Sometimes "knowledge" isn't a matter of learning more things; it's a matter of "using" the things you already know, only better.
IS THERE ANY SECURE TARGET?
Cyber Security Research since 2002
SECURE TARGET; Researcher in the field of Cyber Crime & Cyber Security
SECURITY ADVISORY
Old Public Domain Security Advisories
Titles
Here is a brief list of our advisories; for detailed information, see below.
Microsoft Windows Huge Text Processing Instability [October 17, 2004]
PerfectNav Crashes IE [February 25, 2004]
New IE Thread crashes by WU [December 31, 2003]
Microsoft Outlook PST Exposure [August 31, 2003]
Recycle Bin Unavailability of Service [August 04, 2003]
OE DBX Exposure [October 27, 2002]
Vulnerability Disclosure Policy
Effective March 20, 2002, SECURE TARGET follows a new policy with respect to
the disclosure of vulnerability information. All vulnerabilities discovered
by me, Kaveh Seyed Mofidi, will be kept private after the initial discovery
unless they pose no serious threat and are not under active exploitation.
Vulnerabilities in Depth
SECURE TARGET (Security Advisory October 17, 2004)
Topic: Microsoft Windows Huge Text Processing Instability
Discovery Date: October 14, 2004
Link to Original Advisory: http://www.securetarget.net/advisory.shtml
External Links: Full-Disclosure
(http://lists.netsys.com/pipermail/full-disclosure/2004-October/027659.html),
BugTraq
(http://www.ntbugtraq.com/default.asp?pid=36&sid=1&A2=ind0410&L=ntbugtraq&F=P&S=&P=10653),
SICHERHEITSLüCKEN (http://www.scip.ch/cgi-bin/smss/showadv.pl?id=909),
Addict3d
(http://www.addict3d.org/index.php?page=viewarticle&type=security&ID=2316) /
Ls
(http://www.addict3d.org/index.php?page=security&category=7&fromID=100)/Ls
(http://www.addict3d.org/index.php?page=archive&day=20041017), Der Keiler
(http://www.derkeiler.com/Mailing-Lists/Full-Disclosure/2004-10/0636.html),
Seifried
(http://lists.seifried.org/pipermail/security/2004-October/005119.html),
NetSys
(http://lists.netsys.com/pipermail/full-disclosure/2004-October/027659.html),
Mail Archive
(http://www.mail-archive.com/full-disclosure@lists.netsys.com/msg24356.html),
SecLists (http://seclists.org/lists/fulldisclosure/2004/Oct/0614.html),
Neohapsis
(http://archives.neohapsis.com/archives/ntbugtraq/2004-q4/0077.html),
Checksum (http://www.checksum.org/mla/11/message/9080.htm), Network Security
(http://www.networksecurityarchive.org/html/NTBugtraq/2004-10/msg00092.html),
Virus (http://lists.virus.org/full-disclosure-0410/msg00589.html), DoddsNet
(http://lists.doddsnet.com/archive/ntbugtraq/Current/msg00180.htm), ReadList
(http://readlist.com/lists/lists.netsys.com/full-disclosure/1/8939.html),
Mega Security (http://www.megasecurity.org/News/News102004.html), Security
Trap (http://www.securitytrap.com/mail/full-disclosure/2004/Oct/0593.html),
Virovvch (http://www.phil.muni.cz/lvt/archiv_vir_akt.html), DevArchives
Affected applications and platforms:
Notepad, NotePad2 and MetaPad (apparently all text-processing applications) /
Microsoft Windows (all versions)
Introduction:
The point is not the limit on how large a text file "notepad" or similar
products such as NotePad2 (http://www.flos-freeware.ch) and MetaPad
(http://liquidninja.com/metapad/) can open; the point is the way these tiny
text-processing applications open and handle large text files (over roughly
200 MB).
The way they handle huge text files can bring even a fast modern PC close to
complete instability. This instability may open a path to process injection,
because you cannot even kill the processes of these applications, and they
remain "up and running" even after you log off. So it may be possible for an
unprivileged user to simply hook into the leftover process of a privileged
user; this leads to information disclosure (simply reading the contents of
memory before the large file is swapped out, which happens time after time
depending on the file size) and may even lead to running privileged tasks,
depending on the application used for processing the text. Note that on
Windows NT-based systems, opening another user's process for memory reads
still requires that the process's security descriptor grant the caller that
access (or that the caller hold SeDebugPrivilege), so whether a leftover
process is actually reachable should be verified per process rather than
assumed.
Exploit:
Exploitation differs depending on the application you choose for text
processing: for the default Windows notepad.exe it amounts to a heavy DoS,
but for NotePad2.exe and MetaPad.exe it may be possible to perform process
injection (information disclosure and/or running privileged tasks).
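The check a practitioner would want for the claim above is whether the leftover editor processes are really reachable from an unprivileged account. The following PowerShell is an added example, not code from the original advisory: it lists the three editor processes the advisory names, shows which logon session and owner each belongs to, and tries to open each one with the access a memory reader would need (PROCESS_QUERY_INFORMATION | PROCESS_VM_READ) via the Win32 OpenProcess call. The process names and access masks are from the advisory and the Windows SDK respectively; everything else is the example's own scaffolding.

```powershell
# Added example (not from the original advisory): after the hang described above,
# list leftover text-editor processes and test whether the CURRENT user can open
# each one with the access a memory reader would need. Run it from the
# unprivileged account after the privileged user has logged off.
$editors = @('notepad', 'notepad2', 'metapad')   # process names from the advisory

# Win32 OpenProcess/CloseHandle via P/Invoke; access masks from the Windows SDK.
$k32 = Add-Type -Namespace 'Probe' -Name 'K32' -PassThru -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true)]
public static extern IntPtr OpenProcess(uint dwDesiredAccess, bool bInheritHandle, int dwProcessId);
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool CloseHandle(IntPtr hObject);
'@
$PROCESS_QUERY_INFORMATION = 0x0400
$PROCESS_VM_READ           = 0x0010
$mySession = (Get-Process -Id $PID).SessionId

function Test-EditorProcessAccess {
    Get-CimInstance Win32_Process |
        Where-Object { $editors -contains ([IO.Path]::GetFileNameWithoutExtension($_.Name).ToLower()) } |
        ForEach-Object {
            $owner   = Invoke-CimMethod -InputObject $_ -MethodName GetOwner
            $h       = $k32::OpenProcess($PROCESS_QUERY_INFORMATION -bor $PROCESS_VM_READ, $false, [int]$_.ProcessId)
            $err     = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
            $canRead = ($h -ne [IntPtr]::Zero)
            if ($canRead) { [void]$k32::CloseHandle($h) }
            [pscustomobject]@{
                Pid          = $_.ProcessId
                Name         = $_.Name
                Owner        = if ($owner.User) { "$($owner.Domain)\$($owner.User)" } else { '(unknown)' }
                Session      = $_.SessionId
                OtherSession = ($_.SessionId -ne $mySession)   # left behind by another logon session
                CanReadMem   = $canRead                          # $true means the advisory's read path is open
                Win32Error   = if ($canRead) { 0 } else { $err } # 5 = ERROR_ACCESS_DENIED
            }
        }
}

Test-EditorProcessAccess | Format-Table -AutoSize
```

A row with OtherSession = True and CanReadMem = True is the situation the advisory describes; a row with Win32Error = 5 shows the process is still there but its security descriptor blocks the caller, which is the expected outcome for a process owned by a different user unless the caller holds SeDebugPrivilege.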
Workaround:
The best workaround for this situation is simply not to open large text
files in Windows, or to wait a long time for the task to complete.
Tested on:
Microsoft Windows XP SP1/SP2RC2/SP2 on Intel P4 2.4 with 1GB of RAM
Feedback:
Kaveh Mofidi [ Admin (at) SecureTarget [dot] net ]
Head of Secure Target Network
HTTP://SECURETARGET.NET
Secure Target Network (Security Advisory February 25, 2004)
Topic: PerfectNav Crashes IE
Discovery Date: February 24, 2004
Link to Original Advisory: http://www.securetarget.net/advisory.shtml
External: Full-Disclosure
(http://lists.netsys.com/pipermail/full-disclosure/2004-February/017830.html),
BugTraq (http://www.securityfocus.com/bid/9753/), Security Tracker
(http://securitytracker.com/alerts/2004/Feb/1009218.html), xforce
(http://xforce.iss.net/xforce/xfdb/15326), SANS
(http://www.sans.org/newsletters/risk/vol3_9.php)
Affected applications and platforms:
Microsoft Internet Explorer 6 Service Pack 1 and older versions
Introduction:
PerfectNav is designed to redirect your URL typing errors to PerfectNav's
web page. It is bundled with the free, ad-supported version of Kazaa Media
Desktop 2.6 and is likely to be found in software supplied by eUniverse
sites such as thunderdownloads.com, myfreecursors.com, cursorzone.com and
mycoolscreen.com. It is likely to slow the performance of Internet Explorer,
and it can download and execute arbitrary code as directed by its
controlling server, as an update feature.
We all know about hijackers and Browser Helper Objects; some of them may
hijack your sessions, but did you know one can crash your web browser in
the blink of an eye?
When PerfectNav is installed, it is easy to crash Internet Explorer
(iexplore.exe) with any malformed URL, for example: ? /? ...
Run "iexplore.exe ?" or type "?" in your IE address bar and you simply get
the error message:
"An error has occurred in Internet Explorer. Internet Explorer will now
close. If you continue to experience problems, please restart your
computer."
Exploit:
Is there any bug easier to exploit than this? Just get your target to open
any malformed URL and it will crash his or her IE.
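Because PerfectNav is a Browser Helper Object, the first thing to check on a machine that shows this crash is which BHOs Internet Explorer actually loads. The following PowerShell is an added example, not part of the original advisory: it enumerates the standard BHO registration key, resolves each CLSID through the COM class registry to its DLL, and reports whether the DLL exists on disk. It assumes no particular PerfectNav CLSID (none is given on this page); the operator finds the add-on by its name or DLL path in the output.

```powershell
# Added example (not from the original advisory): enumerate the Browser Helper
# Objects registered with Internet Explorer and resolve each CLSID to its DLL, so
# a suspect add-on such as PerfectNav can be found by name or path.
$bhoKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'  # 32-bit IE on 64-bit Windows
)
# COM class registration is merged into HKCR from these roots; HKCU wins, so check it first.
$clsidRoots = @(
    'HKCU:\SOFTWARE\Classes\CLSID',
    'HKLM:\SOFTWARE\Classes\CLSID',
    'HKLM:\SOFTWARE\Classes\Wow6432Node\CLSID'
)

function Get-BrowserHelperObject {
    foreach ($key in $bhoKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($sub in Get-ChildItem $key) {
            $clsid = $sub.PSChildName          # subkey name is the BHO's CLSID, e.g. {....}
            $name = $null; $dll = $null
            foreach ($root in $clsidRoots) {
                $c = Join-Path $root $clsid
                if (-not (Test-Path $c)) { continue }
                $name = (Get-ItemProperty $c -ErrorAction SilentlyContinue).'(default)'
                $srv  = Join-Path $c 'InprocServer32'
                if (Test-Path $srv) { $dll = (Get-ItemProperty $srv -ErrorAction SilentlyContinue).'(default)' }
                break
            }
            $expanded = if ($dll) { [Environment]::ExpandEnvironmentVariables($dll) } else { $null }
            [pscustomobject]@{
                CLSID     = $clsid
                Name      = $name
                Dll       = $expanded
                DllExists = [bool]($expanded -and (Test-Path -LiteralPath $expanded))
                Source    = $key
            }
        }
    }
}

Get-BrowserHelperObject | Format-Table -AutoSize
```

An entry whose Name or Dll mentions PerfectNav (or whose DLL lives outside Program Files or the Windows directory) is the one to remove; an entry with DllExists = False is a leftover registration from an incomplete uninstall and is harmless to IE but worth cleaning up.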
Workaround:
The easiest way to work around this vulnerability is simply to remove
PerfectNav from your computer. For information that may help you prevent
this problem from recurring, see the link below.
http://www.pestpatrol.com/msperfectnavsupport.asp
If the problem persists, please contact eUniverse.com Inc. and alert them to
the problem.
Note: To have PestPatrol automatically detect and remove PerfectNav and its
components from your computer, you have to buy PestPatrol!
Tested on:
Internet Explorer 6 Service Pack 1 (6.0.2800.1106) on Windows XP Service
Pack 1a
Secure Target Network (Security Advisory December 31, 2003)
Topic: New IE Thread crashes by WU
Discovery Date: December 30, 2003
Link to Original Advisory: http://www.securetarget.net/advisory.shtml
External: Full-Disclosure
(http://lists.netsys.com/pipermail/full-disclosure/2003-December/015131.html)
Affected applications and platforms:
Microsoft Internet Explorer 6 Service Pack 1
Introduction:
Any time you open Windows Update (WU / wupdmgr.exe) and go to "Scan for
Updates", it takes a couple of minutes (depending on your system and network
performance) for Microsoft's scripting tasks to gather information about the
fixes and patches on your machine.
A security bug exists because during the period in which WU is scanning your
host, you cannot open any new IE window from some applications; opening the
new window takes as long as WU takes to finish its scan, which means a hang.
First, it is a security bug because it affects the availability of a
component on a Windows box. Second, it happens when you open a new IE window
in either of these two situations:
1. Opening a new IE window by clicking on a hyperlink in OE.
2. Opening a new IE window by clicking on a hyperlink in IE.
Remember that to hit this issue, you must not already have an IE thread
opened from OE or IE beforehand.
Exploit:
This bug may not give an attacker an opportunity to threaten a Windows box
with attacks and exposures, but it may cause a DoS anyway.
Workaround:
The easiest way to work around this vulnerability is to let WU finish its
scanning and then work with IE and OE as usual.
Tested on:
Internet Explorer 6 Service Pack 1 (6.0.2800.1106) and Outlook Express
6.00.2800.1123 on Windows XP Service Pack 1
Secure Target Network (Security Advisory August 31, 2003)
Topic: Microsoft Outlook PST Exposure
Discovery Date: August 28, 2003
Link to Original Advisory: http://www.securetarget.net/advisory.shtml
External: Zone-h (http://www.zone-h.org/en/advisories/read/id=2960/) ,
Full-Disclosure
(http://lists.netsys.com/pipermail/full-disclosure/2003-August/009377.html)
Affected applications and platforms:
All versions of Outlook on any Windows platform
Introduction:
Everyone who works with Outlook stores and manages his or her Outlook data
in .pst files, transparently under Microsoft Outlook. By default these data
files live in:
%windrive%\Documents and Settings\User Profile\Local Settings\Application
Data\Microsoft\outlook
and all of your data may be encrypted and maintained as outlook.pst (or
archive.pst when you archive your old data).
When you add something to your Outlook items (appointments and meetings,
tasks, notes, ...), the data file usually grows in size, but when you delete
items (of any size, large or small), the data disappears from view but
usually is not erased from the .pst file.
Exploit:
As you can probably see, this may result in a wide range of exposure
attacks; no privilege escalation or other direct system compromise happens.
But anybody with physical access to your computer can read your Outlook
items (any task, appointment and so on) and any private information in them.
This can also lead to a worse situation when you restore a backed-up copy of
these .pst files to recover lost data: the backup contains something
different from what you expect, because you did not copy a compacted
(refreshed) one.
Workaround:
The easiest workaround for this vulnerability is physical security
countermeasures, but for your backups, try to "compact" the data file before
backing up:
1. File > Folder > Properties of "your desired folder with data files" >
General tab > Advanced > Compact Now
2. File > Data File Management > Settings > Compact Now
Tested on:
Outlook 2000 SP3 (9.0.0.6627) on Windows 2000 SP4
Outlook 2002 (10.2627.2625) on Windows XP Professional SP1
Feedback:
Kaveh Mofidi ( Admin (at) SecureTarget [dot] net )
SECURE TARGET, Cyber Security Research
HTTP://SECURETARGET.NET
Secure Target Network (Security Advisory August 04, 2003)
Topic: Recycle Bin Unavailability of Service
Discovery date: July 24, 2003
External: Neohapsis
(http://archives.neohapsis.com/archives/vulndiscuss/2003-q3/0029.html),
Full-Disclosure
(http://www.blacksheepnetworks.com/security/security/fulldisc/4966.html),
Security Corporation
(http://www.security-corporation.com/articles-20030805-001.html)
Affected applications and platforms:
Windows XP Service Pack 1
Not affected applications and platforms:
Windows 2000 Service Pack 3 (and may others)
Introduction:
I'm sure this relates to security because it touches availability. You may
want to navigate somewhere with "Windows Explorer" or "My Computer" from some
other location. That may mean nothing to you, but have you ever tried
navigating from "Recycle Bin" to anywhere else?
You can't do this, and this is a kind of unavailability!
When you click on "Recycle Bin" in any address bar, the words become
highlighted, and when you try to type a path, the words and phrases you type
turn back into "Recycle Bin". This way, you cannot MANUALLY change to any
desired location from "Recycle Bin".
Exploit:
There is no exploit for this misbehavior, but you should be aware of the
unavailability this situation brings to your desktop, because some day you
may not have a mouse.
Workaround:
This is Windows XP GUI behavior and may be fixed in the future, but if you
want to work around it, just copy and paste your desired path and press
"ENTER" as fast as possible.
Tested on:
Windows XP Service Pack 1
Windows 2000 Service Pack 3
Feedback:
Kaveh Mofidi ( Admin (at) SecureTarget [dot] net )
SECURE TARGET, Cyber Security Research
HTTP://SECURETARGET.NET
Secure Target Network (Security Advisory October 27, 2002)
Topic: OE DBX Exposure
Discovery date: October 02, 2002
Discovered by: Kaveh Mofidi
External: Security Tracker
(http://www.securitytracker.com/alerts/2002/Oct/1005489.html) , Bugtraq
(http://www.ntbugtraq.com/default.asp?pid=36&sid=1&A2=ind0210&L=ntbugtraq&F=P&S=&P=5732),
Secunia (http://secunia.com/advisories/7414/)
Affected applications and platforms:
All versions of Outlook Express on any Windows platform
Introduction
You have already worked with .dbx files, which store and manage your
messages under OE. By default they live in:
%windrive%\Documents and Settings\User Profile\Local Settings\Application
Data\Identities\{Class ID}\Microsoft\Outlook Express
Each of your folders is stored in a .dbx file named after the folder, and
the folders themselves are defined in the Folders.dbx file.
When you delete your messages, they move to Deleted Items.dbx (the Deleted
Items folder), so when you exit OE they should be gone, but this isn't what
happens. Even when you choose "Empty messages from the 'Deleted Items'
folder on exit", they remain in both yourfolder.dbx and Deleted Items.dbx.
Exploit
As you can probably see, this may result in a wide range of exposure
attacks; no privilege escalation or other direct system compromise happens.
But anybody with physical access to your computer can read your email
messages and any private information in them.
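The practical check for both this advisory and the Outlook PST one above is whether text from a message you deleted is still present in the store on disk. The following PowerShell is an added example, not part of either original advisory: it searches every .dbx file in an Outlook Express identity store for a string unique to a deleted message and reports how many copies survive in which files. The store path is the default one the advisory gives; the identity GUID is read from the "Default User ID" value under HKCU\Identities rather than assumed, and the needle string in the usage line is a constructed sample. DBX files hold message text unencrypted, so a plain byte search is enough; a default Outlook .pst is written with "compressible encryption" (a byte-substitution of the content), so the same search would miss text in a PST unless the file was created with no encryption.

```powershell
# Added example (not from the original advisory): search every .dbx file in an
# Outlook Express identity store for a string from a message you deleted (e.g. its
# Subject line) and report how many copies survive in which files.
function Find-DbxResidue {
    param(
        [Parameter(Mandatory = $true)] [string] $Needle,   # text unique to the deleted message
        [string] $StorePath = $null                        # override if the store root was moved
    )
    if (-not $StorePath) {
        # Default store: ...\Local Settings\Application Data\Identities\{GUID}\Microsoft\Outlook Express
        $guid = (Get-ItemProperty 'HKCU:\Identities' -ErrorAction SilentlyContinue).'Default User ID'
        $localAppData = [Environment]::GetFolderPath('LocalApplicationData')
        $StorePath = Join-Path $localAppData "Identities\$guid\Microsoft\Outlook Express"
    }
    $ascii   = [Text.Encoding]::ASCII
    $pattern = [regex]::Escape($Needle)
    foreach ($f in Get-ChildItem -LiteralPath $StorePath -Filter '*.dbx' -ErrorAction Stop) {
        # Message bodies are stored as 8-bit MIME text, so decoding the raw bytes as
        # ASCII is enough for an ASCII needle; non-ASCII bytes just become '?'.
        $text  = $ascii.GetString([IO.File]::ReadAllBytes($f.FullName))
        $count = [regex]::Matches($text, $pattern).Count
        [pscustomobject]@{
            File   = $f.Name
            SizeKB = [int]($f.Length / 1KB)
            Hits   = $count      # > 0 means the deleted message is still recoverable from disk
        }
    }
}

# Usage: run after deleting the message (and after emptying Deleted Items or
# exiting OE), with text that appears only in that message. Constructed sample needle:
Find-DbxResidue -Needle 'Subject: Quarterly numbers (confidential)' | Format-Table -AutoSize
```

Hits in both the original folder's .dbx and 'Deleted Items.dbx' reproduce exactly what the advisory describes; a run after compacting the folders (File > Folder > Compact All Folders in OE) should show the hits disappear, which is the quickest way to confirm the workaround actually removed the data.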
Workaround
Manipulating messages and the folders containing them may change the way OE
refreshes its files, but it may also leave more and more DBX files exposed.
The only solution to this issue is to delete the whole target folder.
Tested on
Outlook Express 6.0.2600.0000 on Windows XP
Outlook Express 6.0.2600.0000 and 6.0.2800.1106 on Windows 2000 SP3
Feedback
Kaveh Mofidi ( Admin (at) SecureTarget [dot] net )
SECURE TARGET, Cyber Security Research
HTTP://SECURETARGET.NET