myITforum.com, Inc.


Harry Waldron - My IT Forums Blog

Sharing Security Developments, and Best Practices for corporate and home users

February 2006 - Posts

  • New IE exploit targets older unpatched builds

    FrSIRT is reporting a brand new IE exploit targeted to XP SP0 (Gold) that appears to be patched in XP SP1 or higher, as well as W/2000 SP4.  Still, there might be some folks running "Gold" (and especially W/2000 SP3 in the corporate world) ... More can be found at FrSIRT's site 

    Microsoft Internet Explorer "IsComponentInstalled()" Remote Stack Overflow Exploit

    Date : 28/02/2006
    Rated as : Critical
    Note: This vulnerability has reportedly been fixed in Windows XP SP1 and Windows 2000 SP4

    # This file is part of the Metasploit Framework and may be redistributed
    # according to the licenses defined in the Authors field below. In the
    # case of an unknown or missing license, this file defaults to the same
    # license as the core Framework (dual GPLv2 and Artistic). The latest
    # version of the Framework can always be obtained from metasploit.com.

  • Snow.A - File infector virus impacts *.EXE files

    Please be careful with all EXE files in email or other sources. So far this new PE based virus is low-risk.

    Snow.A - File infector virus impacts *.EXE files
    http://vil.nai.com/vil/content/v_138727.htm

    This detection is for a Win32 parasitic virus variant that infects Windows portable executable (PE) files.

    W32/Snow.a bears the following characteristics:

    1. infects PE executable files
    2. infected files grow in length by about 243 kilobytes
    3. drops and installs WinPcap network drivers
    4. drops and auto-starts a copy of itself
    5. when an infected file is run, the virus searches for other files to infect on both local and network drives
    6. floods the network with spoofed ARP packets (ARP poisoning)

  • Haxdoor - Advanced Rootkit design

    This article by F-Secure describes one of the most advanced rootkit designs seen so far.  With kernel-mode networking API hooks it even has the potential to compromise SSL-based security.

    http://www.f-secure.com/weblog/archives/archive-022006.html#00000821

    QUOTE:  Haxdoor is one of the most advanced rootkit malware out there. It is a kernel-mode rootkit, but most of its hooks are in user-mode. It actually injects its hooks to the user-mode from the kernel -- which is really unique and kind of bizarre.  We took a careful look at Backdoor.Win32.Haxdoor.gh (detection added 31 Jan, 2006). It hooks HTTP functionality, redirects traffic, steals private information, and transmits the stolen data to a web-server controlled by the attacker. Most (all?) online banks use SSL encrypted connections to protect transmissions. If Haxdoor would hook networking functionality in the kernel, it would have a hard time phishing since the data would be encrypted. By hooking on a high-enough API level it is able to grab the data before it gets encrypted.

  • Bagle.DW - Disguised as Software Cracking program

    This new downloader version of Bagle pretends to be a software cracking program, but it attempts to download malicious content from the Internet.

    Bagle.DW - Disguised as Software Cracking program
    http://vil.nai.com/vil/content/v_138710.htm
    http://securityresponse.symantec.com/avcenter/venc/data/w32.beagle.dv.html

    W32/Bagle.dw is a trojan downloader that attempts to download and execute files from various compromised websites. As the website being communicated with is normally controlled by the malware author, any files being downloaded can be remotely modified and the behavior of these new binaries altered - possibly with every user infection.

    At the time of writing this description, McAfee AVERT did not see the downloading of any files as they may have been moved or deleted at the remote site. W32/Bagle.dw was mass spammed on February 25th, 2006.

  • Macromedia ShockWave Player ActiveX Installer Buffer Overflow

    A new vulnerability has been discovered for Macromedia's Shockwave player that occurs only during install processing. Never install any software sent by email, as virus writers may try to exploit this new vulnerability.  Always install software directly from the vendor's web site.

    Macromedia ShockWave Player ActiveX Installer Buffer Overflow
    http://secunia.com/advisories/19009/

    Description: The vulnerability is caused due to a boundary error in the Installer ActiveX control. This can be exploited to cause a stack-based buffer overflow via overly long values passed in two specific parameters to the control. Successful exploitation allows arbitrary code execution, but requires that the user is e.g. tricked into visiting a malicious web site that prompts the user to install Shockwave Player. The vulnerability has been reported in versions 10.1.0.11 and prior.

    Workaround: The vendor has reported that the vulnerability occurs only during the installation process, and no action needs to be taken by current users.

    Solution: Only install ShockWave Player directly from the vendor's web site.

  • Linux/UNIX - New version of Mare worm circulating

    UNIX_MARE.F Reported by Trend Micro

    ELF_MARE.E Reported by Trend Micro

    This executable Linux file (ELF) propagates by taking advantage of the XML-RPC for PHP remote code execution vulnerability.

  • Apple Mac OS System X - Critical Vulnerability and published Exploit

      Apple will most likely patch this vulnerability soon and Mac users should look for any System X updates.  Just as in the Windows environment, everyone needs to be careful of any suspicious email attachments, email URL links, or unfamiliar websites. 

    Apple Mac OS X Metadata Handling Remote Shell Execution Vulnerability
    http://www.frsirt.com/english/advisories/2006/0671
    http://secunia.com/advisories/18963/

    Description: The vulnerability is caused due to an error in the processing of file association meta data in ZIP archives (stored in the "__MACOSX" folder) and mail messages (defined via the AppleDouble MIME format). This can be exploited to trick users into executing a malicious shell script renamed to a safe file extension stored in a ZIP archive or in a mail attachment. This can also be exploited automatically via the Safari browser when visiting a malicious web site.

    Exploit: One exploit has been published and the code can be reviewed at the FrSIRT site

    Patches: None published so far

    Workarounds: Do not open files in archives or mail attachments originating from untrusted sources. The vulnerability can be mitigated by disabling the "Open safe files after downloading" option in Safari.
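    An added example, not part of the post or the advisories it quotes: a Python scanner that applies the advisory's own description (a script given a safe extension and paired with AppleDouble metadata under __MACOSX) to a ZIP archive before anyone opens it. The archive contents are constructed here; the AppleDouble and Mach-O magic numbers are the formats' real values, and the list of "safe" extensions is an assumption.

```python
import io
import posixpath
import zipfile

APPLEDOUBLE_MAGIC = b"\x00\x05\x16\x07"          # AppleDouble header, big-endian
MACHO_MAGICS = (b"\xfe\xed\xfa\xce", b"\xce\xfa\xed\xfe",   # 32-bit Mach-O, both byte orders
                b"\xfe\xed\xfa\xcf", b"\xcf\xfa\xed\xfe",   # 64-bit Mach-O
                b"\xca\xfe\xba\xbe")                        # fat binary
# Assumed list of extensions a user (and Safari's "Open safe files" setting) treats as harmless.
SAFE_EXTENSIONS = {".jpg", ".jpeg", ".gif", ".png", ".txt", ".pdf", ".mov", ".mp3"}


def appledouble_targets(zf):
    """Map data-entry name -> __MACOSX/._name entry for forks that are real AppleDouble."""
    targets = {}
    for info in zf.infolist():
        parts = info.filename.split("/")
        if parts[0] != "__MACOSX" or len(parts) < 2 or not parts[-1].startswith("._"):
            continue
        data_name = "/".join(parts[1:-1] + [parts[-1][2:]])
        with zf.open(info) as fh:
            if fh.read(4) == APPLEDOUBLE_MAGIC:
                targets[data_name] = info.filename
    return targets


def executable_body(head):
    """True for a shell/script shebang or a Mach-O header: content the Finder could run."""
    return head.startswith(b"#!") or head[:4] in MACHO_MAGICS


def scan_archive(data):
    """Return sorted (entry, has_appledouble_fork) for entries whose extension looks
    safe but whose bytes are executable. Entries that also carry an AppleDouble fork
    match the advisory's vector exactly; the rest are still disguised executables."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        forks = appledouble_targets(zf)
        for info in zf.infolist():
            if info.is_dir() or info.filename.split("/")[0] == "__MACOSX":
                continue
            if posixpath.splitext(info.filename)[1].lower() not in SAFE_EXTENSIONS:
                continue
            with zf.open(info) as fh:
                head = fh.read(8)
            if executable_body(head):
                findings.append((info.filename, info.filename in forks))
    return sorted(findings)


def build_sample_archive():
    """Constructed sample, not real malware: a shell script named like an image plus a
    minimal AppleDouble fork, a genuine JPEG header with a fork, and a script with no fork."""
    # AppleDouble header: magic, version 2, 16 filler bytes, zero entries
    fork = APPLEDOUBLE_MAGIC + b"\x00\x02\x00\x00" + b"\x00" * 16 + b"\x00\x00"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("photos/vacation.jpg", b"#!/bin/sh\necho constructed sample\n")
        zf.writestr("__MACOSX/photos/._vacation.jpg", fork)
        zf.writestr("photos/real.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 12)
        zf.writestr("__MACOSX/photos/._real.jpg", fork)
        zf.writestr("notes.txt", b"#!/bin/bash\necho no fork here\n")
    return buf.getvalue()


if __name__ == "__main__":
    for name, has_fork in scan_archive(build_sample_archive()):
        suffix = " with AppleDouble metadata fork" if has_fork else ""
        print("%s: executable content%s" % (name, suffix))
```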

  • Microsoft Security updates for February 2006 - New Media Player exploits emerge

    Below are some new exploits for MS06-005 and MS06-006 that emerged shortly after Microsoft's "Patch Tuesday" updates on Valentine's Day.  Where malicious code is easy for the bad guys to develop, the timeframe for reverse engineering is shrinking to hours and days instead of a couple of weeks.  Please update your systems promptly if you haven't had a chance to do this yet.

    FOUR NEW EXPLOITS FROM FEBRUARY UPDATES - from FrSIRT's website:

    2006-02-17 : Microsoft Windows Media Player 10 Plugin Remote Code Execution Exploit (MS06-006)
     
    2006-02-17 : Microsoft Windows Media Player 9 Plugin Remote Code Execution Exploit (MS06-006)
     
    2006-02-16 : Microsoft Windows Media Player BMP Handling Buffer Overflow Exploit (MS06-005) #2
     
    2006-02-15 : Microsoft Windows Media Player BMP Handling Buffer Overflow Exploit (MS06-005)

    Microsoft Security Bulletin Summary for February, 2006
    http://www.microsoft.com/technet/security/bulletin/ms06-feb.mspx

  • MS06-005 proof of concept exploit released

    MS06-005 proof of concept exploit released
    http://www.incidents.org/diary.php?storyid=1126

    QUOTE: The proof of concept exploit for MS06-005 has been released. The exploit crafts a malicious BMP file to perform a buffer overflow in Media Player. Keeping in mind, as Microsoft has pointed out, that the exploiting factor can include other graphics files as well (such as .wmp), it's a good idea to get it patched ASAP.

  • New Bagle Virus - Olympic-themed variant

    The social engineering approach used by this latest version of the Bagle virus continues to prove that "if it's too good to be true, then it's not."  It's always beneficial to avoid opening any suspicious attachment or URL link.

    New Bagle Virus - Olympic-themed variant
    http://www.f-secure.com/weblog/archives/archive-022006.html#00000809
    http://vil.nai.com/vil/content/v_138528.htm

    Example
    http://vil.nai.com/images/138528b.JPG

  • Windows ACL Privilege Escalation - New Exploit Developed

    System administrators should review this exposure carefully if they are using older versions of XP.  Moving to XP SP2 is beneficial as it offers a number of security improvements.  Companies should test their applications to ensure they are compliant as the stricter levels of security could create issues for poorly written applications.  Still, upgrading to SP2 is worthwhile and goes smoothly in most cases. 

    Microsoft Windows Service ACLs Local Privilege Escalation Vulnerability
    http://www.frsirt.com/english/advisories/2006/0417

    Technical Description: A vulnerability has been identified in Microsoft Windows, which could be exploited by malicious users to obtain elevated privileges. This flaw is due to insecure default access controls where the "Authenticated Users" group is granted permissions to modify Simple Service Discovery Protocol (SSDP) and Universal Plug and Play Device Host (UPnP) service configurations, which could be exploited by local unprivileged attackers to change the default binary that is associated with an affected service and execute malicious programs with elevated privileges.

    Solution: Upgrade to Microsoft Windows XP SP2 or Microsoft Windows Server 2003 SP1, or change the default ACLs:

    http://www.microsoft.com/technet/security/advisory/914457.mspx

  • Sun Java - Security Release for critical vulnerabilities

    Users with Sun Java installed should update their systems to protect their browser and PC environment from malicious websites that could affect security controls.

    Sun Java Runtime Environment Sandbox Security Bypass Vulnerabilities
    http://www.frsirt.com/english/advisories/2006/0467

    Advisory ID : FrSIRT/ADV-2006-0467
    Rated as : Critical
    Remotely Exploitable : Yes
    Locally Exploitable : Yes
    Release Date : 2006-02-08

    Technical Description: Seven vulnerabilities were identified in Sun Java JRE (Java Runtime Environment), which could be exploited by malicious web sites to compromise a vulnerable system. These flaws are due to errors in the "reflection" APIs, which could be exploited by attackers to read, write, and execute arbitrary files by convincing a user to visit a specially crafted web page containing a malicious applet.

    Affected Products
    JDK 5.0 Update 4 and prior
    JRE 5.0 Update 4 and prior
    SDK 1.4.2_09 and prior
    JRE 1.4.2_09 and prior
    SDK 1.3.1_16 and prior
    JRE 1.3.1_16 and prior

    Solution:

    JDK and JRE 5.x - Upgrade to JDK and JRE 5.0 Update 6 :
    http://java.sun.com/j2se/1.5.0/download.jsp

    SDK and JRE 1.4.x - Upgrade to SDK and JRE 1.4.2_10 :
    http://java.sun.com/j2se/1.4.2/download.html

    SDK and JRE 1.3.x - Upgrade to SDK and JRE 1.3.1_17 :
    http://java.sun.com/j2se/1.3/download.html

    Reference
    http://sunsolve.sun.com/search/document.do?assetkey=1-26-102171-1

  • Safer Internet Day 2006

    The following are links related to "Safer Internet Day".  This is a good initiative in providing security awareness for home users.

    Europe's Internet safety information resource
    http://www.saferinternet.org/ww/en/pub/insafe/index.htm

    Internet Safety Home Page
    http://www.saferinternet.org/ww/en/pub/insafe/safety.htm

    QUOTE: 'Safer Internet Day', the initiative is designed to raise awareness of cyber threats. The target audience in this case, however, isn't the corporate IT-type, but users, specifically targeting parents and children. This year's Safer Internet Day attempts to ride on the coattails of success of blogging and will distribute its message using exactly the same vehicle.

    Activities
    Blogging
    Chat
    Instant Messaging
    Mobiles
    Online gaming
    Online shopping 
     
    Issues
    Cyberbullying
    Gambling
    Gaming
    Hate speech / racism
    Privacy
    Phishing
    Spam
    Spyware
    Virus
     
    Useful Info
    SAFT guide for parents
    Council of Europe Handbook
    To surf in safe waters
    Insafe newsletter

  • CAIDA - An Excellent Analysis of Blackworm's Impact

    This is some of the best documentation I've seen in providing a comprehensive analysis for a major new virus.  The link below from CAIDA is chock-full of charts, graphs, and facts.  I'm glad that actual damages for the payload triggered on February 3rd were significantly less than predicted.

    CAIDA -- The Nyxem Email Virus: Analysis and Inferences
    http://www.caida.org/analysis/security/blackworm/

  • Microsoft HTML Workshop product - New unpatched vulnerability & POC exploit

    This development tool is part of an SDK that helps client/server or web developers author help screens for applications.  This unpatched vulnerability is rated moderately critical and a proof-of-concept exploit has been published.

    Microsoft HTML Help Workshop "hhp" File Handling Buffer Overflow Issue
    http://secunia.com/advisories/18740/
    http://www.frsirt.com/english/advisories/2006/0446

    Rated as : Moderate Risk
    Remotely Exploitable : Yes
    Locally Exploitable : Yes
    Release Date : 2006-02-06

    Exploits: POC exploit published at FrSIRT's site

    Affected Products: Microsoft HTML Help Workshop version 4.74.8702.0 and prior

    Solution: Do not open untrusted ".hhp" files, as there is no officially supplied patch for this issue yet.

    Technical Description: A vulnerability has been identified in Microsoft HTML Help Workshop, which could be exploited by attackers to execute arbitrary commands. This flaw is due to a buffer overflow error when processing a specially crafted ".hhp" file containing an overly long "Contents file" field, which could be exploited by remote attackers to compromise a vulnerable system by convincing a user to open a malicious ".hhp" file.

  • The Family PC -- How to stay safe on the Internet.

      As parents, we have concerns on Internet safety for all of our family members.  This morning I spent some time gathering some of the best published resources out there.  Most of these are non-technical and easy-to-understand.

    Security is a two part process.  Part one is the technical protection associated with anti-virus software, firewalls, Windows Updates, Anti-Spyware, etc.  Part two is in the human behavior aspects, where security can be seen as SEC-U-R-IT-Y.  The "U-R-IT" part means that "You are it".  While the bad guys are the source of the problem, so is ignoring the risk.  For example, if you ignore speed limit or stop signs on the highway, you'll run into trouble.  It's the same way with computer security.

    The best advice I have for parents is "To Teach your Children well". Spend quality time with family members teaching them to avoid email/IM attachments and URLs, recognizing spam (there are no free lunches out there), and most importantly the bad people on the Internet (e.g., predators - which thankfully law enforcement is on the lookout for).  The knowledge of Internet risks and how to avoid them is as important as the technical safeguards we employ on our family PCs.

    Below are some resources that might help:
     

    SEARCH ENGINES -- There are numerous resources of good pages in google, MSN, or other search engines:

    http://www.google.com/search?&q=how+to+stay+safe+on+Internet
    http://search.msn.com/results.aspx?q=how+to+stay+safe+on+Internet


    GREAT FAMILY PROTECTION LINKS -- I particularly liked these for children, and in fact they apply to all home users:

    http://www.staysafe.org/
    http://www.sass.ca/safe.htm
    http://www.safekids.com/
    http://www.safeteens.com/safeteens.htm
    http://www.bettybookmark.com/i/internetsafety.htm
    http://www.staysafeonline.info/
    http://www.chaminade.org/MIS/WebSafety/30ways.htm
    http://www.dhs.gov/dhspublic/display?theme=76&content=336
    http://familyinternet.about.com/cs/internetsafety1/a/aa8safesteps.htm
    http://www.wiredsafety.org/
    http://www.bbc.co.uk/cumbria/features/2004/03/internet_safety/index.shtml
    http://www.bcentral.co.uk/technology/security/stay-safe-online.mspx
    http://www.haltabuse.org/resources/online.shtml
    http://www.hubbardtwppd.org/Homeland/online.htm


    SAFETY QUIZ -- Below is a 10 question Internet safety quiz that your family members can take in just a couple of minutes:

    http://www.iol.ie/~dromore/safety/quiz/quiz.htm


    OTHER GREAT RESOURCES - I've always liked the work done by MS "at home", CERT, and Kim Komando:

    http://www.microsoft.com/athome/security/default.mspx
    http://www.cert.org/tech_tips/home_networks.html
    http://www.komando.com/

  • British Government - Virus Protection Guidelines

    This is an older Best Practices guideline I found while researching that was issued a few years ago.  Most of this is still relevant today.

    TEXT -- HOW TO PROTECT YOURSELF AND YOUR COMPANY FROM COMPUTER VIRUSES

    PDF -- HOW TO PROTECT YOURSELF AND YOUR COMPANY FROM COMPUTER VIRUSES

  • Internet Storm Center Article: Recovering LOST files from a hardrive

    Backups are always beneficial and as CD media is inexpensive, I usually make double copies which are tested in another PC. 

    The Blackworm (CME-24) payload included capabilities to delete several types of documents and files.  Usually, the best "undelete" tools or services aren't free and these links can provide starting points.

    Internet Storm Center Article: Recovering LOST files from a hardrive
    http://www.incidents.org/diary.php?storyid=1096

    QUOTE: First if at all possible TURN off the computer and put the infected drive on another system that is not infected. If for one reason or another you can not you should consider one of the cdrom or floppy based recovery systems and an extra drive. You should perform recovery to a different filesystem than the one being recovered from, otherwise you risk overwriting some files as you recover others.  Be aware some companies offer demos that identify "lost" files but don't save the files they find.

  • Blackworm (CME 24) - Some Damage, but not as widespread as predicted

    It may also take a couple of days for damage to show up and to collect any meaningful statistics.  Our local news reported that some folks got hit in our metropolitan area of 250,000 residents.  It was reported that one local PC company was charging $100 to repair systems, so this had an impact on home users. 

    So far, in monitoring news sources, the overall damage was less than anticipated.  I've always been an advocate of security awareness, as it's important to know how malicious individuals can attack.  If there were over-exaggerations by the media it was helpful, as folks took extra measures in preparation, updating and backing up their data.

    Below is a cut/paste of Google News headlines, which is good news so far:
     
    GOOGLE NEWS HEADLINES - February 3, 2006

    Weekend Will Tell Kama Sutra Tale
    InformationWeek, NY - 2 hours ago
    Because most still-infected computers belong to home
    users, the real scale of any data loss caused by the
    Kama Sutra worm may not be known until early next week
    ...
     
    All quiet on the Nyxem front
    VNUNet.com, Netherlands - 2 hours ago
    Anti-virus companies are seeing very damage from the
    Nyxem.E worm that was scheduled to start overwriting
    data on infected systems earlier today. ...
     
    Researchers fear confusion on worm name
    Seattle Post Intelligencer - 3 hours ago
    By ANICK JESDANUN. NEW YORK -- Friday's
    file-destroying worm goes by "Mywife" at Microsoft
    Corp. and McAfee Inc., "Blackmal" at Symantec Corp.
    and CA Inc. ...
     
    Experts: 'Hype' May Have Mitigated Worm
    Houston Chronicle, United States - 4 hours ago
    By ANICK JESDANUN AP Internet Writer. — Companies
    and individuals heeded this week's warning _ some may
    call it "hype" _ about ...
     
    Was the Kama Sutra worm overhyped?
    CNET News.com, CA - 4 hours ago
    The Kama Sutra worm, like so many other virus scares,
    reminds us and other bloggers of the Y2K mania, albeit
    on a smaller scale. ...
     
    Worm Attack Fizzles Out
    Red Herring, CA - 4 hours ago
    A computer worm dubbed Kama Sutra and other names
    infected thousands of machines but failed to cause any
    significant loss of data. ...
     
     Kama Sutra worm hits home
    CNN - 9 hours ago
    By Marsha Walton. ATLANTA, Georgia (CNN) -- Many
    computer users around the globe apparently heeded the
    warnings about a worm with ...
     
    Kama Sutra virus causes little damage
    Boston Globe, United States - 9 hours ago
    A man is seen in front of a display of computers in an
    undated file photo. A computer virus that was designed
    to start its malicious ...
     
    Kama Sutra assumes damp squid position
    Inquirer, UK - 9 hours ago
    THE MUCH HYPED Kama Sutra worm tipped to wreak a trail
    of destruction in its wake appears to have instead has
    raised hardly a whimper never mind a scream. ...
     
    Update 4: File-Destroying Worm Causes Little Damage
    Forbes - 10 hours ago
    By ANICK JESDANUN , 02.03.2006, 09:26 AM. A
    file-destroying computer worm set to activate Friday
    caused relatively little damage ...
     
    File-destroying worm causes little damage
    BusinessWeek - 11 hours ago
    FEB. 3 8:43 AM ET A file-destroying computer worm set
    to activate Friday caused relatively little damage
    during the business day ...
     
    Kama Sutra worm threat goes soft
    CNET News.com, CA - 11 hours ago
    The Kama Sutra worm, designed to begin deleting files
    on infected computers this morning, has caused
    virtually no damage, according to antivirus firms. ...

     
    Feared computer worm not so scary in Asia
    CTV.ca, Canada - 11 hours ago
    Computer users on this side of the continent must be
    crossing their fingers as they boot up, but there have
    been no reports of any damage from a malicious worm
    ...
     
    Asia Escapes File-Destroying Worm
    CBS News - 11 hours ago
    (CBS/AP) A computer worm expected to begin corrupting
    files in infected machines around the world Friday
    caused no major damage in the Asian financial centers
    ...
     
    Computer worm doesn't bite in Hong Kong, Tokyo
    USA Today - 11 hours ago
    By Sylvia Hui, Associated Press. HONG KONG — A
    computer worm expected to begin corrupting files in
    infected machines around the ...
     
    Free Removal Tools Released as 'Blackworm' Approaches
    PC Magazine - 12 hours ago
    With the clock ticking on a Feb. 3 D-Day for the
    activation of the destructive 'Blackworm' worm
    payload, anti-virus vendors are ...
     
     'Limited' damage from Nyxem virus
    BBC News, UK - 13 hours ago
    The Windows virus was set to start deleting popular
    file types on 3 February and was known to have
    infected more than 300,000 machines. ...
     
    Kama Sutra virus fizzles in Japan, Hong Kong
    CBC News, Canada - 13 hours ago
    Computer security firms were bracing for a computer
    virus on Friday expected to corrupt files on thousands
    of computers. But early ...
     
    Humanity survives Kama Sutra apocalypse
    Register, UK - 14 hours ago
    Security watchers reckon the Kama Sutra worm, which is
    programed to overwrite files on infected Windows PCs
    today, will have a damaging but not catastrophic ...
     
    File-destroying worm causes no major damage so far in
    Hong Kong ...
    Calgary Sun, Canada - 15 hours ago
    By SYLVIA HUI. HONG KONG (AP) - A computer worm
    expected to begin corrupting files in infected
    machines around the world Friday has ...
     
    Kama Sutra quiet so far
    NEWS.com.au, Australia - 20 hours ago
    AUSTRALIAN IT security professionals have so far
    reported few problems from the so-called Kama Sutra
    worm, which was due to begin overwriting files on
    infected ... 

  • Mozilla Firefox - New 1.5.0.1 release addresses several security issues

       All users should update to the latest version of Mozilla Firefox, as several recently discovered security issues have been addressed by this latest release. 

    http://secunia.com/advisories/18700/ 

    Summary of Security Issues Fixed

    Description:  Multiple vulnerabilities have been reported in Firefox, which can be exploited by malicious people to bypass certain security restrictions, conduct cross-site scripting attacks, potentially disclose sensitive information, and potentially compromise a user's system.

    1) Some errors in the JavaScript engine where certain temporary variables are not properly protected may be exploited to execute arbitrary code via a user-defined method triggering garbage collection.

    2) An error in the dynamic style handling can be exploited to reference freed memory by changing the style of an element from "position:relative" to "position:static".

    3) An error in the "QueryInterface" method of the Location and Navigator objects can be exploited to cause a memory corruption.

    4) An input validation error in the processing of the attribute name when calling "XULDocument.persist()" can be exploited to inject arbitrary XML and JavaScript code in "localstore.rdf", which will be executed with the permissions of the browser the next time the browser starts up again.

    5) Some integer overflows in the E4X, SVG, and Canvas functionalities may be exploited to execute arbitrary code.

    6) A boundary error in the "nsExpatDriver::ParseBuffer()" function in the XML parser may be exploited to disclose data on the heap.

    7) The internal "AnyName" object of the E4X functionality is not properly protected. This can be exploited to create a communication channel between two windows or frames having different domains.

    Solution: 

    Update to version 1.5.0.1.
    http://www.mozilla.com/firefox/

    Additional CVE References

    CVE-2005-4134
    CVE-2006-0292
    CVE-2006-0293
    CVE-2006-0294
    CVE-2006-0295
    CVE-2006-0296
    CVE-2006-0297
    CVE-2006-0298
    CVE-2006-0299

  • New Bagle.DP Variant - "February Price" theme

    While most companies can effectively block this, it may be tough in cases where ZIP attachments are allowed and AV signature files haven't been published yet. The golden rule is to never open attachments.

    New Bagle.DP Variant - "February Price" theme
    http://secunia.com/virus_information/26794/bagle.dp/
    http://vil.nai.com/vil/content/v_138366.htm

    EMAIL FORMAT TO BLOCK OR AVOID

    From: [SPOOFED]

    Subject: price, February price

    Message body: price, February price

    Attachment:
    price.zip
    pricelst.zip
    pricelist.zip
    price_lst.zip
    new_price.zip
    21_price.zip
    February price.zip
    February_price.zip
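
    An added example, not part of the post: a Python mail-gateway rule that applies the format above to a MIME message, generalising the attachment list to any ZIP whose name contains "price" and opening the ZIP to look for an executable member. The messages and ZIP payloads are constructed, not captured samples.

```python
import email
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage

# Indicators from the post, generalised: any ZIP whose name contains "price"
# covers all eight attachment names listed rather than matching them one by one.
SUBJECT_RE = re.compile(r"^\s*price,\s*february\s+price\s*$", re.IGNORECASE)
ATTACHMENT_RE = re.compile(r"price.*\.zip$", re.IGNORECASE)
EXECUTABLE_EXT = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd")


def executable_members(blob):
    """Names of executable files inside a ZIP attachment, or None if it is not a readable ZIP."""
    try:
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            return [n for n in zf.namelist() if n.lower().endswith(EXECUTABLE_EXT)]
    except zipfile.BadZipFile:
        return None


def classify(raw):
    """Return (verdict, reasons) for one raw RFC 822 message: 'block' when the
    price-themed ZIP lure appears together with a second indicator (the subject,
    an executable member, or an unreadable archive), 'review' for a single
    indicator, otherwise 'pass'."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    reasons = []
    if SUBJECT_RE.match(msg.get("Subject", "")):
        reasons.append("subject matches Bagle.DP lure")
    lure_zip = False
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if not ATTACHMENT_RE.search(name):
            continue
        lure_zip = True
        reasons.append("attachment name matches price*.zip")
        members = executable_members(part.get_payload(decode=True))
        if members is None:
            reasons.append("%s is not a readable ZIP" % name)
        elif members:
            reasons.append("%s contains executable: %s" % (name, ", ".join(members)))
    if lure_zip and len(reasons) >= 2:
        return "block", reasons
    return ("review" if reasons else "pass"), reasons


def build_sample(subject, attachment_name, member_name):
    """Constructed message (not a captured sample): spoofed sender, one ZIP attachment."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member_name, b"MZ constructed placeholder, not a real binary")
    msg = EmailMessage()
    msg["From"] = "spoofed@example.invalid"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = subject
    msg.set_content("price, February price")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename=attachment_name)
    return msg.as_bytes()


if __name__ == "__main__":
    print(classify(build_sample("price, February price", "new_price.zip", "price.exe")))
    print(classify(build_sample("Q1 price list", "February_price.zip", "price.xls")))
    print(classify(build_sample("Re: meeting", "agenda.zip", "agenda.doc")))
```
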
  • Unpatched Windows SSDP/UPnP local vulnerability & POC Exploit

    Thankfully, this new vulnerability is not remotely exploitable 

    Microsoft Windows SSDP and UPnP Services Privilege Escalation Issue
    http://www.frsirt.com/english/advisories/2006/0417

    Advisory ID : FrSIRT/ADV-2006-0417
    CVE ID : GENERIC-MAP-NOMATCH
    Rated as : Moderate Risk
    Remotely Exploitable : No
    Locally Exploitable : Yes
    Release Date : 2006-02-02

    EXPLOIT: POC exploit code can be found at FrSIRT

    Technical Description: A vulnerability has been identified in Microsoft Windows, which could be exploited by malicious users to obtain elevated privileges. This flaw is due to an access validation error in the Simple Service Discovery Protocol (SSDP) Discovery and the Universal Plug and Play Device Host (UPnP) services, which fail to properly validate user permissions. This could be exploited by local unprivileged attackers to bypass security restrictions and execute malicious programs with elevated privileges.
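
    This item and the "Windows ACL Privilege Escalation" post earlier in the month describe the same weakness: a broad group holding a right that lets it change a service's configuration. The following is an added example, not from the post or the FrSIRT/Microsoft advisories: a Python audit that parses the SDDL string `sc sdshow <service>` prints and flags allow ACEs granting low-privileged groups such a right. The sample SDDL strings are constructed, not copied from a real XP system.

```python
import re

# Two-letter SDDL access-right codes as sc.exe prints them for service objects.
SERVICE_RIGHTS = {
    "CC": "SERVICE_QUERY_CONFIG", "DC": "SERVICE_CHANGE_CONFIG",
    "LC": "SERVICE_QUERY_STATUS", "SW": "SERVICE_ENUMERATE_DEPENDENTS",
    "RP": "SERVICE_START", "WP": "SERVICE_STOP", "DT": "SERVICE_PAUSE_CONTINUE",
    "LO": "SERVICE_INTERROGATE", "CR": "SERVICE_USER_DEFINED_CONTROL",
    "SD": "DELETE", "RC": "READ_CONTROL", "WD": "WRITE_DAC", "WO": "WRITE_OWNER",
    "GA": "GENERIC_ALL", "GR": "GENERIC_READ", "GW": "GENERIC_WRITE", "GX": "GENERIC_EXECUTE",
}
# Bits of a hex access mask that correspond to the rights we care about.
HEX_BITS = {0x0002: "DC", 0x00040000: "WD", 0x00080000: "WO",
            0x10000000: "GA", 0x40000000: "GW"}
# A caller holding any of these can repoint the service binary (DC) or rewrite
# the DACL/owner to grant itself that right (WD, WO, GA, GW).
DANGEROUS = {"DC", "WD", "WO", "GA", "GW"}
# Well-known SID aliases for broad, low-privileged groups.
LOW_PRIV = {"AU": "Authenticated Users", "BU": "Users", "IU": "Interactive",
            "WD": "Everyone", "AN": "Anonymous", "BG": "Guests"}

ACE_RE = re.compile(r"\(([^)]*)\)")


def rights_from_field(field):
    """Expand the rights field of one ACE into a set of two-letter codes."""
    if field.lower().startswith("0x"):
        mask = int(field, 16)
        return {code for bit, code in HEX_BITS.items() if mask & bit}
    if len(field) % 2:
        raise ValueError("odd-length rights field: %r" % field)
    codes = {field[i:i + 2] for i in range(0, len(field), 2)}
    unknown = codes - set(SERVICE_RIGHTS)
    if unknown:
        raise ValueError("unknown right codes: %s" % sorted(unknown))
    return codes


def parse_dacl(sddl):
    """Return [(ace_type, rights, sid_alias)] for the D: section of an SDDL string."""
    m = re.search(r"D:(.*?)(?:S:|$)", sddl)
    if not m:
        raise ValueError("no DACL (D:) section in SDDL")
    aces = []
    for body in ACE_RE.findall(m.group(1)):
        fields = body.split(";")
        if len(fields) != 6:
            raise ValueError("malformed ACE: (%s)" % body)
        aces.append((fields[0], rights_from_field(fields[2]), fields[5]))
    return aces


def audit_service_sddl(sddl):
    """List (group, [rights]) for allow ACEs that hand a low-privileged group a
    right that lets it change the service's configuration (the 914457 pattern)."""
    findings = []
    for ace_type, rights, sid in parse_dacl(sddl):
        if ace_type != "A" or sid not in LOW_PRIV:
            continue
        bad = sorted(rights & DANGEROUS)
        if bad:
            findings.append((LOW_PRIV[sid], bad))
    return findings


# Constructed samples (not copied from a real system): the first gives Authenticated
# Users the DC right, as the advisory describes for SSDP/UPnP on pre-SP2 XP; the
# second is the usual hardened shape with AU limited to query/interrogate rights.
WEAK_SDDL = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
             "(A;;CCDCLCSWRPWPDTLOCRRC;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;PU)")
HARDENED_SDDL = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
                 "(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;PU)"
                 "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)")

if __name__ == "__main__":
    for name, sddl in (("weak", WEAK_SDDL), ("hardened", HARDENED_SDDL)):
        print(name, audit_service_sddl(sddl) or "no low-privileged config-change rights")
```

    The same check applies to any service: pipe the output of `sc sdshow <name>` into `audit_service_sddl` and anything it returns is a candidate for the `sc sdset` correction the Microsoft advisory describes.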
