Message-ID: <5288F2C9.8020701@rcesecurity.com>
Date: Sun, 17 Nov 2013 17:46:01 +0100
From: Julien Ahrens <info@...security.com>
To: full-disclosure@...ts.grok.org.uk
Subject: Re: [CVE-2013-6356] Avira Secure Backup v1.0.0.1 Multiple Registry Key Value Parsing Local Buffer Overflow Vulnerability

From a technical point of view, it's a vulnerability because you can gain control of EIP.

The reason why a victim would probably import an arbitrary .reg file is the same as why he would use a .wav file from an untrusted source, which exploits a flaw in the installed .wav converter. If you can convince (social-engineer) your victim, because of a lack of knowledge, this scenario would work.

But I was thinking about another attack scenario: Imagine that you already have access to the victim's computer - then you could use this flaw to place a backdoor-shellcode (e.g. a reverse shell) into the registry, which is executed every time the application starts - by default: on startup. Since the application does not validate the values from the registry (and does not remove them either), you've got some kind of persistent code execution.

Regards.

On 17.11.2013 16:12, Jann Horn wrote:
> On Sat, Nov 16, 2013 at 03:23:07PM +0100, Julien Ahrens wrote:
>> A buffer overflow vulnerability has been identified in Avira Secure
>> Backup v1.0.0.1 Build 3616.
>> An attacker needs to force the victim to import an arbitrary .reg file
>> in order to exploit the vulnerability.
> Could you please elaborate on why this is a "vulnerability"? If I can convince
> someone to import random registry files, can't I just add some autorun entry
> or whatever?

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
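The core defect discussed in the thread is an application copying registry-sourced string values into fixed-size buffers without checking their length. The following is an added example, not Avira's code and not taken from the advisory: a portable C routine that treats a registry value as untrusted input and rejects it unless it fits the destination buffer and is properly NUL-terminated. The "registry values" are constructed byte arrays and the buffer size `APP_PATH_MAX` is a hypothetical constant; the real Windows API (`RegQueryValueEx`) is deliberately not used so the example runs anywhere.

```c
/* Added example (not Avira's code): length-checked copy of a
 * registry-sourced REG_SZ value into a fixed-size buffer.
 * Registry data is attacker-influenced input (anyone who can write the
 * key, or who gets a .reg file imported, controls it), so it must be
 * bounds-checked before being copied anywhere on the stack or heap. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define APP_PATH_MAX 64   /* hypothetical fixed buffer size */

/* Copy a REG_SZ-style value into dst.
 * src_len is the byte count reported for the value; for REG_SZ data
 * it should include the terminating NUL. Returns 0 on success, -1 if
 * the value is rejected. */
int copy_reg_string(char *dst, size_t dst_size,
                    const unsigned char *src, size_t src_len)
{
    if (dst == NULL || src == NULL || dst_size == 0)
        return -1;

    /* Reject values that would not fit, NUL included.
     * This is the check whose absence turns a long value into an
     * overwrite of whatever follows the buffer. */
    if (src_len == 0 || src_len > dst_size)
        return -1;

    /* The registry does not guarantee that REG_SZ data is NUL-terminated;
     * require the terminator rather than assume it. */
    if (src[src_len - 1] != '\0')
        return -1;

    /* Reject embedded NULs so the C string length equals src_len - 1. */
    if (strlen((const char *)src) != src_len - 1)
        return -1;

    memcpy(dst, src, src_len);
    return 0;
}

/* Run three constructed sample values through the check and return
 * how many were accepted (expected: 1, the well-formed path). */
int run_samples(void)
{
    char buf[APP_PATH_MAX];
    int accepted = 0;

    /* 1. A well-formed, short path: accepted. */
    static const unsigned char ok[] = "C:\\Backup";
    if (copy_reg_string(buf, sizeof buf, ok, sizeof ok) == 0)
        accepted++;

    /* 2. An oversized value, as an untrusted .reg file could supply:
     *    rejected instead of overflowing buf. */
    unsigned char big[200];
    memset(big, 'A', sizeof big - 1);
    big[sizeof big - 1] = '\0';
    if (copy_reg_string(buf, sizeof buf, big, sizeof big) == 0)
        accepted++;

    /* 3. A value with no terminating NUL: rejected. */
    static const unsigned char noterm[] = { 'a', 'b', 'c' };
    if (copy_reg_string(buf, sizeof buf, noterm, sizeof noterm) == 0)
        accepted++;

    return accepted;
}

int main(void)
{
    int accepted = run_samples();
    printf("%d of 3 constructed registry values accepted\n", accepted);
    return accepted == 1 ? 0 : 1;
}
```

The point of the three samples is that the length check, not the source of the data, decides the outcome: the same function is safe whether the value arrived through an imported .reg file or was written directly by someone who already has access to the machine, which is the persistence scenario the thread describes.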