-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
==========================================================================
==========================================================================
Ultr@VNC Viewer 1.0.8.2 (vncviewer.exe) dll hijacking reloaded
Author: shinnai
mail: shinnai[at]autistici[dot]org
site: http://www.shinnai.altervista.org/
This was written for educational purposes. Use it at your own risk.
The author will not be responsible for any damage.
Tested on:
Windows 7 Professional, fully patched
==========================================================================
==========================================================================
DESCRIPTION:
I think this is just a logic flaw; in fact, this program is still
vulnerable to DLL hijacking simply by creating, in the same folder as
one of the files listed below, these folders:
"%commonprogramfiles%\microsoft shared\windows live"
and then putting our DLL into the "windows live" folder.
E.g.
C:\>dir /S test
 Volume in drive C has no label.
 Volume Serial Number is XXXX-YYYY

 Directory of C:\test

14/10/2010  11:29    <DIR>          .
14/10/2010  11:29    <DIR>          ..
14/10/2010  11:29    <DIR>          %commonprogramfiles%
07/10/2010  13:22                 8 test.xspf
               1 File(s)              8 bytes

 Directory of C:\test\%commonprogramfiles%

14/10/2010  11:29    <DIR>          .
14/10/2010  11:29    <DIR>          ..
14/10/2010  11:29    <DIR>          microsoft shared
               0 File(s)              0 bytes

 Directory of C:\test\%commonprogramfiles%\microsoft shared

14/10/2010  11:29    <DIR>          .
14/10/2010  11:29    <DIR>          ..
14/10/2010  11:29    <DIR>          windows live
               0 File(s)              0 bytes

 Directory of C:\test\%commonprogramfiles%\microsoft shared\windows live

14/10/2010  11:29    <DIR>          .
14/10/2010  11:29    <DIR>          ..
14/10/2010  09:36            14,336 vnclang.dll
               1 File(s)         14,336 bytes
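
Added example, not part of the original advisory: a defender-side check for the folder layout shown above. It walks a directory tree and reports library files that sit under a directory whose name is a literal, unexpanded %VARIABLE% string. The function names, the extension list and the sample tree are assumptions constructed for this illustration.

```python
import os
import re
import tempfile

# A path component that is a literal, unexpanded variable such as %commonprogramfiles%
UNEXPANDED = re.compile(r"^%[A-Za-z0-9_()]+%$")
LIBRARY_EXTS = {".dll", ".ocx", ".cpl"}  # assumption: module extensions worth flagging


def find_planted_libraries(root):
    """Return sorted relative paths of library files below a literal %VAR% directory."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root)
        # Only directories with a %VAR%-named component somewhere in their path matter.
        if not any(UNEXPANDED.match(part) for part in rel_dir.split(os.sep)):
            continue
        for name in filenames:
            if os.path.splitext(name)[1].lower() in LIBRARY_EXTS:
                hits.append(os.path.join(rel_dir, name))
    return sorted(hits)


def build_sample_tree(root):
    """Constructed sample: the layout from the advisory's dir listing, with empty files."""
    nested = os.path.join(root, "%commonprogramfiles%", "microsoft shared", "windows live")
    os.makedirs(nested)
    # Control case: a DLL outside any %VAR% directory must not be reported.
    os.makedirs(os.path.join(root, "plugins"))
    for path in (os.path.join(root, "test.xspf"),
                 os.path.join(nested, "vnclang.dll"),
                 os.path.join(root, "plugins", "codec.dll")):
        with open(path, "wb"):
            pass


def demo():
    """Build the sample tree in a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return find_planted_libraries(root)


if __name__ == "__main__":
    for hit in demo():
        print("suspicious:", hit)
```

Point find_planted_libraries at download folders, mail attachment caches and network shares, where files of the affected type are likely to be opened from.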
==========================================================================
==========================================================================
INFO:
Prg.: vncviewer.exe
Ver.: 1.0.8.2
Ext.: vnc
dll: vnclang.dll
==========================================================================
==========================================================================
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (MingW32)
-----END PGP SIGNATURE-----