-----BEGIN PGP SIGNED MESSAGE-----

===========================================================================
             AUSCERT External Security Bulletin Redistribution

               ESB-2003.0460 -- Core Security Technologies Advisory
                 NetMeeting Directory Traversal Vulnerability
                              03 July 2003

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:                Windows NetMeeting
Publisher:              Core Security Technologies
Operating System:       Windows
Impact:                 Execute Arbitrary Code/Commands
                        Create Arbitrary Files
Access Required:        Remote

- --------------------------BEGIN INCLUDED TEXT--------------------

  Core Security Technologies Advisory
  http://www.coresecurity.com

  NetMeeting Directory Traversal Vulnerability

Date Published: 2003-07-02
Last Update: 2003-07-02
Advisory ID: CORE-2003-0305-04
Bugtraq ID: 7931
CVE Name: None currently assigned.
Title: NetMeeting Directory Traversal Vulnerability
Class: Input validation error
Remotely Exploitable: Yes
Locally Exploitable: No
Advisory URL: http://www.coresecurity.com/common/showdoc.php?idx=352&idxseccion=10

Vendors contacted:
- Microsoft
  . Core Notification: 2003-05-21
  . Notification acknowledged by Microsoft: 2003-05-21
  . Issue fixed in Windows 2000 SP4: 2003-06-26

Release Mode: COORDINATED RELEASE

*Vulnerability Description:*

Windows NetMeeting is a popular application used to hold audio and video
conferences between a group of persons. One of its features is "File
Transfer" which lets you send one or more files in the background during
a NetMeeting conference.

A directory traversal vulnerability was found in NetMeeting when doing File
Transfers. An attacker can use filenames containing "..\..\" when doing a
file transfer, and in this manner, create a file in any place of the
victim's filesystem, escaping the directory where NetMeeting usually stores
incoming files (e.g. C:\Program Files\Received\Received Files).
This makes it possible to force the execution of arbitrary code on
vulnerable systems.

*Vulnerable Packages:*

NetMeeting version 3.01 (4.4.3385).
Other versions may also be vulnerable.

*Solution/Vendor Information/Workaround:*

A fix for this issue is included in Windows 2000 SP4 and Windows XP SP1
available from:

Windows 2000 Service Pack 4
http://www.microsoft.com/Windows2000/downloads/servicepacks/sp4/

Windows XP (Professional and Home edition) Service Pack 1
http://www.microsoft.com/WindowsXP/pro/downloads/servicepacks/sp1/

Windows Server 2003 does not ship with a vulnerable version of NetMeeting.

*Credits:*

This vulnerability was found by Hernán Ochoa, Gustavo Ajzenman, Javier
Garcia Di Palma and Pablo Rubinstein from Core Security Technologies during
Bugweek 2003 (March 3-7, 2003).

*Technical Description - Exploit/Concept Code:*

We have found a directory traversal vulnerability in NetMeeting when doing
File Transfers. An attacker can use filenames containing "..\..\" when doing
a file transfer, and in this manner, create a file in any place of the
victim's filesystem, escaping the directory where NetMeeting usually stores
incoming files (e.g.: C:\Program Files\Received\Received Files).

An attacker cannot overwrite already existing files.

A dialog box appears at the end of the file transfer, which can alert the
user about the malicious action (the dialog box will not be automatically
closed). However, the user is not prompted to reject or accept the file
transfer, and since NetMeeting conferences can be shut down by sending
malformed packets (for example, by arbitrarily fuzzing data sent in packets
interchanged during a chat conversation), the action can be hidden from the
user. We're also investigating a certain succession of packets that may
prevent the dialog box from appearing at all.

How to reproduce this vulnerability:

- Start a NetMeeting conversation between two peers
- Click on the "Transfer Files" button
- Click on the "Add Files..."
  button and choose any file (e.g.: example_example_example.txt)
- Attach a debugger to the NetMeeting process (conf.exe) and put a
  breakpoint on ws2_32!send (e.g.: ntsd -p <conf's pid> / bp send )
- Click on the "Send All" button
- The breakpoint set on ws2_32!send() will start popping up.
- Examine the stack, obtain the address of the buffer sent to the send()
  function, and examine its content
- Look for the packet containing the name of the file being sent
  (e.g.: example_example_example.txt)
- You're going to find two packets containing the filename; modify both
  packets with the debugger so that example_example_example.txt becomes
  ..\..\..\xample_example.txt
- Let the process continue both times, and let the file transfer finish.
- Now you can go to the root directory of the drive, and you'll see the
  file sent there instead of the "Received Files" directory.

Of course, a debugger is not needed to exploit the vulnerability; it is
just a convenient way to reproduce the vulnerability.

We also found that by sending malformed packets at several different
moments during a connection, all participants or a specific participant
can be thrown out of the conversation. This is not a big issue per se, but
it could help to hide malicious actions such as the one described above
(one can send the file, and immediately after, make the victim's NetMeeting
drop the connection, which will make the dialog box of the file transfer
disappear.)

This vulnerability allows an attacker to execute arbitrary code. For
instance, she can upload a specially crafted DLL with the name of one of
the DLLs used by NetMeeting into the NetMeeting directory. The next time
NetMeeting is executed, the system will try to load these DLLs first from
the current directory, and then from C:\winnt\system32. So the system will
load the attacker's DLL and execute arbitrary code upon the next execution
of NetMeeting.

Another possibility is to upload an executable file into the startup
directory of win9x.
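The following Python is an added defensive example and is not code from the advisory, from Core, or from Microsoft. It models the receiving side's handling of the peer-supplied filename, which is the only side a defender controls: the flawed version joins the name onto the incoming-files directory and lets the ".." components collapse, so the advisory's crafted name lands in the root of the drive; the hardened version accepts only a bare file name and then confirms the destination's parent is still the incoming-files directory. The directory path RECEIVED_DIR is the advisory's example location and the sample names are constructed; PureWindowsPath gives Windows path semantics on any host.

```python
import re
from pathlib import PureWindowsPath

# Assumed location of incoming files (the directory the advisory names).
RECEIVED_DIR = PureWindowsPath(r"C:\Program Files\Received\Received Files")

# Win32 reserves these names for devices; creating "CON" or "NUL.txt" misbehaves.
_RESERVED = {"CON", "PRN", "AUX", "NUL"}
# Separators, drive colon, ADS colon and wildcard characters are never valid in a bare name.
_FORBIDDEN_CHARS = set('<>:"/\\|?*')


def vulnerable_destination(received_dir: PureWindowsPath, name: str) -> PureWindowsPath:
    """Model of the flawed receiver: join the peer-supplied name onto the
    incoming-files directory and let '..' parts collapse, as the file system
    would when the path is opened. An absolute 'name' even replaces received_dir."""
    raw = received_dir / name
    kept: list[str] = []
    for part in raw.parts[1:]:          # parts[0] is the drive anchor, e.g. 'C:\\'
        if part == "..":
            if kept:
                kept.pop()
        elif part != ".":
            kept.append(part)
    return PureWindowsPath(raw.anchor, *kept)


def escapes_received_dir(received_dir: PureWindowsPath, name: str) -> bool:
    """True when the flawed join lands the file outside received_dir."""
    return received_dir not in vulnerable_destination(received_dir, name).parents


def safe_destination(received_dir: PureWindowsPath, name: str) -> PureWindowsPath:
    """Hardened receiver: accept only a bare file name, then confirm the
    destination sits directly under received_dir. Raises ValueError otherwise."""
    if not name.strip() or name in (".", ".."):
        raise ValueError(f"rejected empty or dot name {name!r}")
    if _FORBIDDEN_CHARS & set(name) or any(ord(c) < 32 for c in name):
        raise ValueError(f"rejected separator, drive or control character in {name!r}")
    if name.rstrip(". ") != name:
        raise ValueError(f"rejected trailing dot/space in {name!r} (Win32 strips them)")
    p = PureWindowsPath(name)
    if p.anchor or len(p.parts) != 1:
        raise ValueError(f"rejected multi-component name {name!r}")
    stem = name.split(".", 1)[0].upper()
    if stem in _RESERVED or re.fullmatch(r"(COM|LPT)[1-9]", stem):
        raise ValueError(f"rejected reserved device name {name!r}")
    dest = received_dir / name
    # Belt and braces: the parent of the destination must be received_dir itself.
    if dest.parent != received_dir:
        raise ValueError(f"rejected {name!r}: destination {dest} leaves {received_dir}")
    return dest


def is_safe_name(received_dir: PureWindowsPath, name: str) -> bool:
    """Accept/reject wrapper around safe_destination for bulk checks."""
    try:
        safe_destination(received_dir, name)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample names. The advisory's crafted name keeps the 27-byte
    # length of "example_example_example.txt", which is why the in-debugger
    # edit in the reproduction steps works without touching any length field.
    for sample in ("example_example_example.txt", r"..\..\..\xample_example.txt",
                   r"C:\evil.dll", "CON"):
        verdict = "accept" if is_safe_name(RECEIVED_DIR, sample) else "reject"
        print(f"{sample!r:32} flawed -> {vulnerable_destination(RECEIVED_DIR, sample)}"
              f"   hardened -> {verdict}")
```

The hardened check deliberately rejects rather than sanitises: stripping "..\" from a peer-supplied name invites a second round of bypasses, whereas refusing anything that is not a single, plain component leaves no path for the receiver to mis-resolve.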
That file will be executed the next time the user starts win9x.

*About Core Security Technologies*

Core Security Technologies develops strategic security solutions for
Fortune 1000 corporations, government agencies and military organizations.
The company offers information security software and services designed to
assess risk and protect and manage information assets. Headquartered in
Boston, MA, Core Security Technologies can be reached at 617-399-6980 or on
the Web at http://www.coresecurity.com.

To learn more about CORE IMPACT, the first comprehensive penetration
testing framework, visit: http://www.coresecurity.com/products/coreimpact

*DISCLAIMER:*

The contents of this advisory are copyright (c) 2003 CORE Security
Technologies and may be distributed freely provided that no fee is charged
for this distribution and proper credit is given.

$Id: NetMeeting-advisory.txt,v 1.11 2003/07/02 15:45:46 carlos Exp $

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to email@example.com
and we will forward your request to the appropriate person.

This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no
control over its content. The decision to follow or act on information or
advice contained in this security bulletin is the responsibility of each
user or organisation, and should be considered in accordance with your
organisation's site policies and procedures. AusCERT takes no
responsibility for consequences which may arise from following or acting
on information or advice contained in this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at a
later date, it is recommended that the bulletin is retrieved directly from
the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

If you believe that your computer system has been compromised or attacked
in any way, we encourage you to let us know by completing the secure
National IT Incident Reporting Form at:

        http://www.auscert.org.au/render.html?it=3192

Internet Email: firstname.lastname@example.org
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.

-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQCVAwUBPwOnHih9+71yA2DNAQGcIQP/SDo5zv6bH7mDjTsIyZHWEyl+u3DtKqUd
XfMzMxkTlaK00tqtlAaKjcYZmfjHacgKSSJs+q0/IiLAAwy1ZI2e2OVxUd0g7Fof
VcDPmemoQ5ilevOdCJAyebG5BDrh0jjNyO2rpBiMYtK11z/vvO93scGVKAeyy36y
MzKZHNkaY1s=
=qNHw
-----END PGP SIGNATURE-----