
Re: RadAsm <=2.2.1.5 Local Command Execution



Hi,
    I don't think this is a vulnerability. If this is a vulnerability,
Makefile is also a vulnerability. Do you think so?
   Regards


2008/12/8 <xhakerman2006@xxxxxxxxx>
>
> ------------------------------------------------------------------
> Vulnerability discovered by DATA_SNIPER.
> Bug discovered on 25/11/2008.
> Infected version: All versions
> Greetz go to: www.at4re.com (Arab Team 4 Reverse Engineering), arab4services.net
> Critical: Highly critical
> Impact: Command Execution
> ------------------------------------------------------------------
> This is a little PoC that can execute arbitrary commands on the victim's machine.
> In an unexpected way, the attacker can put a command in the project file (".rap" file)
> instead of the linker path or the Macro Assembler "ML.exe" path.
> The project file looks like this
> (some data has been cut to make it readable):
> -------------------------------------
> project file structure
> [Project]
> Assembler=masm
> Type=Win32 App
> ......data
> [Files]
> 1=file.Asm
> .....data
> [MakeFiles]
> 5=CRC Check.exe
> [MakeDef]
> Menu=1,1,1,1,1,1,1,1,0,0,0,0,0,0,0,0
> 1=4,O,$B\RC.EXE /v,1 <==Command Execution by replacing the original file path with the command
> 2=3,O,$B\ML.EXE /c /coff /Cp /nologo /I"$I",2 <==Command Execution by replacing the original file path with the command
> 3=5,O,$B\LINK.EXE /SUBSYSTEM:WINDOWS /RELEASE /VERSION:4.0 /LIBPATH:"$L" /OUT:"$5",3,4 <==Command Execution by replacing the original file path with the command
> 4=0,0,,5
> 5=rsrc.obj,O,$B\CVTRES.EXE,rsrc.res <==Command Execution by replacing the original file path with the command
> 7=0,0,"$E\OllyDbg",5
> 6=*.obj,O,$B\ML.EXE /c /coff /Cp /nologo /I"$I",*.asm
> 11=4,O,$B\RC.EXE /v,1 <==Command Execution by replacing the original file path with the command
> 12=3,O,$B\ML.EXE /c /coff /Cp /Zi /nologo /I"$I",2 <==Command Execution by replacing the original file path with the command
> 13=5,O,$B\LINK.EXE /SUBSYSTEM:WINDOWS /DEBUG /VERSION:4.0 /LIBPATH:"$L" /OUT:"$5",3,4 <==Command Execution by replacing the original file path with the command
> data.....
> [Resource]
> data.....and more data.
> ----------------------------------------------------------------------
> As you see, "<==Command Execution by replacing the original file name with the
> command" means that this type of data in the project can be exploited for
> command execution by malicious people,
> and when the user tries to compile the project, he will face the issue of a
> bad command executing on his operating system.
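As an added example (not part of the original advisory and not RadAsm's own code), here is a small Python check a user could run over a .rap file received from someone else before opening it: it reads the [MakeDef] section and reports numbered build rows whose program is not one of the expected toolchain binaries under the $B/$E macros, or whose command line carries shell metacharacters. The row layout (comma-separated fields with the command in the third field), the tool allowlist, the macro prefixes and the sample .rap text are all assumptions taken from the advisory's quoted sample; commas inside a command are not handled.

```python
import re
# Tools a stock RadAsm MASM project runs, taken from the [MakeDef] lines
# quoted above; anything else is reported before the project is built.
EXPECTED_TOOLS = {"RC.EXE", "ML.EXE", "LINK.EXE", "CVTRES.EXE", "OLLYDBG"}
# Macros RadAsm expands to its own bin ($B) and external-tool ($E) folders.
TRUSTED_PREFIXES = ("$B\\", "$E\\")
SHELL_META = re.compile(r"[&|<>^]")

def makedef_entries(rap_text):
    """Yield (key, value) from the INI-style [MakeDef] section, skipping
    lines that are not key=value (the advisory's '....data' lines)."""
    section = None
    for line in rap_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif section == "MakeDef" and "=" in line:
            key, value = line.split("=", 1)
            yield key.strip(), value.strip()

def check_makedef(rap_text):
    """Return (entry, reason) for each numbered [MakeDef] row whose program
    is not an expected tool under $B/$E or whose command has shell metachars.
    Assumed layout: comma-separated fields, command in the third field."""
    findings = []
    for key, value in makedef_entries(rap_text):
        fields = value.split(",")
        if not key.isdigit() or len(fields) < 3 or not fields[2].strip():
            continue  # "Menu=..." rows and "4=0,0,,5"-style rows run nothing
        command = fields[2].strip()
        # Program is either a quoted path ("$E\OllyDbg") or the first word.
        prog = command.split('"')[1] if command.startswith('"') else command.split(" ", 1)[0]
        name = prog.rsplit("\\", 1)[-1].upper()
        if not prog.startswith(TRUSTED_PREFIXES):
            findings.append((key, "program not under $B/$E: " + prog))
        elif name not in EXPECTED_TOOLS:
            findings.append((key, "unexpected tool: " + name))
        if SHELL_META.search(command):
            findings.append((key, "shell metacharacter in command"))
    return findings

# Constructed sample: stock rows plus one whose tool path was replaced.
SAMPLE_RAP = """[Project]
[MakeDef]
Menu=1,1,1,1,1,1,1,1,0,0,0,0,0,0,0,0
1=4,O,$B\\RC.EXE /v,1
2=3,O,C:\\Users\\Public\\helper.exe /c /coff,2
4=0,0,,5
7=0,0,"$E\\OllyDbg",5
"""
```

Running `check_makedef(SAMPLE_RAP)` reports only row 2, whose program lives outside the $B/$E tool folders; the stock rows and the empty row 4 pass.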