Archive for the ‘Articles’ Category

« Older Pages

IE v.6,7,8 RCE && stack overflow in winhlp32 process (Windows XP SP3)

Thursday, February 25th, 2010

Introduction:
This vulnerability regards to invoke winhlp32.exe,the Microsoft Windows Help File viewer, from Internet Explorer 6,7,8 using VBScript. Passing malicious .HLP file to winhlp32 could allow remote attacker to run arbitrary command.
Additionally, there is a stack overflow vulnerability in winhlp32.exe.

Proof of Concept:
To trigger vulnerability some user interaction is needed. Victim has to press F1 when MsgBox popup is displayed.

1

MsgBox(prompt[,buttons][,title][,helpfile,context])

It is possible to pass remote samba share as helpfile parameter. In addition there is a stack based buffer overflow when helpfile parameter is too long. However, on XP winhlp32.exe is compiled with
/GS flag, which in this case effectively guard the stack.

Example of this exploiting.

Affected Systems:
Windows XP with Service Pack 3

Not Affected Systems:
Vista, Windows 7

Impact:
Value: MEDIUM
The vulnerability allows remote attacker to run arbitrary code on victim machine.

Related sources:
Isec Security Research

Tags: , , , , , , , , , , , ,
Posted in Articles, Exploits, Hacking, Infosecurity, PoC | No Comments »

Microsoft shocked : Local Kernel Privilege Escalation (0-day, 17y.old) + IE fixs.

Saturday, January 23rd, 2010

Microsoft shocked : Local Privilege Escalation in Windows Kernel.

Do you remember Google vs China? Remember bugs that have allowed Chinese hackers to enter into Gmail accounts and access to confidential information?

Microsoft has confirmed a privilege-escalation vulnerability in the Windows kernel, one day after a Google engineer posted details of the flaw to the Full Disclosure mailing list.

Systems Affected :
All supported versions of 32-bit Windows, while 64-bit versions, which includes Windows Servers 2008 R2, are not impacted.

Details :
Vulnerability is difficult to exploit, the risk for users is low, and the software giant is not aware of any public attacks exploiting the flaw.
To exploit this vulnerability, an attacker must already have a local access to the system, then elevate their privileges to the administrative level and run programs of their choice on the system.

Advisory + sploit : (external link)
KiTrap0D

Internet Explorer – Remote Code Execution Vulnerability
Microsoft is issuing on January 21 an out-of-band fix for the Internet Explorer security breach that affected Google and other companies in China.

Tags: , , , , , ,
Posted in Articles, Hacking, Infosecurity, News | 1 Comment »

Internet Explorer 6-7-8 => Remote Code Execution

Tuesday, January 19th, 2010

Summary:
Microsoft is investigating reports of limited, targeted attacks against customers of Internet Explorer 6, using a vulnerability in Internet Explorer.

Affected:
Internet Explorer 5.01 Service Pack 4 on Microsoft Windows 2000 Service Pack 4 is not affected, and that Internet Explorer 6 Service Pack 1 on Microsoft Windows 2000 Service Pack 4, and Internet Explorer 6, Internet Explorer 7 and Internet Explorer 8 on supported editions of Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2 are vulnerable.

Vulnerability:
The vulnerability exists as an invalid pointer reference within Internet Explorer. It is possible under certain conditions for the invalid pointer to be accessed after an object is deleted. In a specially-crafted attack, in attempting to access a freed object, Internet Explorer can be caused to allow remote code execution.
In a Web-based attack scenario, an attacker could host a Web site that contains a Web page that is used to exploit this vulnerability. In addition, compromised Web sites and Web sites that accept or host user-provided content or advertisements could contain specially crafted content that could exploit this vulnerability. In all cases, however, an attacker would have no way to force users to visit these Web sites. Instead, an attacker would have to convince users to visit the Web site, typically by getting them to click a link in an e-mail message or Instant Messenger message that takes users to the attacker’s Web site.
An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less affected than users who operate with administrative user rights.

NOTE: This is the vulnerability used by China hackers to spy and scam Gmail Accounts.

Tags: , , , , , , , , ,
Posted in Articles, Exploits, Hacking, News | Comments Off

XSS Revenge : eu2010.es HACKED

Wednesday, January 6th, 2010

Political websites have been hacked over the past 24 hours to leave leaders with red faces.

A report on BBC News said that visitors to Spain’s EU presidency website were greeted by an image of comedy character Mr Bean instead of the Spanish Prime Minister Jose Luis Rodriguez Zapatero.

The government said that the site – www.eu2010.es – had not been attacked and that a hacker had taken a screenshot of the homepage to make a photo montage using a cross-site scripting (XSS) vulnerability. Visitors found an image of Mr Bean complete with a benign smile and the words ‘Hi there’.

Tags: , , ,
Posted in Articles, Hacking, News, Writing | Comments Off

IE, Chrome, Safari SSL Insecurity

Saturday, October 24th, 2009

IE, Chrome, Safari SSL Insecurity
Ie,Chrome and Safari are not safe browsers to conduct money or confidential transactions, like PayPal, is more secure the Firefox alternative.

It has been published a secure sockets layer certificate that exploits a gaping hole in a Microsoft library used by all three of those browsers. Although the certificate is fraudulent, it appears to all three to be a completely legitimate credential vouching for the online payment service. The bug was disclosed more than nine weeks ago, but Microsoft has yet to fix it.
PayPal and thousands of other financial websites use the certificates to generate a digital signature that mathematically proves login pages aren’t forgeries that were set up by con artists who are sitting in between the user and the website he’s trying to view.
The certificate exploits a security hole in a Microsoft application programming interface known as the CryptoAPI, which is used by the IE, Google Chrome and Apple Safari for Windows browsers to parse a website’s SSL certificates. Even though the certificate is demonstrably forged, it can be used with a previously available hacking tool called SSLSniff to cause all three browsers to display a spoofed page with no warnings, even when its address begins with “https.”
The certificate is the latest to target a weakness that causes browsers, email clients, and other SSL-enabled apps to ignore all text following the \ and 0 characters, which are used to denote the end of a string of characters in C-based languages. Attackers can exploit that weakness by registering a normal SSL certificate for a site under their control and then inserting the domain name and the null character immediately following the name of the site they want to impersonate.

An example of this:

www.paypal.com\0ssl.secureconnection.cc

The take-away from all of this is that if you use IE, Chrome or Safari for Windows to browse SSL-protected parts of PayPal, there’s no way to know if they are genuine – at least until Microsoft gets around to fixing the bug. And because it’s entirely possible null-prefix certificates for other sites have been issued more quietly, there’s no way to rely on SSL at all for those browsers.

References:
Microsoft Security Bulletin
Black Hat Security
TheRegister Security

Tags: , , , , , ,
Posted in Articles, Exploits, Hacking, Webappsec | Comments Off

« Older Pages