[prev in list] [next in list] [prev in thread] [next in thread]
List: full-disclosure
Subject: [Full-disclosure] nProtect solutions arbitrary file download and
From: Park Gyutae <saintlinu () yahoo ! co ! kr>
Date: 2005-07-29 4:22:54
Message-ID: 20050729042254.14702.qmail () web70512 ! mail ! krs ! yahoo ! com
[Download RAW message or body]
[Attachment #2 (multipart/alternative)]
--------------------------------------------------------------------------------------------------------
Title: nProtect:Netizen arbitrary file download and execute vulnerability
nProtectPersonal Web Service arbitrary file download and execute vulnerability
Discoverer: PARK, GYU TAE (saintlinu@null2root.org)
Neo
Advisory No.: NRVA05-04
NRVA05-05
Critical: High critical
Impact: Gain remote user's privilige
Where: From remote
Operating System: Windows Only
Solution: Patched
Notice: 07. 01. 2005 initiate notify
07. 04. 2005 Second notify
07. 26. 2005 Patched
07. 29. 2005 Disclosure vulnerability
Description:
The nProtect:Netizen and nProtectPersonal Web Service are an antivirus solutions.
It defends user from Internet about well-known hack tools and viruses something
When it need update and patch itself then download from web site such as update.nprotect.net
that time nProtect update program, npdownv.exe, DO NOT CHECK THAT update site URL!!!
We can change URL, update configuration file and so on
But npdownv.exe DO CHECK files that downloaded from update site compressed WITH PASSWORD!!!
this means npdownv.exe already known password for decompress
I found password in npdownv.exe by REVERSE ENGINEEGERING
and Neo modified liveup.haz, configuration file
When user accees the phishing page then downloaded trojan from hacker URL
See following detail describe:
EXPLOIT NOT INCLUDED HERE
Related link:
http://www.nprotect.co.kr/service/nProtectPersonal/nprotect/npos/kor/personal_npos.html
--------------------------------------------------------------------------------------------------------
Special thanks for My best group Null@root.
PS. I'm very sorry for poor my konglish
__________________________________________________
µÎ À¯ ¾ßÈÄ!?
½ºÆÔ¶§¹®¿¡ ¥Áõ³ª¼¼¿ä? ¾ßÈÄ! ¸ÞÀÏÀÇ ½ºÆÔ ÷´Ü ±â¼ú·Î ¸ÞÀÏÀ» º¸È£ÇÕ´Ï´Ù
http://mail.yahoo.co.kr
[Attachment #5 (text/html)]
<P>--------------------------------------------------------------------------------------------------------</P>
<P>Title: \
nProtect:Netizen arbitrary file download and execute \
vulnerability<BR> \
nProtectPersonal Web Service arbitrary file download and execute vulnerability</P> \
<P>Discoverer: PARK, GYU TAE (<A \
href="mailto:saintlinu@null2root.org">saintlinu@null2root.org</A>)<BR> &n \
bsp; Neo</P> \
<P>Advisory No.: \
NRVA05-04<BR> \
NRVA05-05</P> <P>Critical: High \
critical</P> <P>Impact: Gain \
remote user's privilige</P> \
<P>Where: From \
remote</P> <P>Operating System: Windows Only</P>
<P>Solution: Patched </P>
<P>Notice: 07. 01. 2005 \
initiate notify<BR> \
07. 04. 2005 Second notify<BR> \
07. 26. 2005 Patched<BR> \
07. 29. 2005 Disclosure vulnerability</P> <P>Description: </P>
<P>The nProtect:Netizen and nProtectPersonal Web Service are an antivirus \
solutions.<BR> <BR>It defends user from Internet about well-known hack tools and viruses \
something</P> <P>When it need update and patch itself then download from web site such as \
update.nprotect.net</P> <P>that time nProtect update program, npdownv.exe, DO NOT CHECK THAT \
update site URL!!!</P> <P>We can change URL, update configuration file and so on</P>
<P>But npdownv.exe DO CHECK files that downloaded from update site compressed WITH \
PASSWORD!!!</P> <P>this means npdownv.exe already known password for decompress </P>
<P>I found password in npdownv.exe by REVERSE ENGINEEGERING </P>
<P>and Neo modified liveup.haz, configuration file</P>
<P>When user accees the phishing page then downloaded trojan from hacker URL</P>
<P>See following detail describe:</P>
<P>EXPLOIT NOT INCLUDED HERE</P>
<P>Related link:<BR><A \
href="http://www.nprotect.co.kr/service/nProtectPersonal/nprotect/npos/kor/personal_npos.html">h \
ttp://www.nprotect.co.kr/service/nProtectPersonal/nprotect/npos/kor/personal_npos.html</A></P> \
<P>--------------------------------------------------------------------------------------------------------</P>
<P>Special thanks for My best group <A href="mailto:Null@root">Null@root</A>. <BR>PS. I'm very \
sorry for poor my konglish </P> \
<P> </P><p>__________________________________________________<br>µÎ À¯ \
¾ßÈÄ!?<br>½ºÆÔ¶§¹®¿¡ ¥Áõ³ª¼¼¿ä? ¾ßÈÄ! ¸ÞÀÏÀÇ ½ºÆÔ ÷´Ü ±â¼ú·Î ¸ÞÀÏÀ» º¸È£ÇÕ´Ï´Ù \
<br>http://mail.yahoo.co.kr <img \
src='http://kr.recptproxy.mail.yahoo.com/updaterc?mid=4fKCNg17acsm5juzXEP9z8g--&extra=0' \
width=0 height=0>
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic