From: Nicholas Staff (nick.staffCOMCAST.NET)
Date: Sun Aug 07 2005 - 08:41:12 CDT

• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Note - AOL gave me a press release but I lost it because it was worthless.

Note - this is an elevation of privileges exploit that requires local
access, so if that turns you off no need to read any further (unless a rant
about AOL is what you're looking for). There is a secondary exploit
detailed here as well that has to do with using other users saved AOL
passwords to access their AOL accounts.

Editorial (skip to next section if you just want the exploit)
Sometime late last year I had to contact AOL for a friend of mine and after
half an hour of hearing the most useless answers and reading the most base
of help files I was getting kinda angry. I made the shift into pissed off
somewhere between reading my 900th and 1000th billboard on AOL's site
touting "the new secure AOL". I correctly assumed that any group of people
incapable of maintaining a functioning help system couldn't possibly manage
the minutia of application security, so I decided as payback for the
frustration they caused me I'd find an exploit and show them for the frauds
they were. Five minutes later I had the exploit below (The exploit is not
complex - finding it in five minutes doesn't make me smart - in fact it's so
common I hesitate to ask what security AOL does test if they missed this
one).

Exploit:
Elevate any user account to Administrator on Windows 2000, Windows XP
Professional, Windows Server 200x, etc.

Requirements:
An installation of AOL 9.0 security edition (any version of 9.0 and I'd
wager 8.0 too or for that matter any version with the AOL Connectivity
Service Service).

Details:
A service running as Local System launches an executable from a folder with
no security. %systemdrive%\Program Files\Common Files\AOL\ACS\ACSD.exe is
the executable for The AOL Connectivity Service, which runs as Local System.
Although Microsoft's default security on the %systemdrive%\Program
Files\Common Files directory only allows Users read access, the AOL install
configures it's subfolders with Everyone - Full Control. For anyone new to
computer security - Every process on a Windows NT/2K/XP machine runs with
the security access of the account that launched it. The Local System
account is used to run services in Windows that require the highest levels
of access because it can basically access everything. If a user were to
replace an executable launched by The Local System account with another that
was named the same they could have any command they want executed, including
one that added their account to the local administrators group on the PC.
My favorite is to rename a copy of explorer.exe and then after reboot use
the window that opens before log on to launch the Users and Groups MMC.

Patches:
AOL "supposedly" has pushed a patch down to all it's users but in my testing
I've yet to have it applied to me (though since I don't have AOL I can only
check sporadically). It is also available online at AOL's site, though good
luck finding it as it's url was in the press release I tossed and I've been
told by AOL they don't think it's important to actually mention this patch
anywhere on their site (even though millions of people who don't use AOL and
hence will never get autoupdated use computers that had AOL preinstalled
which makes them vulnerable). Also AOL didn't update their software
download so they are giving people software they know is dangerous.

Second Exploit:
Access other users AOL accounts using their stored AOL passwords

Requirements:
I think any version of AOL ever (only tested on version 9.0 security
edition)

Details:
If a user saves their AOL passwords and you are a local administrator on
their computer (or have made yourself one using the above mentioned method),
simply open Windows Registry Editor and expand the key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList.
Click each subkey until you find the one where the value of ProfileImagePath
is the path to that users profile folder. Copy that path and go to the
subkey where ProfileImagePath is the path to your profile. Edit your
profile path to be the same as theirs and then log off and back on. Launch
AOL and their saved passwords will be saved for you too (WARNING: all your
settings will be changed to theirs - your desktop, EVERYTHING. To restore
just reverse the steps above).

Patches:
According to AOL, the ability to access other users saved passwords is by
design and is a feature they feel is important to their customer base. I
tried explaining that they advertise having all these parental controls and
that a kid could use these 2 steps to log onto his parents account,
temporarily disable his parental controls, do something that the parental
controls were supposed to be protecting him from, and then re-enable the
controls. Again AOL didn't seem to care even a little about their customers
well being or safety (I guess you really shouldn't believe anything you see
on TV).

For the record Kent, the AOL Product Vulnerability guy I worked with was
great. There was actually a time when I thought this release was going to
be a "love letter" to AOL because I was so impressed with how he was
handling the issue. Alas though AOL ended up dissapointing me in everything
that mattered.

Last note - Though AOL has a security response team, both their customer
service department and web site return blank pages when queried on how to
contact them. I have to thank Russ (and AOL REALLY ought to thank him), for
if he hadn't been able to put me in touch with them AOL would have had no
advance warning of this because two days of my best efforts couldn't even
get me someone who understood what I meant by a security response team.
Sorry for all the editorial, it is driven purely by rage and the belief that
I'm right.
Best regards,

Nick Staff
-Either I want to be a better person than I am
or I am a better person than I want to be.

--
NTBugtraq Editor's Note:

Most viruses these days use spoofed email addresses. As such, using an Anti-Virus product which automatically notifies the perceived sender of a message it believes is infected may well cause more harm than good. Someone who did not actually send you a virus may receive the notification and scramble their support staff to find an infection which never existed in the first place. Suggest such notifications be disabled by whomever is responsible for your AV, or at least that the idea is considered.
--

• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]