<DIV>Dear F/D Mailing</DIV>
<DIV>-----------[Cut Cut]--------------------------------</DIV>
<DIV>Title: HAURI live update: arbitrary remote file download and execution vulnerability</DIV>
<DIV>Discoverer: Original discoverer Neo<BR> Original exploit improver PARK, GYU TAE (<A href="mailto:saintlinu@null2root.org">saintlinu@null2root.org</A>)</DIV>
<DIV>Advisory No.: NRVA05-03</DIV>
<DIV>Critical: High Critical</DIV>
<DIV>Impact: Arbitrary file download from the Internet and execution</DIV>
<DIV>Where: From remote</DIV>
<DIV>Operating System: Windows Only</DIV>
<DIV>Solution: Patched</DIV>
<DIV>Affected S/W: <A href="http://update.nprotect.net/newlivecall/engine/livecall.cab#version=2004,6,25,1">http://update.nprotect.net/newlivecall/engine/livecall.cab#version=2004,6,25,1</A> by Neo<BR> <A href="http://fx.HAURI.net/HProduct/livesuite/XXXXXXX/CLIENT/LiveSuite/web/HLiveRobotWeb.cab#version=2005,6,21,1">http://fx.HAURI.net/HProduct/livesuite/XXXXXXX/CLIENT/LiveSuite/web/HLiveRobotWeb.cab#version=2005,6,21,1</A> by Saintlinu</DIV>
<DIV>Notice: 06. 29. 2005 initiated<BR> 06. 30. 2005 2ND No response<BR> 07. 05. 2005 Vendor responded and will patch by 07. 22. 2005<BR> 07. 21. 2005 patched<BR> 07. 26. 2005 Vulnerability disclosed</DIV>
<DIV>Description: </DIV>
<DIV>HAURI is an antivirus vendor in Korea.</DIV>
<DIV>LiveSuite offers users an Internet-based service for scanning for and cleaning viruses, worms, hack tools and so on.</DIV>
<DIV>See the detailed description below:</DIV>
<DIV>[The first half]</DIV>
<DIV>Neo discovered the vulnerability at <A href="http://update.nprotect.net/newlivecall/livecall.html">http://update.nprotect.net/newlivecall/livecall.html</A><BR>HAURI never checks the parameters when it updates from the Internet update server,<BR>and it never checks a file's checksum or hash value either.</DIV>
<DIV>He modified the liveup.haz file, which is the live update configuration file;<BR>that file is simply compressed with a ZIP compressor.</DIV>
<DIV>If a HAURI user visits a phishing page (for example, one reached through a BBS that has a vulnerability such as cross-site scripting),<BR>the malicious software is downloaded without any restriction.</DIV>
<DIV>If a file with the same name as the malicious software, such as cmd.exe, already exists, HAURI overwrites it.</DIV>
<DIV>[The latter half]</DIV>
<DIV>As you have seen above, Saintlinu improved Neo's exploit.</DIV>
<DIV>Saintlinu found the HAURI LIVE UPDATE program at XXX commercial companies in Korea.</DIV>
<DIV>HAURI checks the files listed in liveup.haz, but that is all.<BR>A file's checksum is just the date and time when it was made;</DIV>
<DIV>therefore we can exploit that vulnerability.</DIV>
<DIV>Technical Description:</DIV>
<DIV>NOT INCLUDED HERE</DIV>
<DIV>-----------[Cut Cut]--------------------------------</DIV>
<DIV>I highly respect Neo</DIV>
<DIV>Special thanks to my best group <A href="mailto:Null@root">Null@root</A>.</DIV>
<DIV>PS. I'm very sorry for my poor Konglish</DIV>
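<DIV>The two gaps the advisory describes (a "checksum" that is only a build date and time, and an updater that overwrites whatever file name it is given) can be closed on the client side as sketched below. This is an added example, not HAURI's code and not part of the original advisory; the manifest fields, file names and install path are constructed, because the advisory does not describe the liveup.haz layout, and the manifest is assumed to arrive with a signature that has already been verified.</DIV>

```python
import hashlib
import hmac
from pathlib import PureWindowsPath

# Constructed sample data: the real liveup.haz layout is not given in the advisory.
INSTALL_DIR = PureWindowsPath(r"C:\Program Files\Updater")  # hypothetical install root
GOOD = b"MZ...genuine engine build"
EVIL = b"MZ...substituted payload"
STAMP = "2005-06-21 10:00:00"

# Hypothetical manifest entry as a vendor would publish it. Verifying the
# signature on the manifest itself is assumed and outside this sketch.
ENTRY = {"name": "engine.dll", "stamp": STAMP,
         "sha256": hashlib.sha256(GOOD).hexdigest()}


def weak_check(entry, claimed_stamp):
    """Timestamp-as-checksum: depends only on metadata the sender supplies."""
    return entry["stamp"] == claimed_stamp


def digest_check(entry, payload):
    """Content digest: depends on every byte that will be written to disk."""
    actual = hashlib.sha256(payload).hexdigest()
    return hmac.compare_digest(actual, entry["sha256"])


def safe_destination(name, root=INSTALL_DIR):
    """Resolve a manifest file name under root, or None if it would escape."""
    p = PureWindowsPath(name)
    if p.drive or p.root or ".." in p.parts or len(p.parts) != 1:
        return None  # drive-qualified, absolute, nested or traversing name
    return root / p


def accept_update(entry, payload, claimed_stamp):
    """Return the install path only if every check passes, else None."""
    dest = safe_destination(entry["name"])
    if dest is None or not weak_check(entry, claimed_stamp):
        return None
    return dest if digest_check(entry, payload) else None
```

<DIV>The timestamp comparison never looks at the payload, so it cannot distinguish GOOD from EVIL; only the digest comparison and the path confinement do.</DIV>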