com
Cc: xhakerman2006@...oo.com
Subject: Re: RadAsm <=2.2.1.5 Local Command Execution

Hi,
    I don't think this is a vulnerability. If this is a vulnerability,
Makefile is also a vulnerability. Do you think so?
   Regards


2008/12/8 <xhakerman2006@...oo.com>
>
> ------------------------------------------------------------------
> vulnerability discovered by DATA_SNIPER.
> bug discovered in 25/11/2008.
> infected version:All Version
> greetz go to:www.at4re.com(Arab Team 4 Reverse Engineering),arab4services.net
> Critical: Highly critical
> Impact:Command Execution
> ------------------------------------------------------------------
> This is a little PoC that can execute an arbitrary command on the victim machine.
> In an unexpected way, the attacker can put a command in the project file (".rap" file) instead of the linker path or the Macro Assembler "ML.exe" path.
> The project file looks like this.
> "some data has been cut to make it readable"
> -------------------------------------
> project file structure
> [Project]
> Assembler=masm
> Type=Win32 App
> ......datat
> [Files]
> 1=file.Asm
> .....data
> [MakeFiles]
> 5=CRC Check.exe
> [MakeDef]
> Menu=1,1,1,1,1,1,1,1,0,0,0,0,0,0,0,0
> 1=4,O,$B\RC.EXE /v,1 <==Command Execution by replacing the original file path with the command
> 2=3,O,$B\ML.EXE /c /coff /Cp /nologo /I"$I",2  <==Command Execution by replacing the original file path with the command
> 3=5,O,$B\LINK.EXE /SUBSYSTEM:WINDOWS /RELEASE /VERSION:4.0 /LIBPATH:"$L" /OUT:"$5",3,4 <==Command Execution by replacing the original file path with the command
> 4=0,0,,5
> 5=rsrc.obj,O,$B\CVTRES.EXE,rsrc.res <==Command Execution by replacing the original file path with the command
> 7=0,0,"$E\OllyDbg",5
> 6=*.obj,O,$B\ML.EXE /c /coff /Cp /nologo /I"$I",*.asm
> 11=4,O,$B\RC.EXE /v,1   <==Command Execution by replacing the original file path with the command
> 12=3,O,$B\ML.EXE /c /coff /Cp /Zi /nologo /I"$I",2   <==Command Execution by replacing the original file path with the command
> 13=5,O,$B\LINK.EXE /SUBSYSTEM:WINDOWS /DEBUG /VERSION:4.0 /LIBPATH:"$L" /OUT:"$5",3,4 <==Command Execution by replacing the original file path with the command
> data.....
> [Resource]
> data.....and more data.
> ----------------------------------------------------------------------
> As you see, "<==Command Execution by replacing the original file name with the command" means that this type of data in the project is exploited as command execution by malicious people.
> When the user tries to compile the project, he will face the issue of executing a bad command in his operating system.
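
A defensive check for the project-file behaviour described in the quoted report, added here as an example and not part of either poster's message or of RadASM: before a `.rap` project is built, it lists `[MakeDef]` entries whose command is not one of the tools shown in the excerpt. The field layout (third comma-separated field is the command), the allowlist and the sample file are assumptions constructed for illustration.

```python
import re

# Assumption: the tools that appear in the [MakeDef] excerpt quoted above.
ALLOWED = {r"$b\rc.exe", r"$b\ml.exe", r"$b\link.exe", r"$b\cvtres.exe", r"$e\ollydbg"}
CHAINING = set("&|<>^")  # conservative: reject command-chaining characters too

def makedef_entries(text):
    """Yield (key, command) for numeric keys in the [MakeDef] section."""
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        key, sep, value = line.partition("=")
        if section != "makedef" or not sep or not key.strip().isdigit():
            continue  # skips other sections and non-numeric keys such as Menu=
        fields = value.split(",", 3)
        # Assumption: the third comma-separated field is the command line.
        if len(fields) >= 3 and fields[2].strip():
            yield key.strip(), fields[2].strip()

def executable(command):
    """First token of the command line, honouring double quotes."""
    m = re.match(r'"([^"]*)"|(\S+)', command)
    return (m.group(1) or m.group(2) or "").lower()

def audit(text):
    """Return [(key, command, reason)] for entries that need review."""
    findings = []
    for key, cmd in makedef_entries(text):
        if executable(cmd) not in ALLOWED:
            findings.append((key, cmd, "unexpected executable"))
        elif CHAINING & set(cmd):
            findings.append((key, cmd, "shell metacharacter"))
    return findings

# Constructed sample: entry 2 no longer points at $B\ML.EXE.
SAMPLE = r'''[Project]
Assembler=masm
[MakeDef]
Menu=1,1,1,1,1,1,1,1,0,0,0,0,0,0,0,0
1=4,O,$B\RC.EXE /v,1
2=3,O,C:\Temp\placeholder.exe /x,2
3=5,O,$B\LINK.EXE /SUBSYSTEM:WINDOWS /RELEASE /VERSION:4.0 /LIBPATH:"$L" /OUT:"$5",3,4
4=0,0,,5
7=0,0,"$E\OllyDbg",5
'''
```

Calling `audit(SAMPLE)` reports only entry 2; the same function can be run over a project received from an untrusted source before opening it in the IDE.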
