lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date: Fri, 22 Jun 2007 17:41:55 -0300
From: GOODFELLAS SRT <goodfellas@...llcode.com.ar>
To: undisclosed-recipients: ;
Subject: [GOODFELLAS - VULN] BarCodeAx.dll v. 4.9 ActiveX
	Control Remote	Stack Buffer Overflow

:. GOODFELLAS Security Research TEAM  .:
:. http://goodfellas.shellcode.com.ar .:

BarCodeAx.dll v. 4.9 ActiveX Control Remote Stack Buffer Overflow 
=================================================================
Internal ID: VULWAR200706223


Introduction
------------
BarCodeAx.dll is a library included in the Barcode ActiveX software 
package from the Company RKD:
(http://www.barcodetools.com/barcode/barcode-activex/barcode-activex.html)

Such package allows to manage the printing of different barcodes.

One of the BarcodeAx.dll exported methods is vulnerable to a stack
buffer overflow which can be remotely exploited.


tested in
---------
- Windows XP SP2 english/french with IE 6.0 / 7.0
- windows vista Professional SP1 with IE 7.0


Summary
-------
The BeginPrint method fail to correctly check the size of the arguments 
that receives, causing a stack buffer overflow.


Impact
------
Any application that uses the said ActiveX to control barcodes would be 
exposed to remote code execution.


Workaround
----------
- Activate the Kill bit zero in
CLSID:C26D9CA8-6747-11D5-AD4B-C01857C10000
- Unregister BarCodeAx.dll using regsvr32


Timeline
--------
June 21, 2007 -- Bug discovery
June 22, 2007 -- Bug published


Credits
-------
 * Brian Mariani <bmariani@...llcode.com.ar>
 * GoodFellas Security Research Team <goodfellas.shellcode.com.ar>


Technical Detail
----------------

Vulnerable method.

Sub BeginPrint (
 	ByVal name  As String 
)


We need 656 bytes to overflow the buffer and rewrite EBP + EIP.

- Reversing
7C97DF40	PUSH 0
7C97DF42	PUSH ESI
7C97DF43	CALL 7C97CDC9
7C97DF48	MOV EBX,[EBP+10]
7C97DF4B	LEA EDI,[EBX-8]
7C97DF4E	MOV [EBP-2C],EDI
7C97DF51	MOVZX EAX,WORD PTR [EDI]	  <--- CRASH
7C97DF54	SHL EAX,3
7C97DF57	MOV [EBP-30],EAX
7C97DF5A	PUSH 7C97E11C
7C97DF5F	PUSH EDI
7C97DF60	PUSH ESI
7C97DF61	CALL 7C97CC6D
7C97DF66	TEST AL,AL
7C97DF68	JE 7C97E0BF

- Registers
EIP 41414141
EAX C0040204
EBX 00407830 -> 003E977D
ECX 0013ECE8 -> Asc: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
EDX 00150608 -> 7C98C500
EDI 00000000
ESI 001844CC -> 00180008
EBP 41414141
ESP 0013EBE8 -> Asc: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA


-- 
GOODFELLAS (Shellcode Security Research)
http://goodfellas.shellcode.com.ar


Download attachment "signature.asc" of type "application/pgp-signature" (190 bytes)

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ