TSRT-07-03: America Online SuperBuddy ActiveX Control Code Execution http://www.tippingpoint.com/security/advisories/TSRT-07-03.html March 30, 2007 -- CVE ID: CVE-2006-5820 -- Affected Vendor: America Online -- Affected Products: America Online 9.0 Security Edition -- TippingPoint(TM) IPS Customer Protection: TippingPoint IPS customers have been protected against this vulnerability since November 6, 2006 by Digital Vaccine protection filter ID 4553. For further product information on the TippingPoint IPS: http://www.tippingpoint.com -- Vulnerability Details: This vulnerability allows attackers to execute arbitrary code on vulnerable installations of America Online with Microsoft Internet Explorer. User interaction is required to exploit this vulnerability in that the target must visit a malicious page. The specific flaw exists in the LinkSBIcons() method exposed through the ActiveX control 'Sb.SuperBuddy.1' with the following CLSID: 189504B8-50D1-4AA8-B4D6-95C8F58A6414 The affected control implements the IObjectSafety interface and therefore allows a web site to invoke the control under default Internet Explorer settings without any further user interaction. The vulnerable method is defined as: int LinkSBIcons(IUnknown *interface) As the method accepts an unchecked user-controlled value specifying a pointer to an object, a subsequent function dereference is completely under attacker control. This can easily lead to arbitrary code execution under the context of the logged in user. It is important to note that many PCs ship with this vulnerable component by default, including Dell and Hewlett-Packard among others. Since AOL is addressing this issue as an update through their internet service, many users are left without any recourse for mitigation. Concerned users can specify a "kill bit" for the affected control to prevent it from loading within Internet Explorer. To do so, create the following registry key: HKEY_LOCAL_MACHINE SOFTWARE Microsoft Internet Explorer ActiveX Compatibility {189504B8-50D1-4AA8-B4D6-95C8F58A6414} With the value 'Compatibility Flags' set to 0x400. -- Vendor Response: America Online has issued an update to correct this vulnerability as of 3/29/2007. The update is automatically applied the next time users log into the AOL service. -- Disclosure Timeline: 2006.07.18 - Vulnerability reported to vendor 2006.11.06 - Digital Vaccine released to TippingPoint customers 2007.03.30 - Coordinated public release of advisory -- Credit: This vulnerability was discovered by Cody Pierce, Tipping Point Security Research Team.