Title: Antamedia Internet Cafe Software 7.1 Insecure Permissions/DLL Loading
Advisory ID: ZSL-2011-5005
Type: Local/Remote
Impact: System Access, Privilege Escalation
Risk: (4/5)
Release Date: 03.04.2011
Internet Cafe Software – Cyber Cafe software is a worldwide top selling solution for CyberCafe management and game center control. It protects your computers from unauthorized usage and helps with customer billing. Many features like POS, print manager, console controller, smart cards, credit card billing, makes it suitable for any cyber cafe, hotel, airport terminals, game center.
Antamedia ICS suffers from a dll hijacking vulnerability and improper ACL permissions that enables the attacker to execute arbitrary code or change the binary with another of his/her choice because of the ©Change perm for the group Everyone (AICLogin.exe, AICCore.exe). The vulnerable extensions are .fp3 and .swf thru qwave.dll library.
Antamedia - <http://www.antamediacafe.com>
7.1.1.0
Microsoft Windows XP Professional SP3 (EN)
N/A
Vulnerability discovered by Gjoko Krstic - <[email protected]>
[1] <http://securityreason.com/exploitalert/10271>
[2] <http://packetstormsecurity.org/files/100029>
[03.04.2011] - Initial release
[04.04.2011] - Added reference [1] and [2]
Zero Science Lab
Web: <http://www.zeroscience.mk>
e-mail: [email protected]
<html><body><p>/*
Antamedia Internet Cafe Software 7.1 Insecure Permissions/DLL Loading
Vendor: Antamedia
Product Web Page: http://www.antamediacafe.com
Affected Version: 7.1.1.0
Summary: Internet Cafe Software � Cyber Cafe software is a worldwide top
selling solution for CyberCafe management and game center control. It
protects your computers from unauthorized usage and helps with customer
billing. Many features like POS, print manager, console controller, smart
cards, credit card billing, makes it suitable for any cyber cafe, hotel,
airport terminals, game center.
Desc: Antamedia ICS suffers from a dll hijacking vulnerability and improper
ACL permissions that enables the attacker to execute arbitrary code or change
the binary with another of his/her choice because of the (C)Change perm for the
group Everyone (AICLogin.exe, AICCore.exe). The vulnerable extensions are .fp3
and .swf thru qwave.dll library.
Tested on Microsoft Windows XP Professional SP3 (EN)
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
liquidworm gmail com
Zero Science Lab - http://www.zeroscience.mk
Advisory ID: ZSL-2011-5005
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2011-5005.php
26.03.2011
*/
#include <windows.h>
BOOL WINAPI DllMain (HANDLE hinstDLL, DWORD fdwReason, LPVOID lpvReserved)
{
switch (fdwReason)
{
case DLL_PROCESS_ATTACH:
dll_mll();
case DLL_THREAD_ATTACH:
case DLL_THREAD_DETACH:
case DLL_PROCESS_DETACH:
break;
}
return TRUE;
}
int dll_mll()
{
MessageBox(0, "DLL Hijacked!", "DLL Message", MB_OK);
}</windows.h></p></body></html>