Multiple vulnerabilities

2007.05.17
Credit: Michal Bucko
Risk: Medium
Local: Yes
Remote: Yes
CWE: N/A

################################################################### Multiple vulnerabilities Michal Bucko (sapheal) HACKPL Security Labs #################################################################### The document below was mainly written to support MoAxB, however, some of the vulnerabilities are in no way connected with ActiveX. The document covers five vulnerabilities, three of them concern ActiveX controls. The list: [1] Ipswitch WhatsUp v11 MIBEXTRA.EXE Memory Corruption Conditions [2] Firebird 2.1 Multiple Memory Corruption Conditions [3] Audio CD Ripper OCX Init Function Denial of Service Vulnerability [4] FlexLabel ActiveX Control Denial of Service [5] Brujula Toolbar BRUJULA4.NET.DLL Denial of Service [1] Ipswitch WhatsUp v11 MIBEXTRA.EXE Memory Corruption Conditions ################################################################## I. BACKGROUND WhatsUp Gold v11 - award winning network monitoring software - delivers on its two promises of blending network monitoring and comprehensive windows-based application with ease of use, allowing IT managers to turn network data into actionable business information like trending analysis and IT resource planning guidance. II. DESCRIPTION MIBEXTRA.EXE is one of the WhatsUp's components. It extract WUG data from MIB files. The component itself is prone to buffer overflow. An overly long argument passed as a filename would result in application crashing. Arbitrary code execution is possible. The debugger's output is depicted below: EAX 00000000 ECX 41414141 .. EIP 41414141 [2] Firebird 2.1 Multiple Memory Corruption Conditions ###################################################### I. BACKGROUND Firebird is a RDBMS offering many ANSI SQL features that runs on Linux, Windows and several Unix platforms. Features excellent concurrency, high performance and a powerful language for stored procedures and triggers. II. DESCRIPTION I haven't gone through the code thoroughly as I bumped into various typical buffer overrun vulnerabilities. I got off to a flying start when I took a look at config\ConfigFile.cpp - a typical buffer overflow vulnerability, no bounds checking. Going through with (quite a) fine tooth, I found the similar (more complex than the one found before?) in msgs\check_msgs.epp. [3] Audio CD Ripper OCX Init Function Denial of Service Vulnerability ##################################################################### I. BACKGROUND Audio CD Ripper OCX 1.0 is an ActiveX control for developers. This control can rip CDA tracks from audio CD to MP3, WMA, WAV, OGG and APE. This ActiveX can also deal with the ID3 tags (for destination files), runs on a low level mode (based on ASPI), supports many CDs drives, can get general information about the CD drives, the Audio CD and the CDA Tracks on it. Supports many events, error handling, runs fast and easy to the use. II. DESCRIPTION Function Init() in AudioCDRipperOCX.ocx improperly used results in denial of service due to null dereference. The vulnerability doesn't allow remote arbitrary code execution. [4] FlexLabel ActiveX Control Denial of Service ##################################################################### I. BACKGROUND FlexLabel is an enhanced label control...way enhanced! You have complete control over everything including font, alignment, mouse-over effect, and angle of text, plus the best functionality is that it will automatically create a hyperlink based off of simple property settings. You can control whether a mouse click will link to email, a website, an FTP site, or user customizable link. II. DESCRIPTION FlexLabel ActiveX control fails to work properly when badly initialized. The vulnerability does not allow code execution. The simple demonstration would be: --//code snippet//-- <object classid='clsid:584B432E-E0BD-4A78-BD77-665591DA84BB' id='target' /> <script language='vbscript'> arg="A" target.Caption = arg </script> --//end of code snippet//-- [5] Brujula Toolbar BRUJULA4.NET.DLL Denial of Service ##################################################################### I. BACKGROUND Brujula.net toolbar is one of toolbars available II. DESCRIPTION Access violation due to null dereference leads to denial of service conditions. Function GetPropertyById(char*, char*) in SoftomateLib (ISoftomateObj),in BRUJULA4.NET.DLL, improperly handle the given arguments. Below, we can see debugger's output: 100283B5 8B51 04 MOV EDX,DWORD PTR DS:[ECX+4] ECX = 000001A8 DS:[000001AC]=??? [!] DISCLAIMER This document and all the information it contains are provided "as is", for educational purposes only, without warranty of any kind, whether express or implied. The authors reserve the right not to be responsible for the topicality, correctness, completeness or quality of the information provided in this document. Liability claims regarding damage caused by the use of any information provided, including any kind of information which is incomplete or incorrect, will therefore be rejected.


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2017, cxsecurity.com

 

Back to Top