Full Disclosure mailing list archives
Acunetix WVS 5 improper file path handling (EoP)
From: <edi.strosar () varnostne-novice com>
Date: Mon, 25 Jun 2007 20:35:58 -0400
========================================================================= TeamIntell Security Advisory TISA2007-02-Public ------------------------------------------------------------------------- Acunetix WVS 5 improper file path handling ========================================================================= Release date: 25.06.2007 Severity: Moderately critical Impact: Privilege escalation Status: Official patch available Software: Acunetix WVS 5 Acunetix WVS 4 Tested on: Microsoft Windows 2000 SP4 Microsoft Windows XP SP2 Vendor: http://www.acunetix.com/ Disclosed by: Edi Strosar (TeamIntell) -------- Summary -------- The way Microsoft Windows handles filenames is well known and documented [1]. In situations where the path to executable contains white space and is not enclosed in quotation marks, it is possible to execute alternate application. This attack is commonly referred to as the "Program.exe trick". --------- Analysis --------- Acunetix Web Vulnerability Scanner (WVS) is an automated web application security testing tool. Acunetix WVS 4 and WVS 5 do not properly handle file names containing white spaces creating a condition where an attacker might be able to install arbitrary code as a file %SystemDrive%\program.exe. The arbitrary code would generally be executed under the privileges of the executing user but could also be launched with elevated privileges. Acunetix WVS Scheduler Service (WvSScheduler.exe) is executed in LocalSystem context and thus the vulnerable code will be executed in privileged LocalSystem context. ----------- Limitation ----------- 1.) Default permissions on Windows XP Professional prevent least-privileged users write access to %SystemDrive% and thus this attack must involve some form of social engineering or need to be combined with another attack to first get the arbitrary code installed in the correct location. 2.) Windows xP will alert user about "File name warning" while executing %SystemDrive%\program.exe. Attacker might circumvent this warning by setting registry key "HKCU\Software\Microsoft\Windows\CurrentVersion \Explorer\DontShowMeThisDialogAgain" value name "RogueProgramName" value data "NO". In any case, local services are executed before user registry keys, meaning that program.exe would be already executed when the warning appears. ----------------- Proof of concept ----------------- - copy program.exe to %SystemDrive% - restart the computer - login as least-privileged user - use whoami.exe [2] and enumerate user privileges Tested on Windows XP Professional sP2 and Windows 2000 Professional SP4. Download link: http://www.teamintell.com/advisories/TISA2007-02-Public.zip --------- Solution --------- Vendor has released Acunetix WVS Build v5.0.70621 which fixes this issue. ----------- References ----------- [1] http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dllproc/base/createprocessasuser.asp [2] http://www.microsoft.com/downloads/details.aspx?familyid=49ae8576-9bb9-4126-9761-ba8011fabf38&displaylang=en -------- Contact -------- Maldin d.o.o. Trzaska cesta 2 1000 Ljubljana - SI tel: +386 (0)590 70 170 fax: +386 (0)590 70 177 gsm: +386 (0)31 816 400 web: www.teamintell.com e-mail: info () teamintell com ----------- Disclaimer ----------- The content of this report is purely informational and meant for educational purposes only. Maldin d.o.o. shall in no event be liable for any damage whatsoever, direct or implied, arising from use or spread of this information. Any use of information in this advisory is entirely at user's own risk. _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Acunetix WVS 5 improper file path handling (EoP) edi.strosar (Jun 25)