Lucene search

K
securityvulnsSecurityvulnsSECURITYVULNS:DOC:25532
HistoryJan 24, 2011 - 12:00 a.m.

NSOADV-2010-010: DATEV Multiple Applications DLL Hijacking Vulnerability

2011-01-2400:00:00
vulners.com
207

-------------------------- NSOADV-2010-010 ---------------------------

  DATEV Multiple Applications DLL Hijacking Vulnerability


                           111101111
                    11111 00110 00110001111
               111111 01 01 1 11111011111111
            11111  0 11 01 0 11 1 1  111011001
         11111111101 1 11 0110111  1    1111101111
       1001  0 1 10 11 0 10 11 1111111  1 111 111001
     111111111 0 10 1111 0 11 11 111111111 1 1101 10
    00111 0 0 11 00 0 1110 1 1011111111111 1111111 11  100
   10111111 0 01 0  1 1 111110 11 1111111111111  11110000011
   0111111110 0110 1110 1 0 11101111111111111011 11100  00
   01111 0 10 1110 1 011111 1 111111111111111111111101 01
   01110 0 10 111110 110 0 11101111111111111111101111101
  111111 11 0 1111 0 1 1 1 1 111111111111111111111101 111
  111110110 10 0111110 1 0 0 1111111111111111111111111 110
111 11111 1  1 111 1   10011 101111111111011111111 0   1100

111 10 110 101011110010 11111111111111111111111 11 0011100
11 10 001100 0001 111111111111111111 10 11 11110
11110 00100 00001 10 1 1111 101010001 11111111
11101 0 1011 10000 00100 11100 00001101 0
0110 111011011 0110 10001 101 11110
1011 1 10 101 000001 01 00
1010 1 11001 1 1 101 10
110101011 0 101 11110
110000011
111



Title: DATEV Multiple Applications DLL Hijacking
Vulnerability
Severity: Medium/High
Advisory ID: NSOADV-2010-010
Found Date: 25.08.2010
Date Reported: 30.08.2010
Release Date: 20.01.2011
Author: Nikolas Sotiriu
Mail: nso-research at sotiriu.de
Website: http://sotiriu.de/
Twitter: http://twitter.com/nsoresearch
Advisory-URL: http://sotiriu.de/adv/NSOADV-2010-010.txt
Vendor: DATEV (http://www.datev.de/)
Affected Products: DATEV Base System (Grundpaket Basis CD23.20)
Affected Component: - DMTGUI2.EXE
- DvInesLogFileViewer.Exe

Remote Exploitable: Yes (via WEB-DAV)
Local Exploitable: Yes
Patch Status: Vendor released a patch (See Solution)
Discovered by: Nikolas Sotiriu
Disclosure Policy: http://sotiriu.de/policy.html
Thanks to: Thierry Zoller: For the permission to use his
Policy

Background:

DATEV eG is a German Company, which makes Software for tax advisors and
lawyers.

The affected Base System has to be installed on all systems that
need DATEV Software.

Description:

The DATEV Base System (Grundpaket Basis) installes multiple applications,
which are vulnerable to the Insecure DLL Hijacking Vulnerability.

The following applications pass an insufficiently qualified path in
loading external libraries.

DMTGUI2.EXE
±---------
Extensions: dmt
Library: DVBSKNLANG101.dll

DvInesLogFileViewer.Exe
±---------------------
Extensions: adl, c02, dof, jrf
Library: DvZediTermSrvInfo004.dll

Proof of Concept :

Metasploit:
msfpayload windows/exec CMD=calc.exe D > <name>.dll

Solution:

Install Programm-DVD 25.0

References:

Workaround Solution: http://support.microsoft.com/kb/2264107

Exploiting DLL Hijacking Flaws:
http://blog.metasploit.com/2010/08/exploiting-dll-hijacking-flaws.html

Disclosure Timeline (YYYY/MM/DD):

2010.08.25: Vulnerability found
2010.08.30: Sent PoC, Advisory, Disclosure policy and planned disclosure
date (2010.09.09) to Vendor
2010.08.30: Initial vendor response
2010.09.07: Vendor wishes to delay the release to the 2010.10.28.
2010.09.07: Changed release date to 2010.10.28.
2010.10.26: Patch is finished. Vendor wishes to delay the release to 2011.
2010.10.26: Changed release date to 2011.01.06.
2011.01.04: Vendor wishes to delay the release again.
2011.01.12: Changed release date to 2011.01.20.
2011.01.20: Release of Advisory