Title: HAURI live update. Arbitrary remote file download and execute vulnerability
Discoverer: Original discoverer Neo
Original exploit improver PARK, GYU TAE (saintlinu (at) null2root (dot) org [email concealed])
Advisory No.: NRVA05-03
Critical: High Critical
Impact: Arbitrary file download from Internet and executable
Where: From remote
Operating System: Windows Only
Solution: Patched
Affected S/W: http://update.nprotect.net/newlivecall/engine/livecall.cab#version=2004,
6,25,1 by Neo
http://fx.HAURI.net/HProduct/livesuite/XXXXXXX/CLIENT/LiveSuite/web/HLiv
eRobotWeb.cab#version=2005,6,21,1 by Saintlinu
Notice: 06. 29. 2005 initiated
06. 30. 2005 2ND No response
07. 05. 2005 Vendor responded and will be patched until 07. 22. 2005
07. 21. 2005 patched
07. 26. 2005 Disclosure vulnerability
Description:
HAURI is an anti virus vendor in Korea
The livesuite offers services to users scanning and treating virus, worm, hack tools and so on from Internet
See following detail describe:
[The first half]
Neo discovered vulnerability at http://update.nprotect.net/newlivecall/livecall.html
HAURI never check parameters When updates from Internet update server
also HAURI never check file's checksum or hash value.
He modified liveup.haz file, it's live update configuration file
that file just compressed by ZIP compressor.
if HAURI user access phishing page such as can use BBS that has vulnerability such as cross site script
then evil software downloaded without any restrict
evil software like cmd.exe if exist then HAURI overwrites.
[The latter half]
As you seen above. Saintlinu improved Neo's exploit.
Saintlinu found HAURI LIVE UPDATE program at XXX Commercial companies in Korea
-----------[Cut Cut]--------------------------------
Title: HAURI live update. Arbitrary remote file download and execute vulnerability
Discoverer: Original discoverer Neo
Original exploit improver PARK, GYU TAE (saintlinu (at) null2root (dot) org [email concealed])
Advisory No.: NRVA05-03
Critical: High Critical
Impact: Arbitrary file download from Internet and executable
Where: From remote
Operating System: Windows Only
Solution: Patched
Affected S/W: http://update.nprotect.net/newlivecall/engine/livecall.cab#version=2004,
6,25,1 by Neo
http://fx.HAURI.net/HProduct/livesuite/XXXXXXX/CLIENT/LiveSuite/web/HLiv
eRobotWeb.cab#version=2005,6,21,1 by Saintlinu
Notice: 06. 29. 2005 initiated
06. 30. 2005 2ND No response
07. 05. 2005 Vendor responded and will be patched until 07. 22. 2005
07. 21. 2005 patched
07. 26. 2005 Disclosure vulnerability
Description:
HAURI is an anti virus vendor in Korea
The livesuite offers services to users scanning and treating virus, worm, hack tools and so on from Internet
See following detail describe:
[The first half]
Neo discovered vulnerability at http://update.nprotect.net/newlivecall/livecall.html
HAURI never check parameters When updates from Internet update server
also HAURI never check file's checksum or hash value.
He modified liveup.haz file, it's live update configuration file
that file just compressed by ZIP compressor.
if HAURI user access phishing page such as can use BBS that has vulnerability such as cross site script
then evil software downloaded without any restrict
evil software like cmd.exe if exist then HAURI overwrites.
[The latter half]
As you seen above. Saintlinu improved Neo's exploit.
Saintlinu found HAURI LIVE UPDATE program at XXX Commercial companies in Korea
HAURI checked files in liveup.haz but that's all.
File's checksum is date and time when it made
therefore we can exploit that vulnerability.
Technical Describe:
NOT INCLUDED HERE
-----------[Cut Cut]--------------------------------
I higher respect Neo
Special thanks for My best group Null@root.
PS. I'm very sorry for poor my konglish
[ reply ]