[TZO-042006] Insecure Auto-Update and File execution May 09 2006 10:15PM
Thierry Zoller (Thierry Zoller lu)

Zango Adware - Insecure Auto-Update and File execution

Reference : TZO-042006-Zango
Author : Thierry Zoller
Advisory : http://secdev.zoller.lu/research/zango.htm

Shameless Plug :
I would like to take the opportunity to invite you to the
Security Conference known as "Hack.lu 2006" in the Grand-Duchy
of Luxembourg. More information at http://www.hack.lu
** See you there :)

I. Background


"ZangoCash (formerly LOUDcash) is recognized around the world as one of
the best pay-per-install affiliate programs on the Internet. ZangoCash
is a subsidiary of 180solutions which also includes Zango and
MetricsDirect . Every day, 7,500-10,000 ZangoCash affiliates distribute
our software to users who are then connected with more than 6,000
MetricsDirect advertisers."

II. Description

After the acknowledgement of an License Agreement, during Startup, the
bundled EXE contacts several servers and downloads the required Adware
components. The downloaded components are not checked for integrity
or authenticity and are executed as soon as they are downloaded.

The following procedures are exploitable :

1. Initial Install
2. Auto-Update function

The condition is exploitable in the following scenarios (maybe you
know more?) :

1. You have legitimate control over the DNS server
2. You have compromised a DNS server
3. You forge a cache poisoning attack against a vulnerable DNS server
4. You have access to the machine and change the HOST file

Redirecting the hostname "static.zangocash.com" to an IP address under
your Control and creating the respective V-host allows you to install
any type of executable on the machine where zango is being installed
or currently is installed, in other words: You could potentially
compromise an internal network of a company if Zango is installed
on workstations (or servers - i've seen that) and one of the 4
aforementioned conditions are met.

See http://secdev.zoller.lu/research/zango.htm for more information

Why is this an Issue ?
Especially the auto update function is a problem, imagine a DNS server
not a split setup) is compromised or cache-poisened, every workstation
with zango installed inside the company can be immediately compromised
as the Workstation tries to automaticaly download an update of Zango
and fails to realise that instead of Zango it downloads and executes
a Rootkit/Backdoor/"put anything here".

III. Summary
Vendor contact : 01/02/2006
Vendor Response : 05/02/2006

Vendor Response :
No official statement, first I was asked to remove the webpage,
then I was allowed to keep it online, I was not given permission
to disclose the conversations that took place. I will respect
the rights of 0180 Solutions.

Reference : TZO-042006-Zango
Author : Thierry Zoller
WWW : http://secdev.zoller.lu

[ reply ]


Privacy Statement
Copyright 2010, SecurityFocus