______________________________________________________________________ -------------------------- NSOADV-2010-010 --------------------------- DATEV Multiple Applications DLL Hijacking Vulnerability ______________________________________________________________________ ______________________________________________________________________ 111101111 11111 00110 00110001111 111111 01 01 1 11111011111111 11111 0 11 01 0 11 1 1 111011001 11111111101 1 11 0110111 1 1111101111 1001 0 1 10 11 0 10 11 1111111 1 111 111001 111111111 0 10 1111 0 11 11 111111111 1 1101 10 00111 0 0 11 00 0 1110 1 1011111111111 1111111 11 100 10111111 0 01 0 1 1 111110 11 1111111111111 11110000011 0111111110 0110 1110 1 0 11101111111111111011 11100 00 01111 0 10 1110 1 011111 1 111111111111111111111101 01 01110 0 10 111110 110 0 11101111111111111111101111101 111111 11 0 1111 0 1 1 1 1 111111111111111111111101 111 111110110 10 0111110 1 0 0 1111111111111111111111111 110 111 11111 1 1 111 1 10011 101111111111011111111 0 1100 111 10 110 101011110010 11111111111111111111111 11 0011100 11 10 001100 0001 111111111111111111 10 11 11110 11110 00100 00001 10 1 1111 101010001 11111111 11101 0 1011 10000 00100 11100 00001101 0 0110 111011011 0110 10001 101 11110 1011 1 10 101 000001 01 00 1010 1 11001 1 1 101 10 110101011 0 101 11110 110000011 111 ______________________________________________________________________ ______________________________________________________________________ Title: DATEV Multiple Applications DLL Hijacking Vulnerability Severity: Medium/High Advisory ID: NSOADV-2010-010 CVE Number: CVE-2010-xxxx Found Date: 25.08.2010 Date Reported: 30.08.2010 Release Date: 20.01.2011 Author: Nikolas Sotiriu Mail: nso-research at sotiriu.de Website: http://sotiriu.de/ Twitter: http://twitter.com/nsoresearch Advisory-URL: http://sotiriu.de/adv/NSOADV-2010-010.txt Vendor: DATEV (http://www.datev.de/) Affected Products: DATEV Base System (Grundpaket Basis CD23.20) Affected Component: - DMTGUI2.EXE - DvInesLogFileViewer.Exe Remote Exploitable: Yes (via WEB-DAV) Local Exploitable: Yes Patch Status: Vendor released a patch (See Solution) Discovered by: Nikolas Sotiriu Disclosure Policy: http://sotiriu.de/policy.html Thanks to: Thierry Zoller: For the permission to use his Policy Background: =========== DATEV eG is a German Company, which makes Software for tax advisors and lawyers. The affected Base System has to be installed on all systems that need DATEV Software. Description: ============ The DATEV Base System (Grundpaket Basis) installes multiple applications, which are vulnerable to the Insecure DLL Hijacking Vulnerability. The following applications pass an insufficiently qualified path in loading external libraries. DMTGUI2.EXE +---------- Extensions: dmt Library: DVBSKNLANG101.dll DvInesLogFileViewer.Exe +---------------------- Extensions: adl, c02, dof, jrf Library: DvZediTermSrvInfo004.dll Proof of Concept : ================== Metasploit: msfpayload windows/exec CMD=calc.exe D > .dll Solution: ========= Install Programm-DVD 25.0 References: =========== Workaround Solution: http://support.microsoft.com/kb/2264107 Exploiting DLL Hijacking Flaws: http://blog.metasploit.com/2010/08/exploiting-dll-hijacking-flaws.html Disclosure Timeline (YYYY/MM/DD): ================================= 2010.08.25: Vulnerability found 2010.08.30: Sent PoC, Advisory, Disclosure policy and planned disclosure date (2010.09.09) to Vendor 2010.08.30: Initial vendor response 2010.09.07: Vendor wishes to delay the release to the 2010.10.28. 2010.09.07: Changed release date to 2010.10.28. 2010.10.26: Patch is finished. Vendor wishes to delay the release to 2011. 2010.10.26: Changed release date to 2011.01.06. 2011.01.04: Vendor wishes to delay the release again. 2011.01.12: Changed release date to 2011.01.20. 2011.01.20: Release of Advisory