Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Exploits-HackingTools
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

[NT] Zango Adware - Insecure Auto-Update and File Execution

from [SecuriTeam] Network Security [Permanent Link]
Subject: [NT] Zango Adware - Insecure Auto-Update and File Execution
Date: 14 May 2006 19:09:55 +0200 
The following security advisory is sent to the securiteam mailing list, and can 
be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html 

- - - - - - - - -



  Zango Adware - Insecure Auto-Update and File Execution
------------------------------------------------------------------------


SUMMARY

" <http://www.zangocash.com/faq/> ZangoCash (formerly LOUDcash) is 
recognized around the world as one of the best pay-per-install affiliate 
programs on the Internet."

Zango Adware does not authenticate in any way the automatic updates it 
pulls. This allows an attacker to inject malicious code.

DETAILS

After the acknowledgment of an License Agreement, during Startup, the 
bundled EXE contacts several servers and downloads the required Adware 
components. The downloaded components are not checked for integrity or 
authenticity and are executed as soon as they are downloaded.

The following procedures are exploitable :
 * Initial Install
 * Auto-Update function

The condition is exploitable in the following scenarios:
1. You have legitimate control over the DNS server
2. You have compromised a DNS server
3. You forge a cache poisoning attack against a vulnerable DNS server
4. You have access to the machine and change the HOST file

Redirecting the hostname "static.zangocash.com" to an IP address under 
your Control and creating the respective V-host allows you to install any 
type of executable on the machine where zango is being installed or 
currently is installed, in other words: You could potentially compromise 
an internal network of a company if Zango is installed on workstations (or 
servers - this was also observed by the author) and one of the 4 
aforementioned conditions are met.

Especially the auto update function is a problem, imagine a DNS server not 
a split setup) is compromised or cache-poisoned, every workstation with 
Zango installed inside the company can be immediately compromised as the 
Workstation tries to automatically download an update of Zango and fails 
to realize that instead of Zango it downloads and executes a 
Rootkit/Backdoor/"put anything here".


Vendor Response:
Vendor contact : 01/02/2006
Vendor Response : 05/02/2006

No official statement, first I was asked to remove the web page, then I 
was allowed to keep it online, I was not given permission to disclose the 
conversations that took place. I will respect the rights of 0180 
Solutions.


ADDITIONAL INFORMATION

The information has been provided by  <mailto:Thierry@zoller.lu> Thierry 
Zoller.
The original article can be found at:  
<http://secdev.zoller.lu/research/zango.htm> 
http://secdev.zoller.lu/research/zango.htm



======================================== 


This bulletin is sent to members of the SecuriTeam mailing list. 
To unsubscribe from the list, send mail with an empty subject line and body to: 
list-unsubscribe@securiteam.com 
In order to subscribe to the mailing list, simply forward this email to: 
list-subscribe@securiteam.com 


==================== 
==================== 

DISCLAIMER: 
The information in this bulletin is provided "AS IS" without warranty of any 
kind. 
In no event shall we be liable for any damages whatsoever including direct, 
indirect, incidental, consequential, loss of business profits or special 
damages.
[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
  • [NT] Zango Adware - Insecure Auto-Update and File Execution, SecuriTeam <=
Previous by Date:  [NT] Where Is It unacev2.dll Buffer Overflow, SecuriTeam
Next by Date:  [NT] UltimateZip unacev2.dll Buffer Overflow, SecuriTeam
Previous by Thread:  [NT] Where Is It unacev2.dll Buffer Overflow, SecuriTeam
Next by Thread:  [NT] UltimateZip unacev2.dll Buffer Overflow, SecuriTeam
Indexes:  [Date] [Thread] [Top] [All Lists]