Officescan server not updating
Remember: digital signatures only tell you about the creator of the message, not the intent of the creator :) All in all I could identify several weaknesses of OfficeScan; the following video demonstrates the attack: This attack is realistic when the attacker is able to intercept client GUIDs from the network or wants to escalate her privileges locally. With another infoleak it might be possible to improve the attack to CVSS 10.0. As such, they are not trivial to fix, or even to decide whether they are in fact vulnerabilities. This publication comes after months of discussion with the vendor in accordance with the disclosure policy of the HP Zero Day Initiative. Now I would like to share a series of little issues which can be chained together to achieve remote code execution.
This is a simple GET request in the form of: As you can see, this algorithm is basically a simple polyalphabetic cipher (similar to the Vigenère cipher) that I could easily recreate independently of the original library: after running a quick loop that encrypted 1KB strings of all printable characters (1024 times 'A', 1024 times 'B', etc.), I had a lookup database that could be used to encrypt and decrypt virtually anything.
Since this software looked quite complex (big attack surface) I decided to take a closer look at it.
After installing a trial version (10.6 SP1) I could already tell that this software would be worth the effort: And there are possibly many other fragile parts of the system.
Other exploit vectors based (partially) on these findings are also possible; the software is big and I haven't looked at most of it yet.
I notified the vendor about the first infoleak on 3 January 2014.