
Online Binary Planting Exposure Test #1

NOTE: The vulnerability used in this test has already been fixed by the vendor. Only use this test for verifying the fix on your computer. Otherwise please use tests with UNFIXED vulnerabilities.


Operating Systems
  • Windows XP (32 and 64 bit)
  • Windows Vista (32 and 64 bit)
  • Windows 7 (32 and 64 bit)

Vulnerable Products
Test Procedure

  1. On a Windows computer, open Windows Explorer (e.g., by double-clicking "My Computer" on Windows XP or "Computer" on Windows Vista or Windows 7).

  2. Copy the following location to Windows Explorer's Address field, press Enter and wait up to 30 seconds. Make sure to choose the location matching your operating system type (32-bit or 64-bit). If you're not sure about your system type, just try both.

    32-bit Windows: \\www.binaryplanting.com\demo\windows_address_book
    64-bit Windows: \\www.binaryplanting.com\demo\windows_address_book_64

  3. At this point, one of the following is likely to happen:
    1. Windows Explorer displays the content of the remote folder as shown below.



    2. Or, some error message pops up describing that the remote folder could not be found or displayed.
    3. Or, nothing happens.

  4. In case Windows Explorer hasn't shown the content of the remote folder, and you either got an error message or no response at all, first try again a few times, then try with a freshly opened Windows Explorer, then log off and log on again, and finally restart your computer and retry. If all these attempts fail to display the content of the remote folder, the test is over and you can skip to the results.

  5. If, however, Windows Explorer has displayed the content of the remote folder, double-click on file acros.wab. If this results in a "HACKED" dialog popping up like the one shown below, you are currently exposed to binary planting attacks originating from the Internet (see the results).



    If, on the other hand, double-clicking on the file doesn't launch a "HACKED" dialog (even if it launches Windows Address Book, Microsoft Windows Contacts, Outlook or some other application), first retry a couple of times, then try a few times by double-clicking the other two data files, acros.vcf and acros.contact. If all these fail to produce a "HACKED" dialog, the test is over and you can continue to the results.


Test Results

As a result of the above test, one of the following has happened. Find your own result in the table below and read the diagnosis of your exposure.

Your result: Your Windows Explorer hasn't displayed the content of the remote shared folder.
Diagnosis: If all your attempts to see the content of our shared folder failed, the reason is likely one or more of the following:
  1. WebDAV communication between your computer and our server is being blocked either by your network or personal firewall. If this is the case, you are probably not exposed to binary planting attacks originating from the Internet. Note that you may still be exposed to binary planting attacks originating from your local network, and even from the Internet if you connect your computer to another network, such as to a wireless network on a business trip.
  2. Your Web Client service is not running. (This service is running by default on Windows Workstations, but not on Windows servers.) If this is the case, you are probably not exposed to binary planting attacks originating from the Internet. Note that you may still be exposed to binary planting attacks originating from your local network, and even from the Internet if you connect your computer to another network, such as to a wireless network on a business trip.
  3. Your Windows system is not up-to-date. For instance, Vista used to have functional problems with accessing certain WebDAV shares and our shares seem to be of such type. Make sure to update your system with the latest updates, then redo the test.

Your result: Your Windows Explorer has displayed the content of the remote shared folder, but double-clicking on any of the files hasn't launched the "HACKED" dialog box.
Diagnosis: If opening files from our server failed to launch the "HACKED" dialog, the reason is likely one of the following:
  1. You have Microsoft's fix for the targeted vulnerability installed (see Microsoft's security bulletin). In this case, your exposure to binary planting attacks is unknown, although one of the many vulnerabilities has apparently been eliminated. You can try some other tests that we provide.
  2. The provided files' extensions (.wab, .vcf and .contact) are associated with some other application than Windows Address Book / Microsoft Windows Contacts. (For instance, if you have Outlook installed, acros.vcf will be opened by it.) In this case, your exposure to binary planting attacks is unknown, as the test failed to address the vulnerable application(s). While the particular vulnerabilities used for this test seem to be "unreachable" for a remote attacker, nothing can be determined about your general exposure to binary planting attacks. You can do two things: (1) try some other tests that we provide, or (2) retry the same test on another computer in your network which possibly has the original applications associated with our data files.
  3. Your network or personal firewall, while allowing browsing remote WebDAV shares, blocks the downloading of potentially dangerous binaries. If this is the case, you are probably not exposed to binary planting attacks originating from the Internet. Note that you may still be exposed to binary planting attacks originating from your local network, and even from the Internet if you connect your computer to another network, such as to a wireless network on a business trip.
  4. You have Microsoft's CWDIllegalInDllSearch hotfix installed and configured so as not to allow loading DLLs from remote WebDAV shares. If this is the case, you are probably not exposed to binary planting attacks originating from the Internet or from local shared folders.

Your result: Your Windows Explorer has displayed the content of the remote shared folder, and double-clicking on the files has launched the "HACKED" dialog box at least once.
Diagnosis: You are currently exposed to binary planting attacks originating from the Internet through at least one existing vulnerability. A remote attacker can exploit either the vulnerability in Windows Address Book / Microsoft Windows Contacts used in this test, or any other similar vulnerability that may exist in applications installed on your computer. Furthermore, other computers in your network are also likely to be exposed as there seems to be no network-wide countermeasure in place.
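
Two of the diagnoses above depend on local settings that can be read directly: the state of the Web Client service and the CWDIllegalInDllSearch configuration. The PowerShell below is an added example, not part of ACROS Security's test; the registry locations and value meanings follow Microsoft's documentation for the hotfix rather than this page, and the function names are hypothetical.

```powershell
# Added example: read-only report of the two local settings named in the diagnosis.
# Registry locations and value meanings follow Microsoft's documentation for the
# CWDIllegalInDllSearch hotfix; they are not given on this page.

function Get-CwdDllSearchMeaning {
    param($Raw)   # registry DWORD, or $null when the value is absent
    if ($null -eq $Raw) { return 'not set (default DLL search order, CWD included)' }
    # Format as hex so 0xFFFFFFFF matches whether it arrives as Int32 -1 or UInt32.
    switch ('{0:X8}' -f $Raw) {
        'FFFFFFFF' { 'CWD removed from the DLL search order' }
        '00000002' { 'DLL load from CWD blocked when CWD is remote (WebDAV or UNC)' }
        '00000001' { 'DLL load from CWD blocked when CWD is a WebDAV folder' }
        '00000000' { 'default DLL search order, CWD included' }
        default    { "unrecognised value 0x$_" }
    }
}

function Get-BinaryPlantingPosture {
    # The Web Client service (service name WebClient) is the WebDAV redirector
    # that lets Explorer open \\host\folder paths over HTTP.
    $svc = Get-Service -Name WebClient -ErrorAction SilentlyContinue
    $svcState = 'not installed'
    if ($svc) { $svcState = [string]$svc.Status }

    # System-wide setting.
    $sm  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
    $sys = (Get-ItemProperty -Path $sm -ErrorAction SilentlyContinue).CWDIllegalInDllSearch

    # Per-application overrides, keyed by executable name.
    $ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
    $perApp = @(Get-ChildItem -Path $ifeo -ErrorAction SilentlyContinue | ForEach-Object {
        $v = $_.GetValue('CWDIllegalInDllSearch')
        if ($null -ne $v) { '{0}: {1}' -f $_.PSChildName, (Get-CwdDllSearchMeaning $v) }
    })

    New-Object PSObject -Property @{
        WebClientService   = $svcState
        SystemWideCwdRule  = Get-CwdDllSearchMeaning $sys
        PerAppCwdOverrides = $perApp
    }
}

Get-BinaryPlantingPosture | Format-List
```

A Stopped status is not conclusive on its own where the service is configured to start on demand, so check its startup type as well.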


For additional information, go to ACROS Security and ACROS Security Blog.

Please kindly direct any feedback regarding this test to security@acrossecurity.com.