March 9th, 2010 ~ nicola
Microsoft Office Excel > DbOrParamQry Record Parsing Vulnerability
Damian Frizza from Core Security Technologies discovered a memory corruption occurs on Microsoft Office Excel 2002 when parsing a .XLS file with a malformed DbOrParamQry record. This vulnerability could be used by a remote attacker to execute arbitrary code in the context of the currently logged on user, by enticing the user to open a specially crafted file.
Vulnerability Informations:
Class: Buffer overflow [CWE-119]
Impact: Code execution
Remotely Exploitable: Yes (client-side)
Locally Exploitable: No
Bugtraq ID: N/A
CVE Name: CVE-2010-0264
Affected Packages:
Microsoft Excel 2002 (Office XP SP3)
Proof of Concept:
According to the MSDN documentation the DbOrParamQry record specifies a DbQuery or ParamQry record depending on the preceding record. The Record Query Parameters (ParamQry) offset DCh, contains information about ODBC parameterized queries. This record has the following format:
1
2
3
| Offset Name Size Contents
4 wTypeSql 2 Used for ODBC queries; the parameter SQL type
6 flags 2 Option flags |
By modifying this record an exploitable condition can be triggered. An excerpt of the vulnerable code follows:
1
2
3
4
5
6
7
8
9
10
11
12
13
| EXCEL!Ordinal41+2c20ce:
302c20ce 8b461c mov eax,[esi+0x1c] ds:0023:0180aa98=0197013c
302c20d1 85c0 test eax,eax
302c20d3 0f84e1000000 je EXCEL!Ordinal41+0x2c21ba (302c21ba) [br=0]
302c20d9 8b08 mov ecx,[eax] ds:0023:0197013c=00010001
302c20db 50 push eax
302c20dc ff5108 call dword ptr [ecx+0x8] ds:0023:00010009=5c003a00
Access violation - code c0000005 (first chance)
eax=0197013c ebx=00000001 ecx=00010001 edx=0000014c esi=0180aa7c edi=00000000
eip=5c003a00 esp=001363ec ebp=00136400 iopl=0 nv up ei pl nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000206
5c003a00 ?? ??? |
Vendors:
Microsoft Security Bulletin MS10-017
MSDN DbOrParamQry entry
References:
Core Security Technologies
Tags: coresecurity, CVE-2010-0264, DbOrParamQry, excel 2002, microsoft office excel, query, Record Parsing Vulnerability, RPV, sp3, Windows, xp
Published in: Hacking, Infosecurity, PoC, Windows | 1 Comment »
Article: Tweet This ~ Print ~ Share on Facebook ~ Email This Article
February 25th, 2010 ~ nicola
Introduction:
This vulnerability regards to invoke winhlp32.exe,the Microsoft Windows Help File viewer, from Internet Explorer 6,7,8 using VBScript. Passing malicious .HLP file to winhlp32 could allow remote attacker to run arbitrary command.
Additionally, there is a stack overflow vulnerability in winhlp32.exe.
Proof of Concept:
To trigger vulnerability some user interaction is needed. Victim has to press F1 when MsgBox popup is displayed.
1
| MsgBox(prompt[,buttons][,title][,helpfile,context]) |
It is possible to pass remote samba share as helpfile parameter. In addition there is a stack based buffer overflow when helpfile parameter is too long. However, on XP winhlp32.exe is compiled with
/GS flag, which in this case effectively guard the stack.
Example of this exploiting.
Affected Systems:
Windows XP with Service Pack 3
Not Affected Systems:
Vista, Windows 7
Impact:
Value: MEDIUM
The vulnerability allows remote attacker to run arbitrary code on victim machine.
Related sources:
Isec Security Research
Tags: 6, 7, 8, exploit, helpfile, ie rce, PoC, remote, samba, stack overflow, vb, winhlp32, xp sp3
Published in: Articles, Exploits, Hacking, Infosecurity, PoC | Comments Off
Article: Tweet This ~ Print ~ Share on Facebook ~ Email This Article
February 12th, 2010 ~ nicola
Google Buzz CSRF Vulnerabilities
Google Buzz is a new way to start conversations about the things you find interesting, provided by Google Inc.
However, it is also quite vulnerable to persistent CSRF attacks when data is pulled from external data feeds.
Kristian Hermansen‘ proof-of-concept executes a denial of service against Google Buzz users for which the only recovery is to disable IMG tag loading,
reload Google Buzz, and either “mute” the posting or unfollow permanently.
Sources:
PacketStorm – Advisories
Secunia – Disclosure
Tags: advisory, buzz, cross site request forgery, csrf, full disclosure, google, persistent, secunia, vulnerabilities
Published in: Hacking, Infosecurity, News | 1 Comment »
Article: Tweet This ~ Print ~ Share on Facebook ~ Email This Article
January 23rd, 2010 ~ nicola
Microsoft shocked : Local Privilege Escalation in Windows Kernel.
Do you remember Google vs China? Remember bugs that have allowed Chinese hackers to enter into Gmail accounts and access to confidential information?
Microsoft has confirmed a privilege-escalation vulnerability in the Windows kernel, one day after a Google engineer posted details of the flaw to the Full Disclosure mailing list.
Systems Affected :
All supported versions of 32-bit Windows, while 64-bit versions, which includes Windows Servers 2008 R2, are not impacted.
Details :
Vulnerability is difficult to exploit, the risk for users is low, and the software giant is not aware of any public attacks exploiting the flaw.
To exploit this vulnerability, an attacker must already have a local access to the system, then elevate their privileges to the administrative level and run programs of their choice on the system.
Advisory + sploit : (external link)
KiTrap0D
Internet Explorer – Remote Code Execution Vulnerability
Microsoft is issuing on January 21 an out-of-band fix for the Internet Explorer security breach that affected Google and other companies in China.
Tags: 0-day, china, google, google vs china, ie rce, privilege escalation, windows kernel
Published in: Articles, Hacking, Infosecurity, News | 1 Comment »
Article: Tweet This ~ Print ~ Share on Facebook ~ Email This Article
January 19th, 2010 ~ nicola
Summary:
Microsoft is investigating reports of limited, targeted attacks against customers of Internet Explorer 6, using a vulnerability in Internet Explorer.
Affected:
Internet Explorer 5.01 Service Pack 4 on Microsoft Windows 2000 Service Pack 4 is not affected, and that Internet Explorer 6 Service Pack 1 on Microsoft Windows 2000 Service Pack 4, and Internet Explorer 6, Internet Explorer 7 and Internet Explorer 8 on supported editions of Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2 are vulnerable.
Vulnerability:
The vulnerability exists as an invalid pointer reference within Internet Explorer. It is possible under certain conditions for the invalid pointer to be accessed after an object is deleted. In a specially-crafted attack, in attempting to access a freed object, Internet Explorer can be caused to allow remote code execution.
In a Web-based attack scenario, an attacker could host a Web site that contains a Web page that is used to exploit this vulnerability. In addition, compromised Web sites and Web sites that accept or host user-provided content or advertisements could contain specially crafted content that could exploit this vulnerability. In all cases, however, an attacker would have no way to force users to visit these Web sites. Instead, an attacker would have to convince users to visit the Web site, typically by getting them to click a link in an e-mail message or Instant Messenger message that takes users to the attacker’s Web site.
An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less affected than users who operate with administrative user rights.
NOTE: This is the vulnerability used by China hackers to spy and scam Gmail Accounts.
Tags: 6.0, 7, 8, china, gmail, google, hackers, internet explorer, microsoft, vulnerability
Published in: Articles, Exploits, Hacking, News | Comments Off
Article: Tweet This ~ Print ~ Share on Facebook ~ Email This Article
