Re: gDoc Fusion version 2.5.1 <= Insecure DLL Hijacking Vulnerability (wintab32.dll, ssleay32.dll)

[Zach C <fxchip () gmail com>]

tl;dr everything is vulnerable to dll hijacking zomg we are all going to be pwned.

Ye gods these are irritating. I suppose I should filter them but damn.

On Sep 12, 2010, at 3:53 PM, YGN Ethical Hacker Group <lists () yehg net> wrote:

> 1. OVERVIEW
>
> The gDoc Fusion application is vulnerable to Insecure DLL Hijacking
> Vulnerability. Similar terms that describe this vulnerability have
> been come up with Remote Binary Planting, and Insecure DLL
> Loading/Injection/Hijacking/Preloading.
>
>
> 2. PRODUCT DESCRIPTION
>
> gDoc Fusion makes it simple and quick to compile a single document
> from multiple different PC files. Just drag the
> documents--presentations, spreadsheets, written documents, images,
> PDF, and more than 200 other file types--into Fusion; flip through
> them quickly with FlickView browser; pick the pages you want and
> arrange them in any order you like; if you wish, add comments, make
> small text edits, or redact information; and Save the finished
> documents in either Word or PDF format. You don't have to do any
> formatting or conversion--gDoc Fusion handles it all for you. Also
> includes free ultilty for multi-format document viewing and PDF
> creation.
>
>
> 3. VULNERABILITY DESCRIPTION
>
> The gDoc Fusion application passes an insufficiently qualified path in
> loading its external libraries -
> "wintab32.dll, ssleay32.dll" when a user opens its associated file
> with extensions - dwfx, jtx, pdf, xps .
>
>
> 4. VERSIONS AFFECTED
>
> 2.5.1 and probably lower versions
>
>
> 5. PROOF-OF-CONCEPT/EXPLOIT
>
> http://core.yehg.net/lab/pr0js/advisories/dll_hijacking/gdocfusion/poc/movie/gdocfusion_2.5.1-dll-hijacking.mp4
> http://core.yehg.net/lab/pr0js/advisories/dll_hijacking/gdocfusion/poc/gdocfusion_2.5.1-dll-hijacking-poc.zip
>
> Tested Platform: Windows XP Service Pack 3 (Fresh Windows)
>
>
> 6. IMPACT
>
> Attackers can trigger a successful exploit against a victim user in a
> number of ways such as placing a malicious external
> library file made as hidden attribute and a seemingly interesting file
> in network shares, usb drives, file sharing networks,
> social networks, ..etc    
>
>
> 7. SOLUTION
>
> Fixed version from the vendor has not been released yet.
> However, it is suggested that the following workarounds be deployed by
> users to protect increasing mass exploitation of this
> vulnerability class:
> - Disable loading of libraries from WebDAV and remote network shares
> - Disable the WebClient service
> Please see workaround solution links in References section.
>
>
> 8. VENDOR
>
> Global Graphics Software Ltd.
> http://www.globalgraphics.com/en/gdoc/gdoc-fusion
>
>
> 9. CREDIT
>
> This vulnerability was discovered by Aung Khant, http://yehg.net, YGN
> Ethical Hacker Group, Myanmar.
>
>
> 10. DISCLOSURE TIME-LINE
>
> 09-13-2010: notified vendor
> 09-13-2010: vulnerability disclosed
>
>
> 11. REFERENCES
>
> Original Advisory URL:
> http://core.yehg.net/lab/pr0js/advisories/dll_hijacking/[gdocfusion]_2.5.1_insecure_dll_hijacking
> Workaround Solution: http://support.microsoft.com/kb/2264107
> Workaround Solution:
> https://www.microsoft.com/technet/security/advisory/2269637.mspx#EGF
> Developer Solution:
> http://msdn.microsoft.com/en-us/library/ff919712%28v=VS.85%29.aspx
> Unofficial DLL Hijacking List:
> http://www.corelan.be:8800/index.php/2010/08/25/dll-hijacking-kb-2269637-the-unofficial-list/
> Testing for DLL Hijacking:
> http://core.yehg.net/lab/pr0js/view.php/when_testing_for_dll_hijacking.txt
>
> #yehg [09-13-2010]
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/