Date: 9 Sep 2005 16:11:10 -0000
From: fRoGGz@...urityfocus.com
To: bugtraq@...urityfocus.com
Subject: KillProcess 2.20 and priors "FileDescription" Local Buffer
 Overflow Issue




VULNERABLE PRODUCT
------------------
Software: KillProcess
Platforms: Windows
Version: 2.20 and prior
Original advisory: http://sbox.nightmail.ru
--------------------------


BACKGROUND
----------
This funny application can terminate any Windows process with the click of a button. 
It can also prevent unwanted processes from ever executing by scanning the active 
process list for unwanted processes and terminating them on sight.
Source: http://orangelampsoftware.com


DESCRIPTION
-------------
A malicious .exe file with an overly long FileDescription string in its version
resource triggers a local buffer overflow, which allows attackers to execute arbitrary code.


PROOF OF CONCEPT
----------------
I've coded a 2,78 Ko PoC.
FileDescription has been set to A x 544 bytes.
PoC is available here: http://sbox.nightmail.ru/KillProc_PoC.exe

There is another little bug, but not really dangerous.
If you add an application to the kill list, then launch it. Ok, boom ...
But if you start the same process XX times at the same time, all applications will not be killed.


ANALYSIS
--------
Exploitation of the described vulnerability allows attackers to
execute arbitrary code under the context of the user who started Process Explorer.
Exploitation requires that an attacker convince a target user to view the properties of
a malicious executable file with a vulnerable version of Process Explorer.


VENDOR STATUS
-------------
Vendor has been contacted.


Thanks
------
Greets fly out to ATmaCA. This idea was first credited to Kozan.
It was on Jul 20 2005, for another software, so thanks to him ;)


CREDiTS
----------------------
SecuBox Labs - fRoGGz
web: secubox.teria.org
--------------------------
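
Added example, not part of the original advisory or the vendor's code: a defensive triage scan that finds FileDescription entries in a file's raw bytes and measures the real string length instead of trusting the header fields. The function names, the 256-character threshold and the sample blobs are assumptions made for this illustration; the raw-byte search is a heuristic, not a full PE resource parser.

```python
import struct

# "FileDescription" plus terminator, as stored in a version resource (UTF-16LE).
KEY = "FileDescription\0".encode("utf-16-le")
HEADER = struct.Struct("<3H")   # String entry: wLength, wValueLength, wType
MAX_CHARS = 256                 # assumed triage threshold, not from the advisory


def _measured_chars(data: bytes, off: int) -> int:
    """Count UTF-16 code units from off up to the terminator or end of data."""
    n = 0
    while off + 1 < len(data) and data[off:off + 2] != b"\0\0":
        n += 1
        off += 2
    return n


def file_descriptions(data: bytes) -> list[tuple[int, int]]:
    """Return (declared wValueLength, measured length) per FileDescription entry."""
    found = []
    pos = data.find(KEY)
    while pos != -1:
        start = pos - HEADER.size            # header sits directly before the key
        if start >= 0:
            _, declared, _ = HEADER.unpack_from(data, start)
            # Value begins at the next 32-bit boundary after header + key.
            value_off = start + ((HEADER.size + len(KEY) + 3) & ~3)
            # Measure the real string: the header's lengths are attacker-controlled.
            found.append((declared, _measured_chars(data, value_off)))
        pos = data.find(KEY, pos + 2)
    return found


def oversized(data: bytes, limit: int = MAX_CHARS) -> list[int]:
    """Measured lengths that exceed the limit; an empty list means nothing flagged."""
    return [measured for _, measured in file_descriptions(data) if measured > limit]


def build_entry(value: str) -> bytes:
    """Constructed sample input: one String entry as a resource compiler emits it."""
    val = (value + "\0").encode("utf-16-le")
    body = KEY + b"\0\0" + val               # two pad bytes align Value to 32 bits
    return HEADER.pack(HEADER.size + len(body), len(val) // 2, 1) + body


if __name__ == "__main__":
    for name, text in (("benign", "Text editor"), ("long", "A" * 544)):
        blob = b"MZ" + bytes(62) + build_entry(text)   # constructed, not a real PE
        print(name, file_descriptions(blob), oversized(blob))
```

A file whose declared and measured lengths disagree is worth a closer look even when it stays under the threshold.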

