Archive for the ‘Hacking’ Category

« Older Pages

Microsoft Office Excel > DbOrParamQry Record Parsing Vulnerability

Tuesday, March 9th, 2010

Microsoft Office Excel > DbOrParamQry Record Parsing Vulnerability

Damian Frizza from Core Security Technologies discovered a memory corruption occurs on Microsoft Office Excel 2002 when parsing a .XLS file with a malformed DbOrParamQry record. This vulnerability could be used by a remote attacker to execute arbitrary code in the context of the currently logged on user, by enticing the user to open a specially crafted file.

Vulnerability Informations:

Class: Buffer overflow [CWE-119]
Impact: Code execution
Remotely Exploitable: Yes (client-side)
Locally Exploitable: No
Bugtraq ID: N/A
CVE Name: CVE-2010-0264

Affected Packages:
Microsoft Excel 2002 (Office XP SP3)

Proof of Concept:

According to the MSDN documentation the DbOrParamQry record specifies a DbQuery or ParamQry record depending on the preceding record. The Record Query Parameters (ParamQry) offset DCh, contains information about ODBC parameterized queries. This record has the following format:

1
2
3

Offset  Name    Size  Contents
4      wTypeSql  2    Used for ODBC queries; the parameter SQL type
6      flags     2    Option flags

By modifying this record an exploitable condition can be triggered. An excerpt of the vulnerable code follows:

1
2
3
4
5
6
7
8
9
10
11
12
13

EXCEL!Ordinal41+2c20ce:
302c20ce 8b461c           mov     eax,[esi+0x1c]    ds:0023:0180aa98=0197013c
302c20d1 85c0             test    eax,eax
302c20d3 0f84e1000000     je      EXCEL!Ordinal41+0x2c21ba (302c21ba)  [br=0]
302c20d9 8b08             mov     ecx,[eax]         ds:0023:0197013c=00010001
302c20db 50               push    eax
302c20dc ff5108           call  dword ptr [ecx+0x8] ds:0023:00010009=5c003a00
 
Access violation - code c0000005 (first chance)
eax=0197013c ebx=00000001 ecx=00010001 edx=0000014c esi=0180aa7c edi=00000000
eip=5c003a00 esp=001363ec ebp=00136400 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000206
5c003a00 ??               ???

Vendors:
Microsoft Security Bulletin MS10-017
 MSDN DbOrParamQry entry

References:
Core Security Technologies

Tags: , , , , , , , , , ,
Posted in Hacking, Infosecurity, PoC, Windows | 1 Comment »

IE v.6,7,8 RCE && stack overflow in winhlp32 process (Windows XP SP3)

Thursday, February 25th, 2010

Introduction:
This vulnerability regards to invoke winhlp32.exe,the Microsoft Windows Help File viewer, from Internet Explorer 6,7,8 using VBScript. Passing malicious .HLP file to winhlp32 could allow remote attacker to run arbitrary command.
Additionally, there is a stack overflow vulnerability in winhlp32.exe.

Proof of Concept:
To trigger vulnerability some user interaction is needed. Victim has to press F1 when MsgBox popup is displayed.

1

MsgBox(prompt[,buttons][,title][,helpfile,context])

It is possible to pass remote samba share as helpfile parameter. In addition there is a stack based buffer overflow when helpfile parameter is too long. However, on XP winhlp32.exe is compiled with
/GS flag, which in this case effectively guard the stack.

Example of this exploiting.

Affected Systems:
Windows XP with Service Pack 3

Not Affected Systems:
Vista, Windows 7

Impact:
Value: MEDIUM
The vulnerability allows remote attacker to run arbitrary code on victim machine.

Related sources:
Isec Security Research

Tags: , , , , , , , , , , , ,
Posted in Articles, Exploits, Hacking, Infosecurity, PoC | Comments Off

Google Buzz CSRF Vulnerabilities

Friday, February 12th, 2010

Google Buzz CSRF Vulnerabilities
Google Buzz is a new way to start conversations about the things you find interesting, provided by Google Inc.

However, it is also quite vulnerable to persistent CSRF attacks when data is pulled from external data feeds.

Kristian Hermansen‘ proof-of-concept executes a denial of service against Google Buzz users for which the only recovery is to disable IMG tag loading,
reload Google Buzz, and either “mute” the posting or unfollow permanently.

Sources:
PacketStorm – Advisories
Secunia – Disclosure

Tags: , , , , , , , ,
Posted in Hacking, Infosecurity, News | 1 Comment »

Microsoft shocked : Local Kernel Privilege Escalation (0-day, 17y.old) + IE fixs.

Saturday, January 23rd, 2010

Microsoft shocked : Local Privilege Escalation in Windows Kernel.

Do you remember Google vs China? Remember bugs that have allowed Chinese hackers to enter into Gmail accounts and access to confidential information?

Microsoft has confirmed a privilege-escalation vulnerability in the Windows kernel, one day after a Google engineer posted details of the flaw to the Full Disclosure mailing list.

Systems Affected :
All supported versions of 32-bit Windows, while 64-bit versions, which includes Windows Servers 2008 R2, are not impacted.

Details :
Vulnerability is difficult to exploit, the risk for users is low, and the software giant is not aware of any public attacks exploiting the flaw.
To exploit this vulnerability, an attacker must already have a local access to the system, then elevate their privileges to the administrative level and run programs of their choice on the system.

Advisory + sploit : (external link)
KiTrap0D

Internet Explorer – Remote Code Execution Vulnerability
Microsoft is issuing on January 21 an out-of-band fix for the Internet Explorer security breach that affected Google and other companies in China.

Tags: , , , , , ,
Posted in Articles, Hacking, Infosecurity, News | 1 Comment »

Internet Explorer 6-7-8 => Remote Code Execution

Tuesday, January 19th, 2010

Summary:
Microsoft is investigating reports of limited, targeted attacks against customers of Internet Explorer 6, using a vulnerability in Internet Explorer.

Affected:
Internet Explorer 5.01 Service Pack 4 on Microsoft Windows 2000 Service Pack 4 is not affected, and that Internet Explorer 6 Service Pack 1 on Microsoft Windows 2000 Service Pack 4, and Internet Explorer 6, Internet Explorer 7 and Internet Explorer 8 on supported editions of Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2 are vulnerable.

Vulnerability:
The vulnerability exists as an invalid pointer reference within Internet Explorer. It is possible under certain conditions for the invalid pointer to be accessed after an object is deleted. In a specially-crafted attack, in attempting to access a freed object, Internet Explorer can be caused to allow remote code execution.
In a Web-based attack scenario, an attacker could host a Web site that contains a Web page that is used to exploit this vulnerability. In addition, compromised Web sites and Web sites that accept or host user-provided content or advertisements could contain specially crafted content that could exploit this vulnerability. In all cases, however, an attacker would have no way to force users to visit these Web sites. Instead, an attacker would have to convince users to visit the Web site, typically by getting them to click a link in an e-mail message or Instant Messenger message that takes users to the attacker’s Web site.
An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less affected than users who operate with administrative user rights.

NOTE: This is the vulnerability used by China hackers to spy and scam Gmail Accounts.

Tags: , , , , , , , , ,
Posted in Articles, Exploits, Hacking, News | Comments Off

« Older Pages