Document Title: =============== LAN.FS Messenger v2.4 - Command Execution Vulnerability Date: ===== 2012-11-13 References: =========== http://www.vulnerability-lab.com/get_content.php?id=760 VL-ID: ===== 760 Common Vulnerability Scoring System: ==================================== 8.2 Introduction: ============= Lan.FS is a very quick, small and compact freeware networktool (for non-commercial use only) for Windows 2000/XP/2003/Vista & Windows 7. It is easy to handle for beginners and provides various functions for experts, too. Some features are: Messenger with animated emoticons Filetransfer service with statusdisplay Remote Desktop functions to telecommand other computers in your network Remote Shell function for access to the systemprompt of other computers in your network. Access to the whole filesystem of other computers Windows commands (reboot, shutdown, user switch, run) on other computers These functions are provided in your Local Area Network. Innovative aspects concerning networkprograms are: Lan.FS is ready for operation directly after finishing installation. You do not need specialised knowledge about networks and networkadministration Lan.FS does not feature needless functions: You decide what to do. Lan.FS works Windows-Workinggroups independent Lan.FS works in WLAN networks (even if they are not absolutely stable) Lan.FS provides a substantial support and trouble shooting Lan.FS is Vista capable (Copy of the Vendor Homepage: http://www.lan-fs.de/ ) Abstract: ========= The Vulnerability Laboratory Research Team discovered a command execution vulnerability in the official LAN.FS v2.4 Messenger Software. Report-Timeline: ================ 2012-11-12: Public Disclosure Status: ======== Published Exploitation-Technique: ======================= Remote Severity: ========= Critical Details: ======== A command execution vulnerability is detected in the official LAN.FS v2.4 Messenger Software. The vulnerability allows an remote attacker without user inter action to execute own system specific codes to compromise the connected client system in the lan. The command execution vulnerability is located in the Netzwerkeinstellungen - Administration (Computer editieren, add & co.) > Computersettings (Computereinstellungen) module with the bound vulnerability Computername software input field. Remote attackers can change the own computername to execute malicious system commands or script code attacks against the connected client via Messenger Service (Nachrichtendienst). The windows path system commands/request or the malicious injected script code will be directly executed out of the Nachrichtendienst web context. Successful exploitation of the vulnerability results in system compromise via command injection/execution, persistent script code injections, persistent software context manipulation, external malware loads or malicious external redirects. Exploitation of the vulnerability requires a connected conversation but no direct user inter action. The commands or script code will be executed when the message is processing to arrive. Vulnerable Software Section(s): [+] Local Area Network - Computer Details Vulnerable Software Module(s): [+] Computtersettings Vulnerable Software Parameter(s): [+] Computername Affected Software Module(s): [+] Nachrichtendienst (Messenger Service) Proof of Concept: ================= The software validation vulnerability can be exploited by remote attacker without required user interaction or application user account. For demonstration or reproduce ... PoC: Command Execution or Injection (Path, Files & CMD) %20../'+C:\ProgramData\Lan.FS\ %20../'+C:\ProgramData\Lan.FS\Profile\ %20../'+C:\Program Files (x86)\Lan.FS

Review: Command Execution - Messenger (Windows7) Logs