Trend Micro OfficeScan ObjRemoveCtrl ActiveX Control Buffer Overflow Vulnerability

2008.07.29
Credit: Elazar Broad
Risk: High
Local: Yes
Remote: No
CVE: N/A
CWE: N/A

Who: Trend Micro
http://www.trendmicro.com

What: OfficeScan 7.3 build 1343(Patch 4) and older
http://www.trendmicro.com/download/product.asp?productid=5

How: OfficeScan's Web Console utilizes several ActiveX controls when deploying the product through the web interface. One of these controls, objRemoveCtrl, is vulnerable to a stack-based buffer overflow when embedded in a webpage. The one caveat to this issue is that the control must be embedded in such a way that it CAN be visible, i.e. obj = new ActiveXObject() will not work. The issue lies in the code that is used to display certain properties and their values on the control when it is embedded in a page.

OfficeScanRemoveCtrl.dll, version 7.3.0.1020
{5EFE8CB1-D095-11D1-88FC-0080C859833B}
Commonly located: <systemdrive>\Windows\Downloaded Program Files
CAB location on server: <officescan install path>\OfficeScan\PCCSRV\Web_console\ClientInstall\RemoveCtrl.cab

The following properties are vulnerable:

HttpBased
LatestPatternServer
LatestPatternURL
LocalServerPort
MasterDirectory
MoreFiles
PatternFilename
ProxyLogin
ProxyPassword
ProxyPort
ProxyServer
RegistryINIFilename
Server
ServerIniFile
ServerPort
ServerSubDir
ServiceDisplayName
ServiceFilename
ServiceName
ShellExtensionFilename
ShortcutFileList
ShortcutNameList
UninstallPassword
UnloadPassword
UseProxy

Workaround: Set the killbit for the affected control. See http://support.microsoft.com/KB/240797

Fix: As stated below, reportedly there are patches for this issue, however, I have been able to exploit this issue in a test environment running OfficeScan 7.3 patch 4(latest available patch).

Timeline:
06/27/2008 -> Vulnerability discovered and reported to iDefense
07/02/2008 <- Request for further information
07/16/2008 <- iDefense states that patches exist which resolve this issue
07/16/2008 -> Request clarification regarding which patches resolve this issue. No response
07/20/2008 -> Follow up regarding patches. No response
07/28/2008 - Disclosure
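
The kill-bit workaround named in the advisory, shown as an added example that is not part of the original advisory or of any Trend Micro tooling. It assumes PowerShell 3.0 or later (.NET 4) run from an elevated prompt; the CLSID is the one listed above, and the registry location and 0x400 flag are those documented in Microsoft KB240797.

```powershell
# Added example: set and verify the ActiveX kill bit for objRemoveCtrl.
# CLSID comes from the advisory; key path and flag value follow KB240797.
$Clsid   = '{5EFE8CB1-D095-11D1-88FC-0080C859833B}'
$KillBit = 0x00000400
$SubKey  = "SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"

# Cover both registry views so 32-bit and 64-bit Internet Explorer are handled.
$views = @([Microsoft.Win32.RegistryView]::Registry32)
if ([Environment]::Is64BitOperatingSystem) {
    $views += [Microsoft.Win32.RegistryView]::Registry64
}

foreach ($view in $views) {
    $hklm = [Microsoft.Win32.RegistryKey]::OpenBaseKey([Microsoft.Win32.RegistryHive]::LocalMachine, $view)
    try {
        # CreateSubKey opens the key writable and creates it if it is absent.
        $key = $hklm.CreateSubKey($SubKey)
        try {
            # Preserve any compatibility flags already present; only OR in the kill bit.
            $current = [int]$key.GetValue('Compatibility Flags', 0)
            $updated = $current -bor $KillBit
            if ($updated -ne $current) {
                $key.SetValue('Compatibility Flags', $updated, [Microsoft.Win32.RegistryValueKind]::DWord)
            }

            # Read the value back to confirm the bit is set in this view.
            $check = [int]$key.GetValue('Compatibility Flags', 0)
            $state = if (($check -band $KillBit) -ne 0) { 'SET' } else { 'NOT SET' }
            '{0}: Compatibility Flags = 0x{1:X8} (kill bit {2})' -f $view, $check, $state
        }
        finally { $key.Close() }
    }
    finally { $hklm.Close() }
}
```

The kill bit stops Internet Explorer from instantiating the control; it does not remove OfficeScanRemoveCtrl.dll from Downloaded Program Files.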

References:

http://seclists.org/fulldisclosure/2008/Jul/0510.html