lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-Id: <EE49AE75-1179-4EA3-B3A0-4034B25F6999@gmail.com>
Date: Sun, 12 Sep 2010 16:03:37 -0400
From: Zach C <fxchip@...il.com>
To: YGN Ethical Hacker Group <lists@...g.net>
Cc: "vuln@...urity.nnov.ru" <vuln@...urity.nnov.ru>,
	"vuln@...unia.com" <vuln@...unia.com>,
	"news@...uriteam.com" <news@...uriteam.com>,
	"secalert@...urityreason.com" <secalert@...urityreason.com>,
	"bugs@...uritytracker.com" <bugs@...uritytracker.com>,
	"full-disclosure@...ts.grok.org.uk" <full-disclosure@...ts.grok.org.uk>,
	"bugtraq@...urityfocus.com" <bugtraq@...urityfocus.com>
Subject: Re: gDoc Fusion version 2.5.1 <= Insecure DLL
	Hijacking Vulnerability (wintab32.dll, ssleay32.dll)

tl;dr everything is vulnerable to dll hijacking zomg we are all going to be pwned.

Ye gods these are irritating. I suppose I should filter them but damn.

On Sep 12, 2010, at 3:53 PM, YGN Ethical Hacker Group <lists@...g.net> wrote:

> 1. OVERVIEW
> 
> The gDoc Fusion application is vulnerable to Insecure DLL Hijacking
> Vulnerability. Similar terms that describe this vulnerability have
> been come up with Remote Binary Planting, and Insecure DLL
> Loading/Injection/Hijacking/Preloading.
> 
> 
> 2. PRODUCT DESCRIPTION
> 
> gDoc Fusion makes it simple and quick to compile a single document
> from multiple different PC files. Just drag the
> documents--presentations, spreadsheets, written documents, images,
> PDF, and more than 200 other file types--into Fusion; flip through
> them quickly with FlickView browser; pick the pages you want and
> arrange them in any order you like; if you wish, add comments, make
> small text edits, or redact information; and Save the finished
> documents in either Word or PDF format. You don't have to do any
> formatting or conversion--gDoc Fusion handles it all for you. Also
> includes free ultilty for multi-format document viewing and PDF
> creation.
> 
> 
> 3. VULNERABILITY DESCRIPTION
> 
> The gDoc Fusion application passes an insufficiently qualified path in
> loading its external libraries -
> "wintab32.dll, ssleay32.dll" when a user opens its associated file
> with extensions - dwfx, jtx, pdf, xps .
> 
> 
> 4. VERSIONS AFFECTED
> 
> 2.5.1 and probably lower versions
> 
> 
> 5. PROOF-OF-CONCEPT/EXPLOIT
> 
> http://core.yehg.net/lab/pr0js/advisories/dll_hijacking/gdocfusion/poc/movie/gdocfusion_2.5.1-dll-hijacking.mp4
> http://core.yehg.net/lab/pr0js/advisories/dll_hijacking/gdocfusion/poc/gdocfusion_2.5.1-dll-hijacking-poc.zip
> 
> Tested Platform: Windows XP Service Pack 3 (Fresh Windows)
> 
> 
> 6. IMPACT
> 
> Attackers can trigger a successful exploit against a victim user in a
> number of ways such as placing a malicious external
> library file made as hidden attribute and a seemingly interesting file
> in network shares, usb drives, file sharing networks,
> social networks, ..etc    
> 
> 
> 7. SOLUTION
> 
> Fixed version from the vendor has not been released yet.
> However, it is suggested that the following workarounds be deployed by
> users to protect increasing mass exploitation of this
> vulnerability class:
> - Disable loading of libraries from WebDAV and remote network shares
> - Disable the WebClient service
> Please see workaround solution links in References section.
> 
> 
> 8. VENDOR
> 
> Global Graphics Software Ltd.
> http://www.globalgraphics.com/en/gdoc/gdoc-fusion
> 
> 
> 9. CREDIT
> 
> This vulnerability was discovered by Aung Khant, http://yehg.net, YGN
> Ethical Hacker Group, Myanmar.
> 
> 
> 10. DISCLOSURE TIME-LINE
> 
> 09-13-2010: notified vendor
> 09-13-2010: vulnerability disclosed
> 
> 
> 11. REFERENCES
> 
> Original Advisory URL:
> http://core.yehg.net/lab/pr0js/advisories/dll_hijacking/[gdocfusion]_2.5.1_insecure_dll_hijacking
> Workaround Solution: http://support.microsoft.com/kb/2264107
> Workaround Solution:
> https://www.microsoft.com/technet/security/advisory/2269637.mspx#EGF
> Developer Solution:
> http://msdn.microsoft.com/en-us/library/ff919712%28v=VS.85%29.aspx
> Unofficial DLL Hijacking List:
> http://www.corelan.be:8800/index.php/2010/08/25/dll-hijacking-kb-2269637-the-unofficial-list/
> Testing for DLL Hijacking:
> http://core.yehg.net/lab/pr0js/view.php/when_testing_for_dll_hijacking.txt
> 
> #yehg [09-13-2010]
> 
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/

Content of type "text/html" skipped

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ