MWR InfoSecurity Advisory. Interwoven Worksite ActiveX Control Remote Code Execution. 10 th March 2008. Contents



Similar documents
MWR InfoSecurity Security Advisory. Symantec s Altiris Deployment Solution File Transfer Race Condition. 7 th January 2010

MWR InfoSecurity Security Advisory. BT Home Hub SSID Script Injection Vulnerability. 10 th May Contents

MWR InfoSecurity Security Advisory. pfsense DHCP Script Injection Vulnerability. 25 th July Contents

風 水. Heap Feng Shui in JavaScript. Alexander Sotirov.

Bypassing Memory Protections: The Future of Exploitation

Pre-Requisites: PC and Browser Configuration Guide v1.3

1. Introduction. 2. Web Application. 3. Components. 4. Common Vulnerabilities. 5. Improving security in Web applications

System Manager Installation Guide

Using Windows Update for Windows 95/98

Custom Penetration Testing

Date: 9/19/2013 Windows Server 2003 EndoWorks 7 Windows Updates Description Tested Pass/Fail Date

Remote Terminal Service (RTS) User Guide (Version 2.1)

Recommended Practice Case Study: Cross-Site Scripting. February 2007

Remote Access to Niagara Wheatfield s Computer Network

Quarantine Network for Specialised Equipment.

Using Windows Update for Windows XP

Citect and Microsoft Windows XP Service Pack 2

Software Vulnerability Exploitation Trends. Exploring the impact of software mitigations on patterns of vulnerability exploitation

Using Windows Update for Windows Me

Penetration Test Report

Microsoft Security Bulletin MS Important

Unix Security Technologies. Pete Markowsky <peterm[at] ccs.neu.edu>

Firefox, Opera, Safari for Windows BMP file handling information leak. September Discovered by: Mateusz j00ru Jurczyk, Hispasec Labs

Be Prepared for Java Zero-day Attacks

Software security. Buffer overflow attacks SQL injections. Lecture 11 EIT060 Computer Security

Accessing the Mercy Remote Access Portal (SSL VPN)

APPLETS AND NETWORK SECURITY: A MANAGEMENT OVERVIEW

NNT CIS Microsoft SQL Server 2008R2 Database Engine Level 1 Benchmark Report 0514a

The Leader in Cloud Security SECURITY ADVISORY

WEB ATTACKS AND COUNTERMEASURES

The evolvement of the Threat Landscape. Viktor Ziegler, Account Manager Germany & Eastern Europe March 2014

IOActive Security Advisory

Windows Phone 7 Internals and Exploitability

Web Application Threats and Vulnerabilities Web Server Hacking and Web Application Vulnerability

WebView addjavascriptinterface Remote Code Execution 23/09/2013

Practical Exploitation Using A Malicious Service Set Identifier (SSID)

============================================================= =============================================================

User Guide Microsoft Exchange Remote Test Instructions

HP Client Automation Standard Fast Track guide

Date: 08/18/2015 Windows 2008R2 SP1 EndoWorks 7.4 Windows Updates Description Tested Pass/Fail Date

Information Services. Accessing the University Network using a Virtual Private Network Connection (VPN), with Windows XP Professional

Introduction to Computer Security

Defense in Depth: Protecting Against Zero-Day Attacks

What is Web Security? Motivation

Hotpatching and the Rise of Third-Party Patches

Integrated Network Vulnerability Scanning & Penetration Testing SAINTcorporation.com

Accessing your Staff (N and O drive) files from off campus

UserLock vs Microsoft CConnect

HTC Windows Phone 7 Arbitrary Read/Write of Kernel Memory 10/11/2011

Faking Extended Validation SSL Certificates in Internet Explorer 7

2. Installing GFI LANguard Network Security Scanner

Acunetix Website Audit. 5 November, Developer Report. Generated by Acunetix WVS Reporter (v8.0 Build )

REMOTE ACCESS SERVICE SUPPORT. ICR User Support Guide

Web Application Report

RSA SecurID Ready Implementation Guide

Connecting to securevirtual Workspace

Charter Business Desktop Security Administrator's Guide

Tracking Anti-Malware Protection 2015

Intellex Platform Security Update Process. Microsoft Security Updates. Version 06-10

Bypassing Browser Memory Protections in Windows Vista

PC Requirements and Technical Help. Q1. How do I clear the browser s cache?

Virtualization System Security

Release Notes for Websense Security v7.2

Networks and Security Lab. Network Forensics

ANNEXURE-1 TO THE TENDER ENQUIRY NO.: DPS/AMPU/MIC/1896. Network Security Software Nessus- Technical Details

Como configurar o IIS Server para ACTi NVR Enterprise

Jordan University of Science and Technology

Common Cybersecurity Vulnerabilities in Industrial Control Systems. May 2011

Remote Access Using The New York Eye & Ear Infirmary of Mount Sinai Secure Web VPN

Skeletons in Microsoft s Closet - Silently Fixed Vulnerabilities. Andre Protas Steve Manzuik

AN OVERVIEW OF VULNERABILITY SCANNERS

Remote Deposit Capture Installation Guide

3. Broken Account and Session Management. 4. Cross-Site Scripting (XSS) Flaws. Web browsers execute code sent from websites. Account Management

Web UTAS. Common problems and solutions. Common problems with Java settings. Ensuring that you have the correct Java settings in place

How to Use Remote Access Using Internet Explorer

Federated Identity Service Certificate Download Requirements

TECHNICAL NOTE. The following information is provided as a service to our users, customers, and distributors.

Outlook Anywhere Local Client Setup Instructions

Intellex Platform Security Update Process. Microsoft Security Updates. Version 11-12

Xopero Centrally managed backup solution. User Manual

Nessus scanning on Windows Domain

Common Security Vulnerabilities in Online Payment Systems

Security Research Advisory IBM inotes 9 Active Content Filtering Bypass

To install Multifront you need to have familiarity with Internet Information Services (IIS), Microsoft.NET Framework and SQL Server 2008.

Maximizing Performance on Cognos, Workflow, and BDMS

Detecting and Exploiting XSS with Xenotix XSS Exploit Framework

Background (

Network Threats and Vulnerabilities. Ed Crowley

Remote Desktop access via Faculty Terminal Server Using Internet Explorer (versions 5.x-7.x)

Lectures 9 Advanced Operating Systems Fundamental Security. Computer Systems Administration TE2003

Security Implications of Windows Access Tokens A Penetration Tester s Guide. Luke Jennings. 14 th April MWR InfoSecurity Page 1 of 29

Step-by-Step Guide to Securing Windows XP Professional with Service Pack 2 in Small and Medium Businesses

How To Set Up A Macintosh With A Cds And Cds On A Pc Or Macbook With A Domain Name On A Macbook (For A Pc) For A Domain Account (For An Ipad) For Free

Streamlining Web and Security

Click to begin. Maitre'D Full System Backup & Restore

Patching the Windows 2000 Server Operating System on S8100 Media Servers, IP600 Communications Servers, & DEFNITY ONE Communications Systems

Microsoft Security Bulletin MS Critical

Securing your Virtual Datacenter. Part 1: Preventing, Mitigating Privilege Escalation

Setting Up a Windows Virtual Machine for SANS FOR526

Centralized Auditing in Windows Derek Melber

Transcription:

Contents MWR InfoSecurity Advisory Interwoven Worksite ActiveX Control Remote Code Execution 10 th March 2008 2008-03-10 Page 1 of 9

Contents Contents 1 Detailed Vulnerability Description...5 1.1 Introduction...5 1.2 Technical Background...5 1.3 Vulnerability Details...5 1.4 Vulnerability Impact...6 1.5 Exploit Information...6 1.6 Dependencies...7 2 Recommendations...8 3 Further Information...8 2008-03-10 Page 2 of 9

Interwoven WorkSite ActiveX Control Remote Code Execution Interwoven WorkSite ActiveX Control Remote Code Execution Package Name: Interwoven Worksite Date: 7 th November 2007 Affected Versions: Web TransferCtrl Class 8,2,1,4 (within imanfile.cab) CLSID:4BECECDE-E494-4f69-A3DE-DA0B77726307 CVE Reference CVE-2008-1617 Author J Fitzpatrick Severity High Risk Local/Remote Remote Vulnerability Class Remote Code execution Vendor Response Interwoven have addressed this in their latest service pack. Exploit Details Yes (although exploit code has been omitted) Included Versions Affected Web TransferCtrl Class 8,2,1,4 CLSID:4BECECDE-E494-4f69-A3DE-DA0B77726307 Affected OS All supported Operating Systems Timeline: Vulnerability Reported 2007-11-07 to vendor Vendor Patch Released 2008-01-29 Advisory Released 2008-03-10 Overview: Worksite is a document management and email management solution from Interwoven Inc (Interwoven). Some of the functionality of the application is made available through ActiveX controls which are distributed within the imanfile.cab file. The ActiveX controls were found to be unsafe and permit code to be executed remotely by an attacker who is able to direct a user to a website containing exploit code. Impact: The most serious of these vulnerabilities could enable an attacker to execute arbitrary code on a user s computer remotely. This code would be executed with the permissions of the user logged into the system. However, other vulnerabilities are present. For more information refer to the Additional Vulnerability information section. Cause: 2008-03-10 Page 3 of 9

Interwoven WorkSite ActiveX Control Remote Code Execution The remote code execution arises due to the ActiveX control incorrectly maintaining a reference to a JavaScript variable. This results in a double free, which can be exploited in order to execute arbitrary code. Solution: Interwoven have incorporated a fix for these issues into their latest service pack. Further information can be found in section 2. Additional Vulnerability information: A DOS vulnerability was also been identified within the control with the CLSID as follows: C209367E-F2F1-497f-B990-08761195DAF1 This was found to be vulnerable to a DOS through resource consumption. The SendNrlLink opens an email composition window which can easily be called multiple times resulting in all available resources being consumed. 2008-03-10 Page 4 of 9

Detailed Vulnerability Description 1 Detailed Vulnerability Description 1.1 Introduction Interwoven WorkSite provides a platform that supports geographically dispersed teams with project pages where they can create content, collaborate, and coordinate business-critical activities. Source: http://www.interwoven.com/components/page.jsp?topic=worksite::profserv Worksite provides web capabilities, integrates with Microsoft Office applications, and provides email management and other facilities providing a comprehensive collaborative platform. The vulnerabilities identified within this report were identified through use of the web interface only. 1.2 Technical Background Some aspects of WorkSite require an ActiveX control to be installed in the user s web browser. On using the applications web capabilities the user is prompted to install a control which increases functionality. This is distributed within the file imanfile.cab. The CSLIDs of the vulnerable control is listed here: 4BECECDE-E494-4f69-A3DE-DA0B77726307 Against Microsoft s guidance on designing secure ActiveX controls 1 these have been registered as safe for scripting and so are accessible by any website visited by a user with the control installed. These vulnerabilities could therefore be exploited by any website posing a very high risk to any users of the WorkSite application. 1.3 Vulnerability Details This control incorrectly uses a JavaScript variable rather than creating its own copy which later results in a double free which could be exploited. The vulnerability was found to be present in the ActiveX objects Server method which can be called with the following JavaScript: <object id='target' classid="clsid:4bececde-e494-4f69-a3de-da0b77726307"></object> <script> var obj = document.getelementbyid('target'); obj.server = value ; </script> In order to exploit this vulnerability heap spraying could be used in order to gain some control over the heap into which shellcode can then be placed. The unlink operation which 1 http://msdn2.microsoft.com/en-us/library/aa752035.aspx 2008-03-10 Page 5 of 9

Detailed Vulnerability Description occurs on a call to free() could then be exploited in order to gain a four byte write and used to overwrite the return address directing the path of execution to the shellcode. 1.4 Vulnerability Impact The successful exploitation of this vulnerability would result in remote code execution or a denial of service condition for the user. In the worst case an attacker could exploit this vulnerability in order to take full control of a user s computer through exploiting this vulnerability. 1.5 Exploit Information The exploit developed by MWR InfoSecurity uses heap spraying in order to gain some control over the heap and then manipulates the unlinking operation which occurs when memory is freed in order to direct the path of execution to our shellcode. By filling up the heap with data we eventually reach some valid memory where our shellcode can sit and execute. We perform this action in the JavaScript below by filling the heap with data and then filling the higher memory with our shellcode and a nop sled in order to increase chances of hitting the shellcode. A sample of the code to do this is given here:- var ar = new Array(); function spray() { while(data.length<100000) data+=data; for(var x=0; x<512; x++) ar.push(data+"x") CollectGarbage(); while(nop.length<99900) nop+=nop; for(var x=0; x<150; x++) ar.push(nop+shellcode) CollectGarbage(); } spray(); The next step is to actually exploit the double free. To do this we need to allocate the memory on the heap. A cache of freed memory is maintained and allocations will come from here in the first instance. In order to maintain control over the memory allocations it is important that the allocations are made on the heap and not from the cache of freed memory. A technique for achieving this can be found in Alexander Sotirov s paper entitled Heap Feng Shui in JavaScript. Also it is important that we don t simply allocate a new string literal as this does not create a copy of the string. Concatenation ensures that strings are allocated on the heap:- var str1=str+s; The affected method within this ActiveX control is the Server method. str1=str+s; obj.server=str1; str1=obj.server; str1=0; 2008-03-10 Page 6 of 9

Detailed Vulnerability Description We set this to one of the strings and obj.server now maintains a reference to some memory containing our data. By then assigning str1 the value 0 the location in memory holding the data str1 originally referenced becomes freed however obj.server still maintains its reference to this memory. In order to exploit the double free we first create two strings allocated side by side on the heap and give the ActiveX control a reference to them through the Server method. Next we free these objects from memory; however, the ActiveX control continues to maintain a reference to these now free memory locations. Next we need to write our own data to these memory locations which have just been freed but are still referenced by the ActiveX object. By making a new heap allocation we can get an allocation at these addresses and so place data in memory on top of the previous first allocation and such that it overwrites the control structure of the second allocation. Now when the ActiveX object looses its reference to the already freed string it gets freed a second time. However, in this second free the data in the control structure for this memory has been overwritten allowing us to manipulate the unlinking process and obtain a 4 byte write. Using this 4 byte write we can direct the path of execution towards our shell code. Using this technique MWR InfoSecurity have constructed working proof of concept code for this vulnerability. However, the code will not be released into the public domain at present. The decision to release such code in the future will be taken based on MWR InfoSecurity s obligations to protect its customers and Critical National Infrastructure (CNI) whilst also enabling the security community to accurately assess the vulnerability of systems running the software. 1.6 Dependencies In order for an attacker to exploit these vulnerabilities they must direct a user to a website containing malicious code, this could be done through a phishing link, XSS or other means. 2008-03-10 Page 7 of 9

Recommendations 2 Recommendations Interwoven have addressed this issue in their latest Service Pack: WorkSite Web 8.2 SP1 P2 This is available through the Interwoven support site located at: http://worksitesupport.interwoven.com Additional Information It should be noted that this vulnerability affects an ActiveX control which is installed on an end user s PC when using the Worksite application rather than the servers hosting the application. As a result, any system with this control installed is vulnerable whether or not WorkSite is being used at the time. It is therefore important that the appropriate vendor supplied patches are applied to all PCs which may have this control installed. If access to WorkSite support is not available in order to apply these updates then it is strongly recommended that this control is removed. On a test system running windows XP with Internet Explorer 6.x. the affected control was located in the C:\WINDOWS\Downloaded Program Files directory with the CLSID {9F51E426-6EED- 11D3-80B8-00C04F610DBB}. It was possible to remove the control right clicking and selecting remove. 3 Further Information Further information on removing ActiveX controls can be found at the following location:- http://support.microsoft.com/kb/154850 Further information on designing secure ActiveX controls can be found at the following location:- http://msdn2.microsoft.com/en-us/library/aa752035.aspx 2008-03-10 Page 8 of 9

Interwoven WorkSite ActiveX MWR Control InfoSecurity Remote Code Execution St. Clement House 1-3 Alencon Link Basingstoke, RG21 7SB Tel: +44 (0)1256 300920 Fax: +44 (0)1256 844083 mwrinfosecurity.com 2008-03-10 Page 9 of 9

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information