Insecure Auto-Update and File execution

Published : 2006.05.16
Credit : Thierry Zoller
Risk : Medium
CWE : N/A
CVE : CVE-2006-2324
Local : No
Remote : Yes

CVSS Base Score : 10/10
Impact Subscore : 10/10
Exploitability Subscore : 10/10
Exploit range : Remote
Attack complexity : Low
Authentication : Not required
Confidentiality impact : Complete
Integrity impact : Complete
Availability impact : Complete

_______________________________________________________________________

Zango Adware - Insecure Auto-Update and File execution
_______________________________________________________________________

Reference : TZO-042006-Zango
Author : Thierry Zoller
Advisory : http://secdev.zoller.lu/research/zango.htm

Shameless Plug :
I would like to take the opportunity to invite you to the
Security Conference known as "Hack.lu 2006" in the Grand-Duchy
of Luxembourg. More information at http://www.hack.lu
** See you there :)

I. Background
~~~~~~~~~~~~~

http://www.zangocash.com

"ZangoCash (formerly LOUDcash) is recognized around the world as one of
the best pay-per-install affiliate programs on the Internet. ZangoCash
is a subsidiary of 180solutions which also includes Zango and
MetricsDirect. Every day, 7,500-10,000 ZangoCash affiliates distribute
our software to users who are then connected with more than 6,000
MetricsDirect advertisers."

II. Description
~~~~~~~~~~~~~~~

After the License Agreement has been accepted, the bundled EXE contacts
several servers during startup and downloads the required adware
components. The downloaded components are not checked for integrity
or authenticity and are executed as soon as they are downloaded.

The following procedures are exploitable :

1. Initial Install
2. Auto-Update function

The condition is exploitable in the following scenarios (maybe you
know more?) :

1. You have legitimate control over the DNS server
2. You have compromised a DNS server
3. You forge a cache poisoning attack against a vulnerable DNS server
4. You have access to the machine and change the HOST file
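For scenario 4, a check an administrator can run on a workstation, added
here as an example and not part of the advisory or of Zango's code: parse
the hosts file and flag any entry that pins a zangocash.com name, since the
vendor ships no such entry and its presence means the updater's download
host has been overridden locally. The sample hosts file is constructed, and
the Windows path is only the usual default, assumed here.

```python
import ipaddress
import os

# Names whose resolution the updater trusts; the advisory names static.zangocash.com.
WATCHED_DOMAINS = ("zangocash.com",)

# Constructed sample of a tampered hosts file (not taken from a real machine).
SAMPLE_HOSTS = """# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
192.0.2.66      static.zangocash.com   # attacker-added override
192.0.2.66  www.zangocash.com  zangocash.com
"""


def parse_hosts(text):
    """Yield (ip, hostname, line_no) for every mapping; comments and junk lines are skipped."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                      # first field is not an address: not a mapping line
        for name in fields[1:]:
            yield str(ip), name.lower().rstrip("."), line_no


def find_overrides(text, watched=WATCHED_DOMAINS):
    """Return every hosts entry that overrides a watched domain or one of its subdomains."""
    hits = []
    for ip, name, line_no in parse_hosts(text):
        if any(name == d or name.endswith("." + d) for d in watched):
            hits.append({"line": line_no, "ip": ip, "host": name})
    return hits


def check_local_hosts_file(path=None):
    """Read this machine's hosts file (Windows default path assumed) and report overrides."""
    if path is None:
        path = os.path.join(os.environ.get("SystemRoot", r"C:\Windows"),
                            "System32", "drivers", "etc", "hosts")
    with open(path, encoding="utf-8", errors="replace") as fh:
        return find_overrides(fh.read())


if __name__ == "__main__":
    for hit in find_overrides(SAMPLE_HOSTS):
        print(f"line {hit['line']}: {hit['host']} pinned to {hit['ip']}")
```

On the sample file this reports three entries, all on lines 4 and 5. The check
only covers the hosts file; a poisoned or rogue DNS server (scenarios 1 to 3)
leaves the file untouched and has to be caught by comparing the resolver's
answer with a known-good one from outside the affected network.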

Redirecting the hostname "static.zangocash.com" to an IP address under
your control and creating the respective virtual host lets you install
any type of executable on a machine where Zango is being installed
or is already installed. In other words, you could compromise a
company's internal network if Zango is installed on its workstations
(or servers; I have seen that) and one of the four conditions above
is met.

See http://secdev.zoller.lu/research/zango.htm for more information
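The download-then-execute behaviour described in section II, and the DNS
redirection that exploits it, as an added example that is not code from the
advisory or from Zango: a Python simulation with a fake resolver and HTTP
server, a vulnerable updater that runs whatever it fetches from
static.zangocash.com, and a hardened updater that verifies a detached
signature against a key pinned in the installer before running anything.
The update path, the IP addresses and the payloads are constructed; the
Lamport one-time signature is a stdlib-only stand-in for the code-signing
key a real updater would pin.

```python
import hashlib
import hmac
import secrets

UPDATE_HOST = "static.zangocash.com"   # hostname named in the advisory
UPDATE_PATH = "/update.exe"            # assumed path, not taken from the advisory
VENDOR_IP = "192.0.2.10"               # constructed TEST-NET addresses
ATTACKER_IP = "192.0.2.66"


# --- Lamport one-time signature: a genuine public-key scheme built from SHA-256 only.
# Stand-in for the RSA/ECDSA code-signing key a real updater would pin.
def keygen():
    """Secret key: 256 pairs of random preimages; public key: their SHA-256 digests."""
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    pk = [(hashlib.sha256(a).digest(), hashlib.sha256(b).digest()) for a, b in sk]
    return sk, pk


def _bits(msg):
    digest = hashlib.sha256(msg).digest()
    return [(digest[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]


def sign(sk, msg):
    """Reveal one preimage per bit of SHA-256(msg). A Lamport key must sign only ONE message."""
    return b"".join(sk[i][bit] for i, bit in enumerate(_bits(msg)))


def verify(pk, msg, sig):
    """Hash each revealed preimage and compare with the pinned public key, bit by bit."""
    if len(sig) != 256 * 32:
        return False
    chunks = [sig[i * 32:(i + 1) * 32] for i in range(256)]
    expected = b"".join(pk[i][bit] for i, bit in enumerate(_bits(msg)))
    actual = b"".join(hashlib.sha256(c).digest() for c in chunks)
    return hmac.compare_digest(expected, actual)


# --- Offline stand-in for DNS and HTTP.
class FakeNetwork:
    def __init__(self):
        self.dns = {UPDATE_HOST: VENDOR_IP}              # what the resolver answers
        self.servers = {VENDOR_IP: {}, ATTACKER_IP: {}}  # ip -> {path: bytes}

    def redirect(self, hostname, ip):
        """All four scenarios in the advisory end the same way: the resolver's answer changes."""
        self.dns[hostname] = ip

    def get(self, hostname, path):
        return self.servers[self.dns[hostname]].get(path)


def execute(payload):
    """Stand-in for launching a downloaded EXE: return what 'ran'."""
    return payload.decode()


def vulnerable_update(net):
    """What the advisory describes: fetch, then run. No integrity or origin check."""
    return execute(net.get(UPDATE_HOST, UPDATE_PATH))


def hardened_update(net, pinned_pk):
    """Run the payload only if its detached signature verifies against the key
    shipped inside the installer. Where the bytes came from no longer matters."""
    payload = net.get(UPDATE_HOST, UPDATE_PATH)
    sig = net.get(UPDATE_HOST, UPDATE_PATH + ".sig")
    if payload is None or sig is None or not verify(pinned_pk, payload, sig):
        raise ValueError("update rejected: signature does not verify against pinned key")
    return execute(payload)


def run_scenario():
    sk, pk = keygen()                      # pk is what ships with the installer
    net = FakeNetwork()
    legit = b"ZANGO-UPDATE"                # constructed payloads
    legit_sig = sign(sk, legit)
    net.servers[VENDOR_IP] = {UPDATE_PATH: legit, UPDATE_PATH + ".sig": legit_sig}
    results = {"honest_dns": (vulnerable_update(net), hardened_update(net, pk))}

    # Attacker controls the resolution (rogue DNS, poisoned cache or edited hosts file)
    # and serves a backdoor, replaying the vendor's real signature next to it.
    net.servers[ATTACKER_IP] = {UPDATE_PATH: b"BACKDOOR", UPDATE_PATH + ".sig": legit_sig}
    net.redirect(UPDATE_HOST, ATTACKER_IP)
    ran_vulnerable = vulnerable_update(net)
    try:
        ran_hardened = hardened_update(net, pk)
    except ValueError:
        ran_hardened = None                # refused to run anything
    results["redirected_dns"] = (ran_vulnerable, ran_hardened)
    return results


if __name__ == "__main__":
    print(run_scenario())
```

With honest DNS both updaters run ZANGO-UPDATE; after the redirect the
vulnerable updater runs BACKDOOR while the hardened one refuses and returns
None, even though the attacker served the vendor's genuine signature next to
the backdoor. The check moves trust from the DNS answer to a key the attacker
does not hold. A Lamport key is one-shot, so a real updater uses RSA or ECDSA,
and should include a version number in the signed data so that a replayed old,
genuinely signed release cannot be used to downgrade the client.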

Why is this an Issue ?
~~~~~~~~~~~~~~~~~~~~~~
The auto-update function is the bigger problem. Imagine a DNS server
(not a split setup) is compromised or cache-poisoned: every workstation
in the company with Zango installed can be compromised immediately,
because each workstation automatically tries to download a Zango update
and fails to notice that, instead of Zango, it downloads and executes
a rootkit, backdoor or anything else the attacker chooses.

III. Summary
~~~~~~~~~~~~~~~
Vendor contact : 01/02/2006
Vendor Response : 05/02/2006

Vendor Response :
No official statement. First I was asked to remove the webpage,
then I was allowed to keep it online; I was not given permission
to disclose the conversations that took place. I will respect
the rights of 180solutions.

Reference : TZO-042006-Zango
Author : Thierry Zoller
WWW : http://secdev.zoller.lu

Copyright 2014, cxsecurity.com