Hi,

I don't think this is a vulnerability.
If this is a vulnerability, Makefile is also a vulnerability.
Do you think so?

Regards

2008/12/8 <xhakerman2006@xxxxxxxxx>
>
> ------------------------------------------------------------------
> vulnerability discovered by DATA_SNIPER.
> bug discovered in 25/11/2008.
> infected version: All Version
> greetz go to: www.at4re.com (Arab Team 4 Reverse Engineering), arab4services.net
> Critical: Highly critical
> Impact: Command Execution
> ------------------------------------------------------------------
> this is little POC that can execute arbitrary command in victim machine.
> in unexpected way the attacker can put in the project file ".rap file" command instead of the linker path or Macro Assembler "ML.exe" path.
> project file look like this.
> " some data has been cut for making it readable"
> -------------------------------------
> project file structure
> [Project]
> Assembler=masm
> Type=Win32 App
> ......datat
> [Files]
> 1=file.Asm
> .....data
> [MakeFiles]
> 5=CRC Check.exe
> [MakeDef]
> Menu=1,1,1,1,1,1,1,1,0,0,0,0,0,0,0,0
> 1=4,O,$B\RC.EXE /v,1 <==Command Execution by replacing the original file path with the command
> 2=3,O,$B\ML.EXE /c /coff /Cp /nologo /I"$I",2 <==Command Execution by replacing the original file path with the command
> 3=5,O,$B\LINK.EXE /SUBSYSTEM:WINDOWS /RELEASE /VERSION:4.0 /LIBPATH:"$L" /OUT:"$5",3,4 <==Command Execution by replacing the original file path with the command
> 4=0,0,,5
> 5=rsrc.obj,O,$B\CVTRES.EXE,rsrc.res <==Command Execution by replacing the original file path with the command
> 7=0,0,"$E\OllyDbg",5
> 6=*.obj,O,$B\ML.EXE /c /coff /Cp /nologo /I"$I",*.asm
> 11=4,O,$B\RC.EXE /v,1 <==Command Execution by replacing the original file path with the command
> 12=3,O,$B\ML.EXE /c /coff /Cp /Zi /nologo /I"$I",2 <==Command Execution by replacing the original file path with the command
> 13=5,O,$B\LINK.EXE /SUBSYSTEM:WINDOWS /DEBUG /VERSION:4.0 /LIBPATH:"$L" /OUT:"$5",3,4 <==Command Execution by replacing the original file path with the command
> data.....
> [Resource]
> data.....and more data.
> ----------------------------------------------------------------------
> as you see " <==Command Execution by replacing the original file name with the command" this means that type of data in the project it's exploited as command execution by malicious people.
> and when the user tries to compile the project will face the issue of executing bad command in his operating system.
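
An added example, not part of either message above: a Python check that lists `[MakeDef]` steps whose program is not one of the tools in the quoted project file, for reviewing a `.rap` file from an untrusted source before building it. The allowlist and the field layout (third comma-separated field is the command) are assumptions taken from that sample, and the altered step 2 is constructed.

```python
# Assumed allowlist: the programs named in the project file quoted above.
ALLOWED_TOOLS = {r"$b\rc.exe", r"$b\ml.exe", r"$b\link.exe", r"$b\cvtres.exe", r"$e\ollydbg"}

def first_token(command):
    """Return the program part of a command line, honouring a leading quote."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    return command.split(None, 1)[0] if command else ""

def audit_makedef(text):
    """Return (step, command) pairs in [MakeDef] whose program is not allowlisted."""
    findings, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        key, sep, value = line.partition("=")
        if section != "makedef" or not sep or not key.strip().isdigit():
            continue                      # skips Menu= and every other section
        fields = value.split(",", 3)      # assumed layout: out,flag,command,inputs
        if len(fields) < 3 or not fields[2].strip():
            continue                      # steps such as "4=0,0,,5" run nothing
        if first_token(fields[2]).lower() not in ALLOWED_TOOLS:
            findings.append((key.strip(), fields[2].strip()))
    return findings

# Constructed sample: entries from the quoted file, with step 2 altered.
SAMPLE = r'''[Project]
Assembler=masm
[MakeDef]
Menu=1,1,1,1,1,1,1,1,0,0,0,0,0,0,0,0
1=4,O,$B\RC.EXE /v,1
2=3,O,cmd.exe /c echo constructed-example,2
3=5,O,$B\LINK.EXE /SUBSYSTEM:WINDOWS /RELEASE /VERSION:4.0 /LIBPATH:"$L" /OUT:"$5",3,4
4=0,0,,5
5=rsrc.obj,O,$B\CVTRES.EXE,rsrc.res
7=0,0,"$E\OllyDbg",5
'''

if __name__ == "__main__":
    for step, cmd in audit_makedef(SAMPLE):
        print(f"[MakeDef] {step}: unexpected program -> {cmd}")
```

The check covers only the program named in each step; an allowlisted tool given unexpected arguments is not flagged.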