lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <20081208055445.20160.qmail@securityfocus.com>
Date: 8 Dec 2008 05:54:45 -0000
From: xhakerman2006@...oo.com
To: bugtraq@...urityfocus.com
Subject: RadAsm <=2.2.1.5 Local Command Execution

------------------------------------------------------------------
vulnerability discovered by DATA_SNIPER.
bug discovred in 25/11/2008.
infected version:All Version
greetz go to:www.at4re.com(Arab Team 4 Reverse Engineering),arab4services.net
Critical: Highly critical
Impact:Command Execution
------------------------------------------------------------------
this is litel POC that can execute arabitrary command in victime machine.
in unexpected way the attacker can put in the project file ".rap file" command instead of the linker path or  Macro Assembler "ML.exe" path.
project file look like this.
" some data has been cuted for making it readable"
-------------------------------------
project file structure
[Project]
Assembler=masm
Type=Win32 App
......datat
[Files]
1=file.Asm
.....data
[MakeFiles]
5=CRC Check.exe
[MakeDef]
Menu=1,1,1,1,1,1,1,1,0,0,0,0,0,0,0,0
1=4,O,$B\RC.EXE /v,1 <==Command Execution by replacing the original file path with the command
2=3,O,$B\ML.EXE /c /coff /Cp /nologo /I"$I",2  <==Command Execution by replacing the original file path with the command
3=5,O,$B\LINK.EXE /SUBSYSTEM:WINDOWS /RELEASE /VERSION:4.0 /LIBPATH:"$L" /OUT:"$5",3,4 <==Command Execution by replacing the original file path with the command
4=0,0,,5
5=rsrc.obj,O,$B\CVTRES.EXE,rsrc.res <==Command Execution by replacing the original file path with the command
7=0,0,"$E\OllyDbg",5
6=*.obj,O,$B\ML.EXE /c /coff /Cp /nologo /I"$I",*.asm
11=4,O,$B\RC.EXE /v,1   <==Command Execution by replacing the original file path with the command
12=3,O,$B\ML.EXE /c /coff /Cp /Zi /nologo /I"$I",2   <==Command Execution by replacing the original file path with the command
13=5,O,$B\LINK.EXE /SUBSYSTEM:WINDOWS /DEBUG /VERSION:4.0 /LIBPATH:"$L" /OUT:"$5",3,4 <==Command Execution by replacing the original file path with the command
data.....
[Resource]
data.....and more data.
----------------------------------------------------------------------
as you see " <==Command Execution breplacing the original file name with the command" this mean, that type of data in the project it's  exploited as command execution by malicious people.
and when the user try to compile the project will face the issue of executing bad command in his operating system.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ