Toshiba ConfigFree CF7 File Remote Command Execution
/------------------------------------------------------------------------=
-----\
| Toshiba ConfigFree CF7 File Remote Command Execution |
\------------------------------------------------------------------------=
-----/
Summary
=3D=3D=3D=3D=3D=3D=3D
There is a command execution vulnerability in the Toshiba ConfigFree=20
CF7 file format used on Toshiba laptops to import and export network=20
configurations. An attacker could execute arbitrary commands with the=20
privileges of the current logged-in user by enticing a Toshiba laptop
user to download and execute a crafted CF7 file.=20
CVE number: CVE-2012-4981
Impact: High
Vendor homepage: http://www.toshiba.co.uk/
Vendor notified: 13/07/2012
Vendor response: Toshiba does not recognise this as a security =
vulnerability
Credit: Joseph Sheridan of ReactionIS (http://www.reactionis.co.uk)
This advisory is posted at:
http://www.reactionpenetrationtesting.co.uk/configfree-command-exe.html
Affected Products
=3D=3D=3D=3D=3D=3D=3D=3D =3D=3D=3D=3D=3D=3D=3D=3D
Confirmed in latest Configfree version 8.0.38 on Windows 7 on a Toshiba=20
Satellite R850. Other versions may also be affected.
Details
=3D=3D=3D=3D=3D=3D=3D
The =E2=80=98runApp=E2=80=99 field of the cf7 file can be manipulated to =
run arbitrary=20
operating-system commands.
ConfigFree is the registered file handler for the cf7 filetype =
(CFProfile.exe=20
at HKEY_CLASSES_ROOT\cf7_auto_file\shell\open\command) so if a victim =
could=20
be convinced to download and apply a crafted cf7 file the commands in =
the runApp
field would be executed and could be used to take control of the =
machine.
Impact
=3D=3D=3D=3D=3D=3D
if a victim could be convinced to download and apply a crafted cf7 file=20
the commands in the runApp field would be executed and could be used to=20
take control of the machine.
Solution
=3D=3D=3D=3D=3D=3D=3D=3D
As no fix is available, concerned users could remove this utility from =
their=20
machine.
Distribution
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
In addition to posting on the website, a text version of this notice has =
been=20
posted to the following e-mail and Usenet news recipients.
* bugtraq () securityfocus com
* full-disclosure () lists grok org uk
Future updates of this advisory, if any, will be placed on the =
ReactionIS=20
corporate website, but may or may not be actively announced on mailing =
lists=20
or newsgroups. Users concerned about this problem are encouraged to =
check the=20
URL below for any updates:
http://www.reactionpenetrationtesting.co.uk/configfree-command-exe.html
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D
Reaction Information Security=20
Lombard House Business Centre,
Suite 117,
12-17 Upper Bridge Street,
Canterbury, Kent, CT1 2NF
Phone: +44 (0)1227 785050
Email: research () reactionis {dot} co {dot} uk
Web: http://www.reactionpenetrationtesting.co.uk
Joseph Sheridan
Director
CHECK Team Leader, CREST Infrastructure, CREST Application, CISSP
Tel: 07812052515
Web: www.reactionis.co.uk=20
Email: joe@reactionis.co.uk
Reaction Information Security Limited.
Registered in England No: 6929383
Registered Office: 1, The Mews, 69 New Dover Road, Canterbury, CT1 3DZ
=20
This email and any files transmitted with it are confidential and are =
intended solely for the use of the individual to whom they are =
addressed. If you are not the intended recipient please notify the =
sender. Any unauthorised dissemination or copying of this email or its =
attachments and any use or disclosure of any information contained in =
them, is strictly prohibited.
=EF=81=90 Please consider the environment before printing this email