lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <425692086.20060510001519@Zoller.lu>
Date: Wed, 10 May 2006 00:15:19 +0200
From: Thierry Zoller <Thierry@...ler.lu>
To: bugtraq@...urityfocus.com, cert@...t.org, dab@...sec.de, 
	<full-disclosure@...ts.grok.org.uk>, <ju@...sec.de>, <news@...se.de>, 
	<news@...unia.com>, <news@...uriteam.com>, <submission@...ketstorm.org>
Subject: [TZO-042006] Insecure Auto-Update and File
	execution


_______________________________________________________________________

        Zango Adware -  Insecure Auto-Update and File execution
_______________________________________________________________________


Reference : TZO-042006-Zango
Author    : Thierry Zoller
Advisory  : http://secdev.zoller.lu/research/zango.htm

Shameless Plug :
I would  like to take the opportunity to invite you to the
Security Conference known as "Hack.lu 2006" in the Grand-Duchy
of Luxembourg. More information at http://www.hack.lu
** See you there :)


I. Background
~~~~~~~~~~~~~

http://www.zangocash.com

"ZangoCash (formerly LOUDcash) is recognized around the world as one of
the best pay-per-install affiliate programs on the Internet. ZangoCash
is a subsidiary of 180solutions which also includes Zango and 
MetricsDirect . Every day, 7,500-10,000 ZangoCash affiliates distribute
our software to users who are then connected with more than 6,000 
MetricsDirect advertisers."


II. Description
~~~~~~~~~~~~~~~

After the acknowledgement of an License Agreement, during Startup, the 
bundled EXE contacts several servers and downloads the required Adware
components. The downloaded components are not checked for integrity 
or authenticity and are executed as soon as they are downloaded.

The following procedures are exploitable :

   1. Initial Install
   2. Auto-Update function

The condition is exploitable in the following scenarios (maybe you
know more?) :

   1. You have legitimate control over the DNS server
   2. You have compromised a DNS server
   3. You forge a cache poisoning attack against a vulnerable DNS server
   4. You have access to the machine and change the HOST file

Redirecting the hostname "static.zangocash.com" to an IP address under
your Control and creating the respective V-host allows you to install
any type of executable on the machine where zango is being installed
or currently is installed, in other words: You could potentially
compromise an internal network of a company if Zango is installed
on workstations (or servers - i've seen that) and one of the 4
aforementioned conditions are met.

See http://secdev.zoller.lu/research/zango.htm for more information

Why is this an Issue ?
~~~~~~~~~~~~~~~~~~~~~~
Especially the auto update function is a problem, imagine a DNS server 
not a split setup) is compromised or cache-poisened, every workstation 
with zango installed inside the company can be immediately compromised
as the Workstation tries to automaticaly download an update of Zango 
and fails to realise that instead of Zango it downloads and executes 
a Rootkit/Backdoor/"put anything here". 


III. Summary
~~~~~~~~~~~~~~~
Vendor contact : 01/02/2006
Vendor Response : 05/02/2006

Vendor Response :
No official statement, first I was asked to remove the webpage,
then I was allowed to keep it online, I was not given permission
to disclose the conversations that took place. I will respect
the rights of 0180 Solutions. 


Reference : TZO-042006-Zango
Author    : Thierry Zoller 
WWW       : http://secdev.zoller.lu



_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ