Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

Acunetix WVS 5 improper file path handling (EoP)
From: <edi.strosar () varnostne-novice com>
Date: Mon, 25 Jun 2007 20:35:58 -0400


=========================================================================
TeamIntell Security Advisory TISA2007-02-Public
-------------------------------------------------------------------------
Acunetix WVS 5 improper file path handling
=========================================================================


Release date:    25.06.2007
Severity:        Moderately critical
Impact:          Privilege escalation
Status:          Official patch available
Software:        Acunetix WVS 5
                  Acunetix WVS 4
Tested on:       Microsoft Windows 2000 SP4
                  Microsoft Windows XP SP2
Vendor:          http://www.acunetix.com/
Disclosed by:    Edi Strosar (TeamIntell)


--------
Summary
--------

The way Microsoft Windows handles filenames is well known 
and documented [1]. In situations where the path to 
executable contains white space and is not enclosed in 
quotation marks, it is possible to execute alternate 
application. This attack is commonly referred to as the 
"Program.exe trick".


---------
Analysis
---------

Acunetix Web Vulnerability Scanner (WVS) is an automated 
web application security testing tool. Acunetix WVS 4 and 
WVS 5 do not properly handle file names containing white 
spaces creating a condition where an attacker might be 
able to install arbitrary code as a file 
%SystemDrive%\program.exe. The arbitrary code would 
generally be executed under the privileges of the 
executing user but could also be launched with elevated 
privileges. Acunetix WVS Scheduler Service 
(WvSScheduler.exe) is executed in LocalSystem context and 
thus the vulnerable code will be executed in privileged 
LocalSystem context.


-----------
Limitation
-----------

1.)
Default permissions on Windows XP Professional prevent 
least-privileged users write access to %SystemDrive% and 
thus this attack must involve some form of social 
engineering or need to be combined with another attack to 
first get the arbitrary code installed in the correct 
location.

2.)
Windows xP will alert user about "File name warning" while 
executing %SystemDrive%\program.exe. Attacker might 
circumvent this warning by setting registry key 
"HKCU\Software\Microsoft\Windows\CurrentVersion
\Explorer\DontShowMeThisDialogAgain" value name 
"RogueProgramName" value data "NO". In any case, local 
services are executed before user registry keys, meaning 
that program.exe would be already executed when the 
warning appears.


-----------------
Proof of concept
-----------------

- copy program.exe to %SystemDrive%
- restart the computer
- login as least-privileged user
- use whoami.exe [2] and enumerate user privileges

Tested on Windows XP Professional sP2 and Windows 2000 
Professional SP4.

Download link:
http://www.teamintell.com/advisories/TISA2007-02-Public.zip


---------
Solution
---------

Vendor has released Acunetix WVS Build v5.0.70621 which 
fixes this issue.


-----------
References
-----------

[1] 
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dllproc/base/createprocessasuser.asp
[2] 
http://www.microsoft.com/downloads/details.aspx?familyid=49ae8576-9bb9-4126-9761-ba8011fabf38&displaylang=en


--------
Contact
--------

Maldin d.o.o.
Trzaska cesta 2
1000 Ljubljana - SI

tel: +386 (0)590 70 170
fax: +386 (0)590 70 177
gsm: +386 (0)31 816 400
web: www.teamintell.com
e-mail: info () teamintell com


-----------
Disclaimer
-----------

The content of this report is purely informational and 
meant for educational purposes only. Maldin d.o.o. shall 
in no event be liable for any damage whatsoever, direct or 
implied, arising from use or spread of this information. 
Any use of information in this advisory is entirely at 
user's own risk.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


  By Date           By Thread  

Current thread:
  • Acunetix WVS 5 improper file path handling (EoP) edi.strosar (Jun 26)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]