[NT] Zango Adware - Insecure Auto-Update and File Execution



The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html

- - - - - - - - -



Zango Adware - Insecure Auto-Update and File Execution
------------------------------------------------------------------------


SUMMARY

" <http://www.zangocash.com/faq/> ZangoCash (formerly LOUDcash) is
recognized around the world as one of the best pay-per-install affiliate
programs on the Internet."

Zango Adware does not authenticate in any way the automatic updates it
pulls. This allows an attacker to inject malicious code.

DETAILS

After the acknowledgment of an License Agreement, during Startup, the
bundled EXE contacts several servers and downloads the required Adware
components. The downloaded components are not checked for integrity or
authenticity and are executed as soon as they are downloaded.

The following procedures are exploitable :
* Initial Install
* Auto-Update function

The condition is exploitable in the following scenarios:
1. You have legitimate control over the DNS server
2. You have compromised a DNS server
3. You forge a cache poisoning attack against a vulnerable DNS server
4. You have access to the machine and change the HOST file

Redirecting the hostname "static.zangocash.com" to an IP address under
your Control and creating the respective V-host allows you to install any
type of executable on the machine where zango is being installed or
currently is installed, in other words: You could potentially compromise
an internal network of a company if Zango is installed on workstations (or
servers - this was also observed by the author) and one of the 4
aforementioned conditions are met.

Especially the auto update function is a problem, imagine a DNS server not
a split setup) is compromised or cache-poisoned, every workstation with
Zango installed inside the company can be immediately compromised as the
Workstation tries to automatically download an update of Zango and fails
to realize that instead of Zango it downloads and executes a
Rootkit/Backdoor/"put anything here".


Vendor Response:
Vendor contact : 01/02/2006
Vendor Response : 05/02/2006

No official statement, first I was asked to remove the web page, then I
was allowed to keep it online, I was not given permission to disclose the
conversations that took place. I will respect the rights of 0180
Solutions.


ADDITIONAL INFORMATION

The information has been provided by <mailto:Thierry@xxxxxxxxx> Thierry
Zoller.
The original article can be found at:
<http://secdev.zoller.lu/research/zango.htm>
http://secdev.zoller.lu/research/zango.htm



========================================


This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@xxxxxxxxxxxxxx
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@xxxxxxxxxxxxxx


====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.



Relevant Pages