[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <4E614E7D.1030204@fibertel.com.ar>
Date: Fri, 02 Sep 2011 18:45:33 -0300
From: root <root_@...ertel.com.ar>
To: full-disclosure@...ts.grok.org.uk
Subject: Re: Cybsec Advisory 2011 0901 Windows Script Host
DLL Hijacking
You don't get the worst part: unsuccessful exploitation also leads to
code execution.
Scary stuff.
On 09/02/2011 05:05 PM, Mario Vilas wrote:
> Are you guys seriously reporting that double clicking on a malicious .vbs
> file could lead to remote code execution? :P
>
> Either I'm missing something (and I'd welcome a rebuttal here!) or you might
> as well add .exe to that list. All those extensions are already executable.
>
> On Fri, Sep 2, 2011 at 7:35 PM, CYBSEC Labs <cybseclabs@...sec.com> wrote:
>
>> **
>> Advisory Name: Windows Script Host DLL Hijacking
>>
>> Internal Cybsec Advisory Id:
>> 2011-0901-Windows Script Host DLL Hijacking
>>
>> Vulnerability Class:
>> Remote Command Execution Vulnerability
>>
>> Release Date:
>> September 2, 2011
>>
>> Affected Applications:
>> Windows Script Host v5.6; other versions may also be affected
>>
>> Affected Platforms:
>> Any running Windows Script Host v5.6
>>
>> Local / Remote:
>> Remote / Local
>>
>> Severity:
>> High – CVSS: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)
>>
>> Researcher:
>> Juan Manuel Garcia
>>
>> Vendor Status:
>> Acknowedged
>>
>> Reference to Vulnerability Disclosure Policy
>> : http://www.cybsec.com/vulnerability_policy.pdf
>>
>> Vulnerability Description:
>>
>> DLL Hijacking takes advantage of the way an application dynamically
>>
>> loads dll libraries without specifying a fully qualified path. This is
>>
>> usually done invoking the LoadLibrary and LoadLibraryEx functions to
>>
>> dynamically load DLLs.
>>
>> In order to exploit this vulnerability a user must open a file with an
>>
>> extension associated to the vulnerable application. A malicious dll,
>>
>> named exactly as a dll the apllications loads using the vulnerable
>>
>> function, must be placed in the same directory as the opened file.
>>
>> The application will then load the malicious dll instead of the
>>
>> original, thus executing the malicious code.
>>
>> The following application loads external libraries following an
>> insufficiently qualified path.
>>
>> Application: wscript.exe
>>
>> Extensions: js, jse, vbe, vbs, wsf, wsh
>>
>> Library: wshesn.dll
>>
>> Exploit:
>>
>> Option 1 - Using the “msfpayload” Metasploit module as shown below:
>>
>> msfpayload windows/exec CMD=calc.exe D > exploit.dll
>>
>> Option 2 - Using the “webdav_dll_hijacker” Metasploit module.
>>
>> Impact:
>>
>> A successful exploit of this vulnerability leads to arbitrary code
>> execution.
>>
>> Vendor Response:
>>
>> 2011/08/09 – Vulnerability was identified.
>>
>> 2011/08/19 – Cybsec sent detailed information on the issue and a Proof of
>> Concept.
>>
>> 2011/08/19 – Vendor stated: “As a matter of policy, we cannot comment on
>> ongoing investigations”.
>>
>> 2011/08/19 – Vendor was informed that the security advisory would be
>> published after 15 days.
>>
>> 2011/09/02 – Vulnerability was released.
>>
>> Contact Information:
>>
>> For more information regarding the vulnerability feel free to contact the
>> researcher at
>>
>> jmgarcia <at> cybsec <dot> com
>>
>> About CYBSEC S.A. Security Systems
>>
>> Since 1996,
>> CYBSEC is engaged exclusively in rendering professional services
>> specialized in
>>
>> Information Security. Their area of services covers Latin America, Spain
>> and over 250 customers are a
>>
>> proof of their professional life.
>>
>> To keep objectivity, CYBSEC S.A. does not represent, neither sell, nor is
>> associated with other
>>
>> software and/or hardware provider companies.
>>
>> Our services are strictly focused on Information Security, protecting our
>> clients from emerging security
>>
>> threats, maintaining their IT deployments available, safe, and reliable.
>>
>> Beyond professional services, CYBSEC is continuously researching new
>> defense and attack techniques
>>
>> and contributing with the security community with high quality information
>> exchange.
>>
>> For more information, please visit www.cybsec.com
>>
>> (c) 2011 - CYBSEC S.A. Security Systems
>>
>> _______________________________________________
>> Full-Disclosure - We believe in it.
>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>> Hosted and sponsored by Secunia - http://secunia.com/
>>
>
>
>
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists