Somebody once said..

"If you convince people that the wheel isn't right, they will allow you to re-invent it"
Showing posts with label Vulnerability Disclosure.

Thursday, April 1, 2010

PDF Command execution vulnerability

Researcher Didier Stevens has just shown that he can make a PDF reader execute any command without exploiting any vulnerability at all! On his blog he demonstrated how the "Launch" action of a PDF document can be abused to execute an arbitrary command on the victim's machine.

Though he did not reveal complete details, his partial PoC is good enough to work out how the attack is put together. I decided to have a look at it and see how this behaves on different platforms and readers.

Apparently what Adobe thought was a feature leaves gaping holes in the operating system for any attacker to exploit! By simply having a look at the PDF file specification on Adobe's website, I was able to create the attack that Stevens described in his post. It is extremely trivial to manipulate the dialog box prompt:


This was tested on WinXP SP3 with Adobe Reader 9.3.1. Clicking "Open" directly launches the calculator, as I simply changed the "/F" parameter from his PoC to "calc.exe".


But wait, that's not it. I replaced calc.exe with, guess what, a URL, and voila ... my browser just opened and took me straight to that page. Ohh.. how nice, Adobe !!? :/ If your PDF opens directly in your browser, then it gets even better:

PDF URL Redirection in action

Now, not only can the attacker take you to an exploit-laden website, but this also becomes an even more lucrative vector for phishing attacks. Imagine receiving a PDF from a bank that asks you to click "Open" to go to its website and enter your details!

I decided to try this on my Ubuntu 9.10, but (thank god) the Evince document viewer did not open any file (yes, I modified the PDF for xcalc). But what about Adobe Reader 9.3.1 on Ubuntu? It did give the prompt, but unlike Windows, it did not allow me to execute any program.


Instead, I was able to open any file in the default editor. Note that I was not able to control the prompt text box as in the case of Windows, and the URL demo also didn't work with Adobe Reader on Ubuntu.
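Since the whole trick lives in a /Launch action whose /F entry names a program, a file or a URL, the defender's side of this is simply finding such actions in a document before it is opened. The following triage script is an added example written for this page; it is not Didier Stevens' PoC and not Adobe's code. It scans a PDF's uncompressed objects for /Launch actions, pulls out the /F target (either directly or inside the Windows-specific /Win dictionary), flags URL targets like the redirect shown above, and reports whether the action is wired to the catalog's /OpenAction so it fires as soon as the file is opened. The sample documents at the top are constructed inline with placeholder targets; objects hidden inside compressed object streams are not inspected, which is the caveat to keep in mind when relying on regex-level scanning.

```python
import re
from dataclasses import dataclass

# Constructed sample: a minimal PDF with a /Launch action reachable from /OpenAction.
# The target name is a placeholder, not a real executable.
SAMPLE_LAUNCH_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj
4 0 obj << /Type /Action /S /Launch /Win << /F (placeholder.exe) >> >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# Constructed sample: a /Launch action that points at a URL but is not auto-triggered.
SAMPLE_URL_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj
5 0 obj << /Type /Action /S /Launch /F (http://example.invalid/login) >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# Constructed sample: no actions at all.
SAMPLE_CLEAN_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.DOTALL)
LAUNCH_RE = re.compile(rb"/S\s*/Launch\b")
# /F as a literal string (...) with escaped parens tolerated, or as a hex string <...>.
F_LITERAL_RE = re.compile(rb"/F\s*\(((?:\\.|[^\\)])*)\)", re.DOTALL)
F_HEX_RE = re.compile(rb"/F\s*<([0-9A-Fa-f\s]*)>")
OPENACTION_RE = re.compile(rb"/OpenAction\s+(\d+)\s+(\d+)\s+R")
URL_SCHEME_RE = re.compile(r"[a-z][a-z0-9+.\-]*://", re.IGNORECASE)


@dataclass
class LaunchFinding:
    obj_num: int      # object number holding the /Launch action
    target: str       # decoded /F entry (program, file or URL)
    is_url: bool      # target looks like a URL (browser redirect case)
    auto_open: bool   # action is the catalog's /OpenAction, so it fires on open


def _extract_target(body: bytes) -> str:
    """Return the /F entry of an action dictionary, decoding literal or hex strings."""
    m = F_LITERAL_RE.search(body)
    if m:
        return m.group(1).decode("latin-1")
    m = F_HEX_RE.search(body)
    if m:
        digits = re.sub(rb"\s", b"", m.group(1)).decode("ascii")
        if len(digits) % 2:          # PDF pads an odd trailing digit with 0
            digits += "0"
        return bytes.fromhex(digits).decode("latin-1")
    return ""


def find_launch_actions(pdf: bytes) -> list[LaunchFinding]:
    """Scan uncompressed objects for /Launch actions; object streams are not expanded."""
    auto = {(int(n), int(g)) for n, g in OPENACTION_RE.findall(pdf)}
    findings = []
    for num, gen, body in OBJ_RE.findall(pdf):
        if not LAUNCH_RE.search(body):
            continue
        target = _extract_target(body)
        findings.append(LaunchFinding(
            obj_num=int(num),
            target=target,
            is_url=bool(URL_SCHEME_RE.match(target)),
            auto_open=(int(num), int(gen)) in auto,
        ))
    return findings


if __name__ == "__main__":
    for name, doc in (("launch", SAMPLE_LAUNCH_PDF),
                      ("url", SAMPLE_URL_PDF),
                      ("clean", SAMPLE_CLEAN_PDF)):
        print(name, find_launch_actions(doc))
```

Any hit at all is worth quarantining: the action exists only to run something outside the reader, and the auto_open flag tells you whether the user even gets a chance to decline beyond the dialog shown above.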

Hope Adobe and others fix this issue soon! I don't wanna start analyzing another pile of malicious PDFs again .. ;)

Thursday, June 11, 2009

XM Personal FTP Server vulnerability

Recently I discovered a Denial-of-Service vulnerability in XM Personal FTP Server 5.7. This is an easy-to-use FTP server application which can help you create an FTP server really fast without any complex configuration.

This vulnerability was actually discovered in May. Despite trying multiple times to contact the author of this software, he did not respond to my communication. So eventually I decided to post the details of the vulnerability as well as the PoC on Bugtraq.

The vulnerability exists because the application fails to handle arguments passed to some of the standard FTP commands such as HELP and TYPE. It was actually discovered accidentally when I was trying to figure out how to use fuzzing tools! :) ... The tool used for this was FTP Fuzzer 1.0 from Infigo, which is a nice tool for fuzzing. This is just a DoS vulnerability and remote code execution is not possible. For some strange reason SecurityFocus has mentioned that remote code execution is possible, but I don't think so.
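The root cause described above, a server that trusts whatever follows HELP or TYPE, is easiest to understand next to a handler that does it properly. The code below is an added example for this post, not XM Personal FTP Server's code and not a reproduction of the fuzzer output. It parses one control-connection line into a verb and an argument with a hard length limit (the 512-byte cap is an assumed value chosen for the example), rejects non-ASCII and stray control characters before any handler sees them, validates TYPE against the RFC 959 grammar (A or E with optional N/T/C, I, or L 8) instead of trusting the argument, and answers HELP only from a fixed table so attacker-controlled text is never echoed back. Every reply is a standard FTP reply code, so a client that sends garbage gets a 500/501/504 and the server keeps running.

```python
MAX_LINE = 512   # assumed per-line cap for this example, not taken from any real server

RESP_500 = "500 Syntax error, command unrecognized."
RESP_501 = "501 Syntax error in parameters or arguments."
RESP_502 = "502 Command not implemented."
RESP_504 = "504 Command not implemented for that parameter."

# Fixed help table: only these strings are ever sent, never the client's argument.
HELP_LINES = {
    "TYPE": "214 Syntax: TYPE <A|E [N|T|C] | I | L 8>",
    "HELP": "214 Syntax: HELP [command]",
    "NOOP": "214 Syntax: NOOP",
    "QUIT": "214 Syntax: QUIT",
}


def parse_line(line: bytes) -> tuple[str, str]:
    """Split a raw control-connection line into (VERB, argument) or raise ValueError."""
    if not isinstance(line, bytes) or len(line) > MAX_LINE:
        raise ValueError("oversized line")
    if not line.endswith(b"\r\n"):
        raise ValueError("missing CRLF terminator")
    text = line[:-2].decode("ascii")          # UnicodeDecodeError is a ValueError
    if any(ch in text for ch in "\r\n\0"):
        raise ValueError("embedded control character")
    verb, _, arg = text.partition(" ")
    if not verb.isalpha():
        raise ValueError("malformed verb")
    return verb.upper(), arg.strip()


def handle_type(arg: str) -> str:
    """Validate the TYPE argument against the RFC 959 grammar before accepting it."""
    parts = arg.split()
    if len(parts) == 0 or len(parts) > 2:
        return RESP_501
    code = parts[0].upper()
    sub = parts[1].upper() if len(parts) == 2 else None
    if code in ("A", "E"):
        if sub is None or sub in ("N", "T", "C"):
            return "200 Type set to {}.".format(code if sub is None else f"{code} {sub}")
        return RESP_504
    if code == "I":
        return "200 Type set to I." if sub is None else RESP_501
    if code == "L":
        return "200 Type set to L 8." if sub == "8" else RESP_504
    return RESP_504


def handle_help(arg: str) -> str:
    """Answer HELP from the fixed table; unknown names get a generic reply, not an echo."""
    if not arg:
        return "214 Commands: " + " ".join(sorted(HELP_LINES))
    return HELP_LINES.get(arg.upper(), RESP_502)


HANDLERS = {
    "TYPE": handle_type,
    "HELP": handle_help,
    "NOOP": lambda arg: "200 OK.",
    "QUIT": lambda arg: "221 Goodbye.",
}


def handle_command(line: bytes) -> str:
    """Process one client line; every failure path maps to a reply code, never a crash."""
    try:
        verb, arg = parse_line(line)
    except ValueError:
        return RESP_500
    handler = HANDLERS.get(verb)
    if handler is None:
        return RESP_502
    return handler(arg)


if __name__ == "__main__":
    # Constructed inputs: the kinds of lines a fuzzer would throw at the TYPE/HELP handlers.
    for probe in (b"TYPE I\r\n", b"TYPE\r\n", b"TYPE " + b"A" * 2000 + b"\r\n",
                  b"HELP TYPE\r\n", b"HELP \xff\xfe\r\n"):
        print(probe[:24], "->", handle_command(probe))
```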

Some time I will write an article on fuzzing. It's a pretty interesting concept, and in fact I am also writing a protocol fuzzer. Hopefully it should be done soon!

Details of the vulnerability are available at:
http://www.securityfocus.com/bid/35239
http://secunia.com/advisories/35271/