lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Date: Thu, 20 Jan 2011 21:01:12 +0100
From: NSO Research <nso-research@...iriu.de>
To: full-disclosure@...ts.grok.org.uk, bugtraq@...urityfocus.com
Subject: NSOADV-2010-010: DATEV Multiple Applications DLL Hijacking Vulnerability

______________________________________________________________________
-------------------------- NSOADV-2010-010 ---------------------------

      DATEV Multiple Applications DLL Hijacking Vulnerability
______________________________________________________________________
______________________________________________________________________

                               111101111
                        11111 00110 00110001111
                   111111 01 01 1 11111011111111
                11111  0 11 01 0 11 1 1  111011001
             11111111101 1 11 0110111  1    1111101111
           1001  0 1 10 11 0 10 11 1111111  1 111 111001
         111111111 0 10 1111 0 11 11 111111111 1 1101 10
        00111 0 0 11 00 0 1110 1 1011111111111 1111111 11  100
       10111111 0 01 0  1 1 111110 11 1111111111111  11110000011
       0111111110 0110 1110 1 0 11101111111111111011 11100  00
       01111 0 10 1110 1 011111 1 111111111111111111111101 01
       01110 0 10 111110 110 0 11101111111111111111101111101
      111111 11 0 1111 0 1 1 1 1 111111111111111111111101 111
      111110110 10 0111110 1 0 0 1111111111111111111111111 110
    111 11111 1  1 111 1   10011 101111111111011111111 0   1100
   111 10  110 101011110010   11111111111111111111111 11 0011100
   11 10     001100     0001      111111111111111111 10 11 11110
  11110       00100      00001     10 1  1111  101010001 11111111
  11101        0  1011     10000    00100 11100        00001101 0
  0110         111011011             0110   10001        101 11110
  1011                 1             10 101   000001        01   00
   1010 1                              11001      1 1        101  10
      110101011                          0 101                 11110
            110000011
                      111
______________________________________________________________________
______________________________________________________________________

  Title:                  DATEV Multiple Applications DLL Hijacking
                          Vulnerability
  Severity:               Medium/High
  Advisory ID:            NSOADV-2010-010
  Found Date:             25.08.2010
  Date Reported:          30.08.2010
  Release Date:           20.01.2011
  Author:                 Nikolas Sotiriu
  Mail:                   nso-research at sotiriu.de
  Website:                http://sotiriu.de/
  Twitter:                http://twitter.com/nsoresearch
  Advisory-URL:           http://sotiriu.de/adv/NSOADV-2010-010.txt
  Vendor:                 DATEV (http://www.datev.de/)
  Affected Products:      DATEV Base System (Grundpaket Basis CD23.20)
  Affected Component:     - DMTGUI2.EXE
                          - DvInesLogFileViewer.Exe

  Remote Exploitable:     Yes (via WEB-DAV)
  Local Exploitable:      Yes
  Patch Status:           Vendor released a patch (See Solution)
  Discovered by:          Nikolas Sotiriu
  Disclosure Policy:      http://sotiriu.de/policy.html
  Thanks to:              Thierry Zoller: For the permission to use his
                                          Policy



Background:
===========

DATEV eG is a German Company, which makes Software for tax advisors and
lawyers.

The affected Base System has to be installed on all systems that
need DATEV Software.



Description:
============

The DATEV Base System (Grundpaket Basis) installes multiple applications,
which are vulnerable to the Insecure DLL Hijacking Vulnerability.

The following applications pass an insufficiently qualified path in
loading external libraries.


DMTGUI2.EXE
+----------
Extensions: dmt
Library:    DVBSKNLANG101.dll


DvInesLogFileViewer.Exe
+----------------------
Extensions: adl, c02, dof, jrf
Library:    DvZediTermSrvInfo004.dll



Proof of Concept :
==================

Metasploit:
msfpayload windows/exec CMD=calc.exe D > <name>.dll



Solution:
=========

Install Programm-DVD 25.0



References:
===========

Workaround Solution: http://support.microsoft.com/kb/2264107

Exploiting DLL Hijacking Flaws:
http://blog.metasploit.com/2010/08/exploiting-dll-hijacking-flaws.html



Disclosure Timeline (YYYY/MM/DD):
=================================

2010.08.25: Vulnerability found
2010.08.30: Sent PoC, Advisory, Disclosure policy and planned disclosure
            date (2010.09.09) to Vendor
2010.08.30: Initial vendor response
2010.09.07: Vendor wishes to delay the release to the 2010.10.28.
2010.09.07: Changed release date to 2010.10.28.
2010.10.26: Patch is finished. Vendor wishes to delay the release to 2011.
2010.10.26: Changed release date to 2011.01.06.
2011.01.04: Vendor wishes to delay the release again.
2011.01.12: Changed release date to 2011.01.20.
2011.01.20: Release of Advisory











Powered by blists - more mailing lists