Dear F/D mailing list,

-----------[Cut Cut]--------------------------------

Title: HAURI live update. Arbitrary remote file download and execute vulnerability

Discoverer: Original discoverer: Neo
            Original exploit improver: PARK, GYU TAE (saintlinu@null2root.org)

Advisory No.: NRVA05-03

Critical: High Critical

Impact: Arbitrary file downloaded from the Internet and executed

Where: From remote

Operating System: Windows only

Solution: Patched

Affected S/W:
  http://update.nprotect.net/newlivecall/engine/livecall.cab#version=2004,6,25,1 (by Neo)
  http://fx.HAURI.net/HProduct/livesuite/XXXXXXX/CLIENT/LiveSuite/web/HLiveRobotWeb.cab#version=2005,6,21,1 (by Saintlinu)

Notice:
  06. 29. 2005  Initial report to the vendor
  06. 30. 2005  Second report, no response
  07. 05. 2005  Vendor responded; patch promised by 07. 22. 2005
  07. 21. 2005  Patched
  07. 26. 2005  Vulnerability disclosed

Description:

HAURI is an anti-virus vendor in Korea. Its LiveSuite offers users scanning and cleaning of viruses, worms, hacking tools and so on over the Internet.

Details follow:

[The first half]

Neo discovered the vulnerability at http://update.nprotect.net/newlivecall/livecall.html. HAURI never validates the parameters it is given when it updates from the Internet update server, and it never checks the downloaded file's checksum or hash value.

He modified the liveup.haz file, the live update configuration file, which is simply a ZIP-compressed archive. If a HAURI user visits a phishing page (for example through a bulletin board that has a vulnerability such as cross-site scripting), the attacker's software is downloaded without any restriction. If the malicious file carries the name of a file that already exists, such as cmd.exe, HAURI overwrites the existing file with it.

[The latter half]

As seen above, Saintlinu improved Neo's exploit. Saintlinu found the HAURI LIVE UPDATE program deployed at XXX commercial companies in Korea. This version does check the files listed in liveup.haz, but that is all: the file's "checksum" is only the date and time at which the file was made, so an attacker who rewrites the archive can supply a matching value, and the vulnerability is still exploitable.
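The three weaknesses the advisory describes (the updater trusts parameters handed to it by a web page, applies no hash or checksum to the download, and in the later version uses only the archive's date/time stamp as its "checksum") are shown below next to a hardened check. This is an added illustration, not the advisory's withheld technical description and not HAURI's code; the manifest layout, the host name, the key, the allowed file list and the sample packages are all constructed assumptions, and HMAC stands in for the asymmetric signature a real updater would use.

```python
"""Added example (not HAURI's code): a toy live-update package check.

Everything here is constructed: the manifest format, host name, key and
file list are assumptions made for illustration only.
"""
import hashlib
import hmac
import io
import json
import posixpath
import zipfile
from urllib.parse import urlparse

# Assumed allow-list of update hosts (illustrative name, not HAURI's server).
TRUSTED_HOSTS = {"update.example-av.test"}

# Assumed key shared with the update server. A real updater should verify an
# asymmetric signature (e.g. Ed25519) so the client holds no signing secret;
# HMAC is used here only because it ships with the standard library.
SERVER_KEY = b"constructed-demo-key-do-not-use"

# Files the updater may replace, relative to its own install directory.
ALLOWED_TARGETS = {"engine/vdb.dat", "engine/scan.dll"}


def build_package(files, stamp="2005-07-26 10:00:00"):
    """Build a constructed ZIP package in the style the advisory describes
    for liveup.haz: a manifest plus the payload files (format assumed).

    files: {path_in_package: bytes}; stamp: the date/time 'checksum'.
    """
    manifest = {"stamp": stamp, "files": list(files)}
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("manifest.json", json.dumps(manifest))
        for name, data in files.items():
            zf.writestr(name, data)
    return buf.getvalue()


def read_manifest(package):
    """Parse the archive; returns (manifest dict, list of member names)."""
    with zipfile.ZipFile(io.BytesIO(package)) as zf:
        return json.loads(zf.read("manifest.json")), zf.namelist()


def sign_package(package):
    """Server side: integrity tag over the whole archive, published with it."""
    return hmac.new(SERVER_KEY, package, hashlib.sha256).hexdigest()


def weak_verify(package, url):
    """The pattern the advisory describes: any host is accepted, and the only
    'checksum' is a date/time stamp carried inside the archive itself, so an
    attacker who rewrites the archive simply writes a fresh stamp as well."""
    manifest, _ = read_manifest(package)
    return isinstance(manifest.get("stamp"), str)


def strong_verify(package, url, tag):
    """Hardened check: host allow-list, integrity tag over the raw bytes,
    and every target path confined to the allowed file set.
    Returns (accepted, reason)."""
    host = urlparse(url).hostname
    if host not in TRUSTED_HOSTS:
        return False, f"untrusted update host {host!r}"
    # Verify before parsing: a forged archive never reaches the ZIP parser.
    if not hmac.compare_digest(sign_package(package), tag):
        return False, "integrity tag mismatch"
    manifest, names = read_manifest(package)
    for name in manifest.get("files", []):
        norm = posixpath.normpath(name)
        # Reject absolute paths, traversal (the cmd.exe overwrite) and any
        # file the updater has no business writing.
        if norm.startswith(("/", "../")) or norm not in ALLOWED_TARGETS:
            return False, f"refusing to write {name!r}"
        if name not in names:
            return False, f"manifest lists missing entry {name!r}"
    return True, "ok"


def demo():
    """Run both checks against a genuine package and an attacker's package."""
    good_url = "https://update.example-av.test/liveup.haz"
    good = build_package({"engine/vdb.dat": b"constructed virus database"})
    tag = sign_package(good)

    # Attacker's page (e.g. via an XSS hole in a bulletin board) points the
    # updater at a hostile host; the archive tries to overwrite cmd.exe.
    evil_url = "http://attacker.test/liveup.haz"
    evil = build_package({"../../Windows/system32/cmd.exe": b"MZ constructed"},
                         stamp="2005-07-27 00:00:00")

    return {
        "weak_accepts_evil": weak_verify(evil, evil_url),
        "strong_rejects_bad_host": strong_verify(evil, evil_url, tag),
        "strong_rejects_forged_bytes": strong_verify(evil, good_url, tag),
        "strong_accepts_good": strong_verify(good, good_url, tag),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The ordering in strong_verify is the point: the tag is checked over the raw bytes before the archive is parsed, so a forged package is rejected without exercising the ZIP or manifest code, and the path check is kept even for a validly tagged package so a compromised or mistaken server cannot make the updater write outside its own files. Because HMAC forces the client to hold the key, a shipped updater should use a public-key signature instead; the structure of the check is the same.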
Technical Description: NOT INCLUDED HERE

-----------[Cut Cut]--------------------------------

I have great respect for Neo.
Special thanks to my best group, Null@root.

PS. I'm very sorry for my poor Konglish.