| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 12 Jun 2012 20:13:48 -0400 From: Boston Cyber Defense <lists@...toncyberdefense.com> To: bugtraq@...urityfocus.com, pen-test@...urityfocus.com, full-disclosure@...ts.grok.org.uk Subject: CVE-2012-1661 - ESRI ArcMap arbitrary code execution via crafted map file. Description: Opening a specially crafted mxd file will execute arbitrary code without prompting and without a crash of the application. This is due to a flaw in the programs ability to prompt a user before executing embedded VBA. Mxd files are not filtered by email systems so this allows a remote attacker to trick a user into opening a map file via email and unknowingly gain control over their system. Versions affected (maybe more): ArcMap 9 ArcGIS Desktop 10 Release Version: 10.0 Product Version: 10.0.1.2800 ArcGIS Service Pack: 1 (build 10.0.1.2800) ArcGIS Desktop 10 Release Version: 10.0 Product Version: 10.0.2.3200 ArcGIS Service Pack: 2 (build 10.0.2.3200) Proof of concept: If the following macro is implemented in the project the Shell statements will be executed when the document is opened without prompt. Private Function MxDocument_OpenDocument() As Boolean Shell "calc.exe", vbNormalFocus Shell "cmd /c start http://www.cs.umb.edu/~joecohen/exploits/CVE-2012-1661.htm", vbNormalFocus End Function Video at site: http://www.cs.umb.edu/~joecohen/exploits/CVE-2012-1661 _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists