lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <58DB1B68E62B9F448DF1A276B0886DF192FD86BC@EX2010.hammerofgod.com>
Date: Fri, 2 Sep 2011 20:55:35 +0000
From: "Thor (Hammer of God)" <thor@...merofgod.com>
To: Mario Vilas <mvilas@...il.com>, "full-disclosure@...ts.grok.org.uk"
	<full-disclosure@...ts.grok.org.uk>
Subject: Re: Cybsec Advisory 2011 0901 Windows Script Host
 DLL Hijacking

LOL.  "Warning, if you get the user to execute code, then it is possible to get the user to execute code!!  All you have to do is get files on their system, and then get them to execute those files!   Note that once you get the user to execute the code, it will actually run in the context of that user!!  This is remote code execution vulnerability!"

Welcome to today's Infosec!

t

From: full-disclosure-bounces@...ts.grok.org.uk [mailto:full-disclosure-bounces@...ts.grok.org.uk] On Behalf Of Mario Vilas
Sent: Friday, September 02, 2011 1:06 PM
To: full-disclosure@...ts.grok.org.uk
Subject: Re: [Full-disclosure] Cybsec Advisory 2011 0901 Windows Script Host DLL Hijacking

Are you guys seriously reporting that double clicking on a malicious .vbs file could lead to remote code execution? :P

Either I'm missing something (and I'd welcome a rebuttal here!) or you might as well add .exe to that list. All those extensions are already executable.
On Fri, Sep 2, 2011 at 7:35 PM, CYBSEC Labs <cybseclabs@...sec.com<mailto:cybseclabs@...sec.com>> wrote:
Advisory Name: Windows Script Host DLL Hijacking

Internal Cybsec Advisory Id:
2011-0901-Windows Script Host DLL Hijacking

Vulnerability Class:
Remote Command Execution Vulnerability

Release Date:
September 2, 2011

Affected Applications:
Windows Script Host v5.6; other versions may also be affected

Affected Platforms:
Any running Windows Script Host v5.6

Local / Remote:
Remote / Local

Severity:
High - CVSS: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)

Researcher:
Juan Manuel Garcia

Vendor Status:
Acknowedged

Reference to Vulnerability Disclosure Policy
: http://www.cybsec.com/vulnerability_policy.pdf

Vulnerability Description:

DLL Hijacking takes advantage of the way an application dynamically

loads dll libraries without specifying a fully qualified path. This is

usually done invoking the LoadLibrary and LoadLibraryEx functions to

dynamically load DLLs.

In order to exploit this vulnerability a user must open a file with an

extension associated to the vulnerable application. A malicious dll,

named exactly as a dll the apllications loads using the vulnerable

function, must be placed in the same directory as the opened file.

The application will then load the malicious dll instead of the

original, thus executing the malicious code.

The following application loads external libraries following an insufficiently qualified path.
Application: wscript.exe
Extensions: js, jse, vbe, vbs, wsf, wsh
Library: wshesn.dll

Exploit:
Option 1 - Using the "msfpayload" Metasploit module as shown below:

msfpayload windows/exec CMD=calc.exe D > exploit.dll
Option 2 - Using the "webdav_dll_hijacker" Metasploit module.

Impact:

A successful exploit of this vulnerability leads to arbitrary code execution.

Vendor Response:

2011/08/09 - Vulnerability was identified.

2011/08/19 - Cybsec sent detailed information on the issue and a Proof of Concept.

2011/08/19 - Vendor stated: "As a matter of policy, we cannot comment on ongoing investigations".

2011/08/19 - Vendor was informed that the security advisory would be published after 15 days.

2011/09/02 - Vulnerability was released.

Contact Information:

For more information regarding the vulnerability feel free to contact the researcher at

jmgarcia <at> cybsec <dot> com

About CYBSEC S.A. Security Systems

Since 1996,
CYBSEC is engaged exclusively in rendering professional services specialized in

Information Security. Their area of services covers Latin America, Spain and over 250 customers are a

proof of their professional life.

To keep objectivity, CYBSEC S.A. does not represent, neither sell, nor is associated with other

software and/or hardware provider companies.

Our services are strictly focused on Information Security, protecting our clients from emerging security

threats, maintaining their IT deployments available, safe, and reliable.

Beyond professional services, CYBSEC is continuously researching new defense and attack techniques

and contributing with the security community with high quality information exchange.

For more information, please visit www.cybsec.com<http://www.cybsec.com>

(c) 2011 - CYBSEC S.A. Security Systems

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/



--
"There's a reason we separate military and the police: one fights the enemy of the state, the other serves and protects the people. When the military becomes both, then the enemies of the state tend to become the people."

Content of type "text/html" skipped

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ