[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <AANLkTimjkqXiKsKsYFYu3TyzCLzW_jekheG7qP-zq330@mail.gmail.com>
Date: Mon, 13 Sep 2010 04:09:09 +0800
From: Jacky Jack <jacksonsmth698@...il.com>
To: Zach C <fxchip@...il.com>
Cc: "vuln@...urity.nnov.ru" <vuln@...urity.nnov.ru>,
"vuln@...unia.com" <vuln@...unia.com>,
"news@...uriteam.com" <news@...uriteam.com>,
"secalert@...urityreason.com" <secalert@...urityreason.com>,
"full-disclosure@...ts.grok.org.uk" <full-disclosure@...ts.grok.org.uk>,
"bugs@...uritytracker.com" <bugs@...uritytracker.com>,
"bugtraq@...urityfocus.com" <bugtraq@...urityfocus.com>
Subject: Re: gDoc Fusion version 2.5.1 <= Insecure DLL
Hijacking Vulnerability (wintab32.dll, ssleay32.dll)
Damn! Everything is f**king dll hijacked!
On Mon, Sep 13, 2010 at 4:03 AM, Zach C <fxchip@...il.com> wrote:
> tl;dr everything is vulnerable to dll hijacking zomg we are all going to be
> pwned.
> Ye gods these are irritating. I suppose I should filter them but damn.
> On Sep 12, 2010, at 3:53 PM, YGN Ethical Hacker Group <lists@...g.net>
> wrote:
>
> 1. OVERVIEW
>
> The gDoc Fusion application is vulnerable to Insecure DLL Hijacking
> Vulnerability. Similar terms that describe this vulnerability have
> been come up with Remote Binary Planting, and Insecure DLL
> Loading/Injection/Hijacking/Preloading.
>
>
> 2. PRODUCT DESCRIPTION
>
> gDoc Fusion makes it simple and quick to compile a single document
> from multiple different PC files. Just drag the
> documents--presentations, spreadsheets, written documents, images,
> PDF, and more than 200 other file types--into Fusion; flip through
> them quickly with FlickView browser; pick the pages you want and
> arrange them in any order you like; if you wish, add comments, make
> small text edits, or redact information; and Save the finished
> documents in either Word or PDF format. You don't have to do any
> formatting or conversion--gDoc Fusion handles it all for you. Also
> includes free ultilty for multi-format document viewing and PDF
> creation.
>
>
> 3. VULNERABILITY DESCRIPTION
>
> The gDoc Fusion application passes an insufficiently qualified path in
> loading its external libraries -
> "wintab32.dll, ssleay32.dll" when a user opens its associated file
> with extensions - dwfx, jtx, pdf, xps .
>
>
> 4. VERSIONS AFFECTED
>
> 2.5.1 and probably lower versions
>
>
> 5. PROOF-OF-CONCEPT/EXPLOIT
>
> http://core.yehg.net/lab/pr0js/advisories/dll_hijacking/gdocfusion/poc/movie/gdocfusion_2.5.1-dll-hijacking.mp4
> http://core.yehg.net/lab/pr0js/advisories/dll_hijacking/gdocfusion/poc/gdocfusion_2.5.1-dll-hijacking-poc.zip
>
> Tested Platform: Windows XP Service Pack 3 (Fresh Windows)
>
>
> 6. IMPACT
>
> Attackers can trigger a successful exploit against a victim user in a
> number of ways such as placing a malicious external
> library file made as hidden attribute and a seemingly interesting file
> in network shares, usb drives, file sharing networks,
> social networks, ..etc
>
>
> 7. SOLUTION
>
> Fixed version from the vendor has not been released yet.
> However, it is suggested that the following workarounds be deployed by
> users to protect increasing mass exploitation of this
> vulnerability class:
> - Disable loading of libraries from WebDAV and remote network shares
> - Disable the WebClient service
> Please see workaround solution links in References section.
>
>
> 8. VENDOR
>
> Global Graphics Software Ltd.
> http://www.globalgraphics.com/en/gdoc/gdoc-fusion
>
>
> 9. CREDIT
>
> This vulnerability was discovered by Aung Khant, http://yehg.net, YGN
> Ethical Hacker Group, Myanmar.
>
>
> 10. DISCLOSURE TIME-LINE
>
> 09-13-2010: notified vendor
> 09-13-2010: vulnerability disclosed
>
>
> 11. REFERENCES
>
> Original Advisory URL:
> http://core.yehg.net/lab/pr0js/advisories/dll_hijacking/[gdocfusion]_2.5.1_insecure_dll_hijacking
> Workaround Solution: http://support.microsoft.com/kb/2264107
> Workaround Solution:
> https://www.microsoft.com/technet/security/advisory/2269637.mspx#EGF
> Developer Solution:
> http://msdn.microsoft.com/en-us/library/ff919712%28v=VS.85%29.aspx
> Unofficial DLL Hijacking List:
> http://www.corelan.be:8800/index.php/2010/08/25/dll-hijacking-kb-2269637-the-unofficial-list/
> Testing for DLL Hijacking:
> http://core.yehg.net/lab/pr0js/view.php/when_testing_for_dll_hijacking.txt
>
> #yehg [09-13-2010]
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists