Posts tagged: Vulnerability

Vista not spared from *.ani zero-day

By , March 30, 2007 11:12 pm

Microsoft had issued a Security Advisory (935423) addressing the threat of the Animated Cursor handling.

This vulnerability can be exploited to execute arbitrary codes to create backdoors and attempt to download malwares into the infected systems.

Windows Vista Vulnerable to StickyKeys Backdoor

By , March 20, 2007 5:02 pm

This vulnerability was discovered by a McAfee researcher, Vinoo Thomas. According to his blog, the StickyKeys can be modified to launch an unauthorised software when triggered.

StickyKeys is a accessibility feature in modern Wndows system to aid disabled users. To trigger, the user needs to hit the modifier key such as ‘Shift’ for five times and once triggered, the modifer keys would “stick”, as though it had been pressed. For example if ‘Shift’ is the modifier key, when triggered, you only need to hit ‘F1’ key inorder to execute ‘Shift + F1’. The StickyKeys can be trigger at the login page, thus implying that no authentication is done prior to triggering the StickyKeys.

This vulnerability involves modifying the file “c:/windows/system32/sethc.exe” that launches StickyKeys. Windows Vista does not do integrity check on the file before executing it, but the file is protected by the Windows file protection. Disabling the file protection is however easy by using the following command.

takeown /f c:\windows\system32\sethc.exe
cacls c:\windows\system32\sethc.exe /G administrator:F

It is noted that using this vulnerability, one can disable the file protection, modify “c:/windows/system32/sethc.exe” such that “cmd.exe” is launched instead. So, the attacker can trigger the StickyKeys at logon to launch “cmd.exe” then proceed to add himself as an administrator by using the following command.

net user USERNAME /add
net localgroup administrators USERNAME

However, the catch is that in order to disable the file protection, one needs to have administrator rights. It doesn’t make sense of performing a long chain of actions to create an administrator account when the attacker already has administrator access to the system.

Vista Speech Command, a possible exploit

By , February 4, 2007 1:51 pm

Days after Vista was launched, some users had been discussing about the possibility exploit on the Speech Command feature. The speech command is one of Vista new feature. It allows user to speak thru the microphone, and the OS will execute the command given, that is, if the voice command is a valid command.

The exploit is not due to a bug in the Speech Recognition system, but rather the design of the system. It works by sending a victim a malicious audio file that contains voice commands, then by tricking the victim to play the audio file, the Speech Command will pick up the command thru the microphone (where the audio file was played out thru the speakers) and execute whatever the command is. For example, the victim received an audio file that has “shutdown” recorded in it. Unknowingly, the victim played the audio file and the Speech Command will pick it up and execute the “shutdown” command.

However for this exploit to work, the Speech Command must be enabled and the malicious audio file had to be played. Fortunately, the Speech Command is by default disabled.

Bounty for Windows Vista & Internet Explorer 7 Vulnerabilities

By , January 11, 2007 4:36 pm

iDefense Labs (part of the Verisign company) has just issued a new challenge to the white and black hats, to discover security vulnerabilities within the mentioned products, which can be remotely exploited. iDefense will be awarding US$8000 for each vulnerabitity submitted, to a maximum of six payments of $8000. On top of the $8000, $2000-$4000 will also be awarded for each working exploit codes that exploits the submitted vulneralbility.


Panorama Theme by Themocracy