Remote Exploitable: Yes (via WEB-DAV)
Local Exploitable: Yes
Patch Status: Vendor released a patch (See Solution)
Discovered by: Nikolas Sotiriu
Disclosure Policy: http://sotiriu.de/policy.html
Thanks to: Thierry Zoller: For the permission to use his
Policy
Background:
DATEV eG is a German Company, which makes Software for tax advisors and
lawyers.
The affected Base System has to be installed on all systems that
need DATEV Software.
Description:
The DATEV Base System (Grundpaket Basis) installes multiple applications,
which are vulnerable to the Insecure DLL Hijacking Vulnerability.
The following applications pass an insufficiently qualified path in
loading external libraries.
2010.08.25: Vulnerability found
2010.08.30: Sent PoC, Advisory, Disclosure policy and planned disclosure
date (2010.09.09) to Vendor
2010.08.30: Initial vendor response
2010.09.07: Vendor wishes to delay the release to the 2010.10.28.
2010.09.07: Changed release date to 2010.10.28.
2010.10.26: Patch is finished. Vendor wishes to delay the release to 2011.
2010.10.26: Changed release date to 2011.01.06.
2011.01.04: Vendor wishes to delay the release again.
2011.01.12: Changed release date to 2011.01.20.
2011.01.20: Release of Advisory
{"id": "SECURITYVULNS:DOC:25532", "bulletinFamily": "software", "title": "NSOADV-2010-010: DATEV Multiple Applications DLL Hijacking Vulnerability", "description": "______________________________________________________________________\r\n-------------------------- NSOADV-2010-010 ---------------------------\r\n\r\n DATEV Multiple Applications DLL Hijacking Vulnerability\r\n______________________________________________________________________\r\n______________________________________________________________________\r\n\r\n 111101111\r\n 11111 00110 00110001111\r\n 111111 01 01 1 11111011111111\r\n 11111 0 11 01 0 11 1 1 111011001\r\n 11111111101 1 11 0110111 1 1111101111\r\n 1001 0 1 10 11 0 10 11 1111111 1 111 111001\r\n 111111111 0 10 1111 0 11 11 111111111 1 1101 10\r\n 00111 0 0 11 00 0 1110 1 1011111111111 1111111 11 100\r\n 10111111 0 01 0 1 1 111110 11 1111111111111 11110000011\r\n 0111111110 0110 1110 1 0 11101111111111111011 11100 00\r\n 01111 0 10 1110 1 011111 1 111111111111111111111101 01\r\n 01110 0 10 111110 110 0 11101111111111111111101111101\r\n 111111 11 0 1111 0 1 1 1 1 111111111111111111111101 111\r\n 111110110 10 0111110 1 0 0 1111111111111111111111111 110\r\n 111 11111 1 1 111 1 10011 101111111111011111111 0 1100\r\n 111 10 110 101011110010 11111111111111111111111 11 0011100\r\n 11 10 001100 0001 111111111111111111 10 11 11110\r\n 11110 00100 00001 10 1 1111 101010001 11111111\r\n 11101 0 1011 10000 00100 11100 00001101 0\r\n 0110 111011011 0110 10001 101 11110\r\n 1011 1 10 101 000001 01 00\r\n 1010 1 11001 1 1 101 10\r\n 110101011 0 101 11110\r\n 110000011\r\n 111\r\n______________________________________________________________________\r\n______________________________________________________________________\r\n\r\n Title: DATEV Multiple Applications DLL Hijacking\r\n Vulnerability\r\n Severity: Medium/High\r\n Advisory ID: NSOADV-2010-010\r\n Found Date: 25.08.2010\r\n Date Reported: 30.08.2010\r\n Release Date: 20.01.2011\r\n Author: Nikolas Sotiriu\r\n Mail: nso-research at sotiriu.de\r\n Website: http://sotiriu.de/\r\n Twitter: http://twitter.com/nsoresearch\r\n Advisory-URL: http://sotiriu.de/adv/NSOADV-2010-010.txt\r\n Vendor: DATEV (http://www.datev.de/)\r\n Affected Products: DATEV Base System (Grundpaket Basis CD23.20)\r\n Affected Component: - DMTGUI2.EXE\r\n - DvInesLogFileViewer.Exe\r\n\r\n Remote Exploitable: Yes (via WEB-DAV)\r\n Local Exploitable: Yes\r\n Patch Status: Vendor released a patch (See Solution)\r\n Discovered by: Nikolas Sotiriu\r\n Disclosure Policy: http://sotiriu.de/policy.html\r\n Thanks to: Thierry Zoller: For the permission to use his\r\n Policy\r\n\r\n\r\n\r\nBackground:\r\n===========\r\n\r\nDATEV eG is a German Company, which makes Software for tax advisors and\r\nlawyers.\r\n\r\nThe affected Base System has to be installed on all systems that\r\nneed DATEV Software.\r\n\r\n\r\n\r\nDescription:\r\n============\r\n\r\nThe DATEV Base System (Grundpaket Basis) installes multiple applications,\r\nwhich are vulnerable to the Insecure DLL Hijacking Vulnerability.\r\n\r\nThe following applications pass an insufficiently qualified path in\r\nloading external libraries.\r\n\r\n\r\nDMTGUI2.EXE\r\n+----------\r\nExtensions: dmt\r\nLibrary: DVBSKNLANG101.dll\r\n\r\n\r\nDvInesLogFileViewer.Exe\r\n+----------------------\r\nExtensions: adl, c02, dof, jrf\r\nLibrary: DvZediTermSrvInfo004.dll\r\n\r\n\r\n\r\nProof of Concept :\r\n==================\r\n\r\nMetasploit:\r\nmsfpayload windows/exec CMD=calc.exe D > <name>.dll\r\n\r\n\r\n\r\nSolution:\r\n=========\r\n\r\nInstall Programm-DVD 25.0\r\n\r\n\r\n\r\nReferences:\r\n===========\r\n\r\nWorkaround Solution: http://support.microsoft.com/kb/2264107\r\n\r\nExploiting DLL Hijacking Flaws:\r\nhttp://blog.metasploit.com/2010/08/exploiting-dll-hijacking-flaws.html\r\n\r\n\r\n\r\nDisclosure Timeline (YYYY/MM/DD):\r\n=================================\r\n\r\n2010.08.25: Vulnerability found\r\n2010.08.30: Sent PoC, Advisory, Disclosure policy and planned disclosure\r\n date (2010.09.09) to Vendor\r\n2010.08.30: Initial vendor response\r\n2010.09.07: Vendor wishes to delay the release to the 2010.10.28.\r\n2010.09.07: Changed release date to 2010.10.28.\r\n2010.10.26: Patch is finished. Vendor wishes to delay the release to 2011.\r\n2010.10.26: Changed release date to 2011.01.06.\r\n2011.01.04: Vendor wishes to delay the release again.\r\n2011.01.12: Changed release date to 2011.01.20.\r\n2011.01.20: Release of Advisory\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n", "published": "2011-01-24T00:00:00", "modified": "2011-01-24T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:25532", "reporter": "Securityvulns", "references": [], "cvelist": [], "type": "securityvulns", "lastseen": "2018-08-31T11:10:38", "edition": 1, "viewCount": 171, "enchantments": {"score": {"value": 6.1, "vector": "NONE", "modified": "2018-08-31T11:10:38", "rev": 2}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2008-7273", "CVE-2014-2595", "CVE-2015-9286", "CVE-2008-7272"]}, {"type": "nessus", "idList": ["FEDORA_2018-2BDFC9DC67.NASL"]}, {"type": "zdt", "idList": ["1337DAY-ID-25532"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:DOC:32652", "SECURITYVULNS:DOC:32659", "SECURITYVULNS:DOC:32654", "SECURITYVULNS:DOC:32656", "SECURITYVULNS:VULN:14755", "SECURITYVULNS:VULN:14753", "SECURITYVULNS:DOC:32651", "SECURITYVULNS:VULN:14720", "SECURITYVULNS:DOC:32660", "SECURITYVULNS:DOC:32658"]}], "modified": "2018-08-31T11:10:38", "rev": 2}, "vulnersScore": 6.1}, "affectedSoftware": []}
{"rst": [{"lastseen": "2021-03-05T00:00:00", "bulletinFamily": "ioc", "cvelist": [], "description": "Found **87[.]242.68.67** in [RST Threat Feed](https://www.rstcloud.net/profeed) with score **2**.\n First seen: 2020-01-02T03:00:00, Last seen: 2021-03-05T03:00:00.\n IOC tags: **malware**.\nASN 25532: (First IP 87.242.64.0, Last IP 87.242.127.255).\nASN Name \"MASTERHOSTAS\" and Organisation \"Moscow Russia\".\nASN hosts 72984 domains.\nGEO IP information: City \"\", Country \"Russia\".\n[https://rstcloud.net/](https://rstcloud.net/)", "edition": 1, "modified": "2020-01-02T00:00:00", "id": "RST:3DDE5A78-276F-3EF2-BF90-386F0B290C19", "href": "", "published": "2021-03-06T00:00:00", "title": "RST Threat feed. IOC: 87.242.68.67", "type": "rst", "cvss": {}}, {"lastseen": "2021-03-05T00:00:00", "bulletinFamily": "ioc", "cvelist": [], "description": "Found **87[.]242.78.186** in [RST Threat Feed](https://www.rstcloud.net/profeed) with score **12**.\n First seen: 2020-12-22T03:00:00, Last seen: 2021-03-05T03:00:00.\n IOC tags: **generic**.\nASN 25532: (First IP 87.242.64.0, Last IP 87.242.127.255).\nASN Name \"MASTERHOSTAS\" and Organisation \"Moscow Russia\".\nASN hosts 72984 domains.\nGEO IP information: City \"\", Country \"Russia\".\n[https://rstcloud.net/](https://rstcloud.net/)", "edition": 1, "modified": "2020-12-22T00:00:00", "id": "RST:E4BC9913-519C-3DC4-BE63-622F52AF3696", "href": "", "published": "2021-03-06T00:00:00", "title": "RST Threat feed. IOC: 87.242.78.186", "type": "rst", "cvss": {}}, {"lastseen": "2021-03-05T00:00:00", "bulletinFamily": "ioc", "cvelist": [], "description": "Found **90[.]156.153.161** in [RST Threat Feed](https://www.rstcloud.net/profeed) with score **12**.\n First seen: 2020-12-22T03:00:00, Last seen: 2021-03-05T03:00:00.\n IOC tags: **generic**.\nASN 25532: (First IP 90.156.128.0, Last IP 90.156.230.255).\nASN Name \"MASTERHOSTAS\" and Organisation \"Moscow Russia\".\nASN hosts 72984 domains.\nGEO IP information: City \"\", Country \"Russia\".\n[https://rstcloud.net/](https://rstcloud.net/)", "edition": 1, "modified": "2020-12-22T00:00:00", "id": "RST:4A370271-FF96-31BB-9229-74851C366EB1", "href": "", "published": "2021-03-06T00:00:00", "title": "RST Threat feed. IOC: 90.156.153.161", "type": "rst", "cvss": {}}, {"lastseen": "2021-03-05T00:00:00", "bulletinFamily": "ioc", "cvelist": [], "description": "Found **90[.]156.196.18** in [RST Threat Feed](https://www.rstcloud.net/profeed) with score **12**.\n First seen: 2020-12-22T03:00:00, Last seen: 2021-03-05T03:00:00.\n IOC tags: **generic**.\nASN 25532: (First IP 90.156.128.0, Last IP 90.156.230.255).\nASN Name \"MASTERHOSTAS\" and Organisation \"Moscow Russia\".\nASN hosts 72984 domains.\nGEO IP information: City \"\", Country \"Russia\".\n[https://rstcloud.net/](https://rstcloud.net/)", "edition": 1, "modified": "2020-12-22T00:00:00", "id": "RST:3D9A0944-8EFF-3414-B642-2564E8F9D08D", "href": "", "published": "2021-03-06T00:00:00", "title": "RST Threat feed. IOC: 90.156.196.18", "type": "rst", "cvss": {}}, {"lastseen": "2021-03-05T00:00:00", "bulletinFamily": "ioc", "cvelist": [], "description": "Found **90[.]156.201.26** in [RST Threat Feed](https://www.rstcloud.net/profeed) with score **47**.\n First seen: 2021-02-26T03:00:00, Last seen: 2021-03-05T03:00:00.\n IOC tags: **generic**.\nWe found that the IOC is used by: **virut**.\nASN 25532: (First IP 90.156.128.0, Last IP 90.156.230.255).\nASN Name \"MASTERHOSTAS\" and Organisation \"Moscow Russia\".\nASN hosts 72984 domains.\nGEO IP information: City \"\", Country \"Russia\".\nIn according to RST Threat Feed the IP is related to **umvita.com** malicious domains.\n[https://rstcloud.net/](https://rstcloud.net/)", "edition": 1, "modified": "2021-02-26T00:00:00", "id": "RST:36AB98AF-89CC-3907-A5BF-C047DBC95C27", "href": "", "published": "2021-03-06T00:00:00", "title": "RST Threat feed. IOC: 90.156.201.26", "type": "rst", "cvss": {}}, {"lastseen": "2021-03-05T00:00:00", "bulletinFamily": "ioc", "cvelist": [], "description": "Found **90[.]156.201.27** in [RST Threat Feed](https://www.rstcloud.net/profeed) with score **47**.\n First seen: 2021-02-26T03:00:00, Last seen: 2021-03-05T03:00:00.\n IOC tags: **generic**.\nWe found that the IOC is used by: **virut**.\nASN 25532: (First IP 90.156.128.0, Last IP 90.156.230.255).\nASN Name \"MASTERHOSTAS\" and Organisation \"Moscow Russia\".\nASN hosts 72984 domains.\nGEO IP information: City \"\", Country \"Russia\".\nIn according to RST Threat Feed the IP is related to **umvita.com** malicious domains.\n[https://rstcloud.net/](https://rstcloud.net/)", "edition": 1, "modified": "2021-02-26T00:00:00", "id": "RST:AC566C85-1655-31D4-B7A9-1E4ACA77FADC", "href": "", "published": "2021-03-06T00:00:00", "title": "RST Threat feed. IOC: 90.156.201.27", "type": "rst", "cvss": {}}, {"lastseen": "2021-03-05T00:00:00", "bulletinFamily": "ioc", "cvelist": [], "description": "Found **90[.]156.201.55** in [RST Threat Feed](https://www.rstcloud.net/profeed) with score **47**.\n First seen: 2021-02-26T03:00:00, Last seen: 2021-03-05T03:00:00.\n IOC tags: **generic**.\nWe found that the IOC is used by: **virut**.\nASN 25532: (First IP 90.156.128.0, Last IP 90.156.230.255).\nASN Name \"MASTERHOSTAS\" and Organisation \"Moscow Russia\".\nASN hosts 72984 domains.\nGEO IP information: City \"\", Country \"Russia\".\nIn according to RST Threat Feed the IP is related to **umvita.com** malicious domains.\n[https://rstcloud.net/](https://rstcloud.net/)", "edition": 1, "modified": "2021-02-26T00:00:00", "id": "RST:18433E0E-91ED-3824-967D-A7E7DB1227E7", "href": "", "published": "2021-03-06T00:00:00", "title": "RST Threat feed. IOC: 90.156.201.55", "type": "rst", "cvss": {}}, {"lastseen": "2021-03-05T00:00:00", "bulletinFamily": "ioc", "cvelist": [], "description": "Found **90[.]156.201.29** in [RST Threat Feed](https://www.rstcloud.net/profeed) with score **47**.\n First seen: 2021-02-26T03:00:00, Last seen: 2021-03-05T03:00:00.\n IOC tags: **generic**.\nWe found that the IOC is used by: **virut**.\nASN 25532: (First IP 90.156.128.0, Last IP 90.156.230.255).\nASN Name \"MASTERHOSTAS\" and Organisation \"Moscow Russia\".\nASN hosts 72984 domains.\nGEO IP information: City \"\", Country \"Russia\".\nIn according to RST Threat Feed the IP is related to **umvita.com** malicious domains.\n[https://rstcloud.net/](https://rstcloud.net/)", "edition": 1, "modified": "2021-02-26T00:00:00", "id": "RST:426A5DFD-5FD0-3796-A657-7A3F8300078D", "href": "", "published": "2021-03-06T00:00:00", "title": "RST Threat feed. IOC: 90.156.201.29", "type": "rst", "cvss": {}}, {"lastseen": "2021-03-05T00:00:00", "bulletinFamily": "ioc", "cvelist": [], "description": "Found **217[.]16.18.219** in [RST Threat Feed](https://www.rstcloud.net/profeed) with score **12**.\n First seen: 2020-12-22T03:00:00, Last seen: 2021-03-05T03:00:00.\n IOC tags: **generic**.\nASN 25532: (First IP 217.16.16.0, Last IP 217.16.31.255).\nASN Name \"MASTERHOSTAS\" and Organisation \"Moscow Russia\".\nASN hosts 72984 domains.\nGEO IP information: City \"\", Country \"Russia\".\n[https://rstcloud.net/](https://rstcloud.net/)", "edition": 1, "modified": "2020-12-22T00:00:00", "id": "RST:171D69E7-4274-3973-A500-6759D0FA9CF5", "href": "", "published": "2021-03-06T00:00:00", "title": "RST Threat feed. IOC: 217.16.18.219", "type": "rst", "cvss": {}}, {"lastseen": "2021-03-05T00:00:00", "bulletinFamily": "ioc", "cvelist": [], "description": "Found **83[.]222.5.124** in [RST Threat Feed](https://www.rstcloud.net/profeed) with score **12**.\n First seen: 2020-12-22T03:00:00, Last seen: 2021-03-05T03:00:00.\n IOC tags: **generic**.\nASN 25532: (First IP 83.222.0.0, Last IP 83.222.31.255).\nASN Name \"MASTERHOSTAS\" and Organisation \"Moscow Russia\".\nASN hosts 72984 domains.\nGEO IP information: City \"\", Country \"Russia\".\n[https://rstcloud.net/](https://rstcloud.net/)", "edition": 1, "modified": "2020-12-22T00:00:00", "id": "RST:9B153C7E-2B82-3ADE-B1AD-68F534B6ACE7", "href": "", "published": "2021-03-06T00:00:00", "title": "RST Threat feed. IOC: 83.222.5.124", "type": "rst", "cvss": {}}], "cve": [{"lastseen": "2021-02-02T06:14:28", "description": "Barracuda Web Application Firewall (WAF) 7.8.1.013 allows remote attackers to bypass authentication by leveraging a permanent authentication token obtained from a query string.", "edition": 7, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-02-12T01:15:00", "title": "CVE-2014-2595", "type": "cve", "cwe": ["CWE-613"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-2595"], "modified": "2020-02-20T15:55:00", "cpe": ["cpe:/a:barracuda:web_application_firewall:7.8.1.013"], "id": "CVE-2014-2595", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-2595", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:barracuda:web_application_firewall:7.8.1.013:*:*:*:*:*:*:*"]}, {"lastseen": "2021-02-02T05:35:21", "description": "A symlink issue exists in Iceweasel-firegpg before 0.6 due to insecure tempfile handling.", "edition": 8, "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2019-11-18T22:15:00", "title": "CVE-2008-7273", "type": "cve", "cwe": ["CWE-59"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2008-7273"], "modified": "2019-11-20T15:56:00", "cpe": [], "id": "CVE-2008-7273", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-7273", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": []}]}
