[Full-disclosure] Acunetix WVS 5 improper file path handling (EoP)




=========================================================================
TeamIntell Security Advisory TISA2007-02-Public
-------------------------------------------------------------------------
Acunetix WVS 5 improper file path handling
=========================================================================


Release date: 25.06.2007
Severity: Moderately critical
Impact: Privilege escalation
Status: Official patch available
Software: Acunetix WVS 5
Acunetix WVS 4
Tested on: Microsoft Windows 2000 SP4
Microsoft Windows XP SP2
Vendor: http://www.acunetix.com/
Disclosed by: Edi Strosar (TeamIntell)


--------
Summary
--------

The way Microsoft Windows handles filenames is well known
and documented [1]. In situations where the path to an
executable contains white space and is not enclosed in
quotation marks, it is possible to execute an alternate
application. This attack is commonly referred to as the
"Program.exe trick".


---------
Analysis
---------

Acunetix Web Vulnerability Scanner (WVS) is an automated
web application security testing tool. Acunetix WVS 4 and
WVS 5 do not properly handle file names containing white
space, creating a condition where an attacker might be
able to install arbitrary code as the file
%SystemDrive%\program.exe. The arbitrary code would
generally be executed under the privileges of the
executing user, but could also be launched with elevated
privileges. The Acunetix WVS Scheduler Service
(WvSScheduler.exe) runs in the LocalSystem context, and
thus the vulnerable code will be executed in the privileged
LocalSystem context.
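The following is an added example (not part of the advisory, and not Acunetix code) that makes the "Program.exe trick" from the Summary concrete and shows the defensive check for it: it reproduces the documented CreateProcess probing order for an unquoted path containing spaces, audits a set of service command lines for the condition, reports which shadowing paths sit in directories low-privileged users could write to, and emits the quoting fix. The install path of WvSScheduler.exe, the second service and the writable-directory set are constructed assumptions, as is the rule that the first token ending in .exe is the real binary (the file system is not probed).

```python
"""Audit Windows service command lines for the unquoted-path condition the
advisory calls the "Program.exe trick", and show the quoting fix.
Added example, not part of the advisory; all sample data below is constructed."""
import ntpath


def _with_exe(path: str) -> str:
    # CreateProcess appends .exe when the module name has no extension.
    return path if ntpath.splitext(path)[1] else path + ".exe"


def candidate_paths(command_line: str) -> list[str]:
    """Return, in CreateProcess probing order, every file an unquoted command
    line could resolve to. A quoted command line yields exactly one entry.

    Assumption: the first token ending in .exe is the real executable and the
    remainder are arguments (we cannot probe the file system offline)."""
    cmd = command_line.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return [_with_exe(cmd[1:end] if end != -1 else cmd[1:])]
    parts = cmd.split(" ")
    candidates = []
    for i, token in enumerate(parts, start=1):
        # Each space-delimited prefix is tried as the module name in turn.
        candidates.append(_with_exe(" ".join(parts[:i])))
        if token.lower().endswith(".exe"):
            break
    return candidates


def is_unquoted_with_spaces(command_line: str) -> bool:
    """True when more than one path would be tried before the real binary."""
    return len(candidate_paths(command_line)) > 1


def quote_image_path(command_line: str) -> str:
    """Wrap the executable part in quotes so CreateProcess tries one path only."""
    cmd = command_line.strip()
    if not is_unquoted_with_spaces(cmd):
        return cmd
    parts = cmd.split(" ")
    k = len(parts)
    for i, token in enumerate(parts, start=1):
        if token.lower().endswith(".exe"):
            k = i
            break
    exe, args = " ".join(parts[:k]), parts[k:]
    return f'"{exe}"' + (" " + " ".join(args) if args else "")


def audit(services: dict[str, str], writable_dirs: set[str]) -> list[tuple[str, list[str], list[str]]]:
    """For each service, list the shadowing paths tried before the real binary
    and which of them sit in a directory that non-admin users can write to."""
    findings = []
    for name, cmd in services.items():
        cands = candidate_paths(cmd)
        if len(cands) < 2:
            continue
        shadowing = cands[:-1]
        exposed = [c for c in shadowing if ntpath.dirname(c).lower() in writable_dirs]
        findings.append((name, shadowing, exposed))
    return findings


# Constructed sample: the install path and the second service are assumptions
# modelled on the advisory's scenario, not values taken from it.
SAMPLE_SERVICES = {
    "WvSScheduler": r"C:\Program Files\Acunetix\WVS\WvSScheduler.exe",
    "GoodSvc": r'"C:\Program Files\Good Vendor\svc.exe" -run',
}
# Constructed: directories (lower-cased, trailing backslash) assumed writable
# by least-privileged users on the audited host.
SAMPLE_WRITABLE = {"c:\\"}

if __name__ == "__main__":
    for name, shadowing, exposed in audit(SAMPLE_SERVICES, SAMPLE_WRITABLE):
        print(f"{name}: tried first {shadowing}; in user-writable dirs: {exposed}")
        print("  fix:", quote_image_path(SAMPLE_SERVICES[name]))
```

Run as-is it flags only WvSScheduler, because the quoted GoodSvc entry resolves to a single path. On a real host the service dictionary would come from the ImagePath values under the Services registry key and the writable set from an ACL check of each candidate directory; the quoting fix is what a vendor patch or an administrator's registry edit applies.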


-----------
Limitation
-----------

1.)
Default permissions on Windows XP Professional deny
least-privileged users write access to %SystemDrive%, and
thus this attack must involve some form of social
engineering or be combined with another attack to
first get the arbitrary code installed in the correct
location.

2.)
Windows XP will alert the user with a "File name warning"
when executing %SystemDrive%\program.exe. An attacker might
circumvent this warning by setting the registry key
"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\DontShowMeThisDialogAgain",
value name "RogueProgramName", value data "NO". In any case,
local services are started before user registry keys are
loaded, meaning that program.exe would already have been
executed by the time the warning appears.


-----------------
Proof of concept
-----------------

- copy program.exe to %SystemDrive%
- restart the computer
- login as least-privileged user
- use whoami.exe [2] and enumerate user privileges

Tested on Windows XP Professional SP2 and Windows 2000
Professional SP4.

Download link:
http://www.teamintell.com/advisories/TISA2007-02-Public.zip


---------
Solution
---------

The vendor has released Acunetix WVS Build v5.0.70621, which
fixes this issue.


-----------
References
-----------

[1]
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dllproc/base/createprocessasuser.asp
[2]
http://www.microsoft.com/downloads/details.aspx?familyid=49ae8576-9bb9-4126-9761-ba8011fabf38&displaylang=en


--------
Contact
--------

Maldin d.o.o.
Trzaska cesta 2
1000 Ljubljana - SI

tel: +386 (0)590 70 170
fax: +386 (0)590 70 177
gsm: +386 (0)31 816 400
web: www.teamintell.com
e-mail: info@xxxxxxxxxxxxxx


-----------
Disclaimer
-----------

The content of this report is purely informational and
meant for educational purposes only. Maldin d.o.o. shall
in no event be liable for any damage whatsoever, direct or
implied, arising from use or spread of this information.
Any use of information in this advisory is entirely at
user's own risk.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


