BitDefender Online Scanner 8 Double Decode Heap Overflow Release Date: November 20, 2007 Date Reported: October 24, 2007 Severity: High (Remote Code Execution) Vendor: BitDefender / SOFTWIN - http://www.bitdefender.com Systems Affected: BitDefender Online Scan Users Overview: eEye Digital Security has discovered a critical remote code execution condition within OScan8.ocx and Oscan81.ocx included by default in BitDefender Online Anti-Virus Scanner 8.0 released on May 24th 2006. OScan.ocx is the main ActiveX component for BitDefender's Anti-Virus Scanner and is initialized by Internet Explorer or any other ActiveX compatible products. After this file is initialized, it generates the GUI for the scanner and manages all User-issued commands. Oscan.ocx has also an internal website verification system to prevent the ActiveX control from being initialized outside of an authorized domain. Unfortunately due to a lack of data-sanitization, OScan.ocx can be forced to be initialized in an unsafe domain and it can be manipulated to corrupt arbitrary memory locations with user supplied values. This could allow a memory corruption scenario that would lead to arbitrary code execution or denial of service conditions. Technical Description: A remote vulnerability lies within a malformed request sent to BitDefender's Online Anti-Virus Scanner ActiveX Controller, OScan.ocx. OScan.ocx's vulnerable function, InitX, is the only function that accepts user-supplied data and is required to initialize the control for its use. The function InitX takes a string argument value of bstrLocation and is used to verify the calling domain. The IDL for InitX resembles the following: Function InitX { ByVal bstrLocation as String } As Boolean This feature is used to safeguard the ActiveX control and prevent it from being initialized outside of authorized domains. Users may submit requests to host this control on their site and they are given an initialization key. Referencing the BitDefender website you can see that their domain is being processed with the following hex-value key: AvxUI.InitX('000000408E45E3394593BF66F0C93C6CF90AF0F0AB417E17657D7F328A2 312ACBE0B139EF3EBFB69939B1C3B24D8BC392D752B8408EAACCD809B94D38B8F9B5E97B 1C1A6') After this domain key is processed and verified the control would initialize and accept user commands and begin scanning files. However a double-decoding vulnerability is present when processing Unicode values passed to the vulnerable function as a domain key. This vulnerability is triggered prior to the domain validation by prepending two "%" (0x25) characters to domain key value. This causes OScan.ocx to double-encode the parameter from Unicode and allocate arbitrary memory. By combining this method with an overly long string, a heap-based memory corruption scenario will result. This heap-overflow allows arbitrary values from the user-supplied malformed string to overwrite memory within Internet Explorer or the host ActiveX process. Although the attacker does not control the location of where the memory overwrite occurs, the vulnerability has a tendency to overwrite pointers that are later called by Internet Explorer or the host ActiveX process and thus arbitrary code execution is possible. Protection: Blink - Unified Client Security has proactively protected from these vulnerabilities since their discovery. Retina - Network Security Scanner has been updated to identify these vulnerabilities. Vendor Status: BitDefender has released an update mitigating this vulnerability in the form of Oscan82.ocx. Users can download the updated Online BitDefender Scanner Here: http://www.bitdefender.com/scan8/ie.html Although the vulnerable ActiveX controls will still remain on a workstation after revisiting the site, they are no longer referenceable. Credit: Greg Linares Greetings: Das DiREctor, The PuppetMaster, Trouble #1 and Trouble #2, Mikhail T. Kalashnikov, W. Gibson, M. Shirow, All of Section 9, The C in PoC, the Wireless Ninja Maiffret, 75 foot ethernet cords, the peeps at InfinityWard, IO Interactive and Bioware for awesome games, and to Juno Reactor and Jesper Kyd for awesome tunes. Related Links: Preview - Advanced Security Intelligence - http://www.eeye.com/preview Retina - Network Security Scanner - Free Trial: http://www.eeye.com/html/products/retina/download/index.html Blink - Unified Client Security Personal - Free For Home Use: http://www.eeye.com/html/products/blink/personal/download/index.html Blink - Unified Client Security Professional - Free Trial: http://www.eeye.com/html/products/blink/download/index.html Copyright (c) 1998-2007 eEye Digital Security Permission is hereby granted for the redistribution of this alert electronically. It is not to be edited in any way without express consent of eEye. If you wish to reprint the whole or any part of this alert in any other medium excluding electronic medium, please email alert (at) eEye (dot) com [email concealed] for permission. Disclaimer The information within this paper may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are no warranties, implied or express, with regard to this information. In no event shall the author be liable for any direct or indirect damages whatsoever arising out of or in connection with the use or spread of this information. Any use of this information is at the user's own risk.EEYE