Insecure Auto-Update and File execution

2006-05-15 / 2006-05-16
Credit: Thierry Zoller
Risk: Medium
Local: No
Remote: Yes
CVE: CVE-2006-2324
CWE: CWE-Other


CVSS Base Score: 10/10
Impact Subscore: 10/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: No required
Confidentiality impact: Complete
Integrity impact: Complete
Availability impact: Complete

_______________________________________________________________________ Zango Adware - Insecure Auto-Update and File execution _______________________________________________________________________ Reference : TZO-042006-Zango Author : Thierry Zoller Advisory : http://secdev.zoller.lu/research/zango.htm Shameless Plug : I would like to take the opportunity to invite you to the Security Conference known as "Hack.lu 2006" in the Grand-Duchy of Luxembourg. More information at http://www.hack.lu ** See you there :) I. Background ~~~~~~~~~~~~~ http://www.zangocash.com "ZangoCash (formerly LOUDcash) is recognized around the world as one of the best pay-per-install affiliate programs on the Internet. ZangoCash is a subsidiary of 180solutions which also includes Zango and MetricsDirect . Every day, 7,500-10,000 ZangoCash affiliates distribute our software to users who are then connected with more than 6,000 MetricsDirect advertisers." II. Description ~~~~~~~~~~~~~~~ After the acknowledgement of an License Agreement, during Startup, the bundled EXE contacts several servers and downloads the required Adware components. The downloaded components are not checked for integrity or authenticity and are executed as soon as they are downloaded. The following procedures are exploitable : 1. Initial Install 2. Auto-Update function The condition is exploitable in the following scenarios (maybe you know more?) : 1. You have legitimate control over the DNS server 2. You have compromised a DNS server 3. You forge a cache poisoning attack against a vulnerable DNS server 4. You have access to the machine and change the HOST file Redirecting the hostname "static.zangocash.com" to an IP address under your Control and creating the respective V-host allows you to install any type of executable on the machine where zango is being installed or currently is installed, in other words: You could potentially compromise an internal network of a company if Zango is installed on workstations (or servers - i've seen that) and one of the 4 aforementioned conditions are met. See http://secdev.zoller.lu/research/zango.htm for more information Why is this an Issue ? ~~~~~~~~~~~~~~~~~~~~~~ Especially the auto update function is a problem, imagine a DNS server not a split setup) is compromised or cache-poisened, every workstation with zango installed inside the company can be immediately compromised as the Workstation tries to automaticaly download an update of Zango and fails to realise that instead of Zango it downloads and executes a Rootkit/Backdoor/"put anything here". III. Summary ~~~~~~~~~~~~~~~ Vendor contact : 01/02/2006 Vendor Response : 05/02/2006 Vendor Response : No official statement, first I was asked to remove the webpage, then I was allowed to keep it online, I was not given permission to disclose the conversations that took place. I will respect the rights of 0180 Solutions. Reference : TZO-042006-Zango Author : Thierry Zoller WWW : http://secdev.zoller.lu


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top