lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [day] [month] [year] [list] 
Date: Wed, 9 May 2007 17:43:10 +0200
From: "Michal Bucko (hackpl)" <sapheal@...k.pl>
To: <bugtraq@...urityfocus.com>
Subject:  Multiple vulnerabilities

###################################################################


 Multiple vulnerabilities


 Michal Bucko (sapheal)
 HACKPL Security Labs


####################################################################






 The document below was mainly written to support MoAxB, however,
 some of the vulnerabilities are in no way connected with ActiveX.
 The document covers five vulnerabilities, three of them concern ActiveX
 controls.







 The list:
 [1]  Ipswitch WhatsUp v11 MIBEXTRA.EXE Memory Corruption Conditions
 [2] Firebird 2.1 Multiple Memory Corruption Conditions
 [3]  Audio CD Ripper OCX Init Function Denial of Service Vulnerability
 [4]  FlexLabel ActiveX Control Denial of Service
 [5] Brujula Toolbar BRUJULA4.NET.DLL Denial of Service




 [1] Ipswitch WhatsUp v11 MIBEXTRA.EXE Memory Corruption Conditions
 ##################################################################



 I.  BACKGROUND


 WhatsUp Gold v11 - award winning network monitoring software - delivers
  on its two promises of blending network monitoring and comprehensive
 windows-based application with ease of use, allowing IT managers to turn
   network data into actionable business information like trending analysis
 and IT resource planning guidance.


 II. DESCRIPTION

 MIBEXTRA.EXE is one of the WhatsUp's components. It extract WUG data from
 MIB files. The component itself is prone to buffer overflow. An overly
 long argument passed as a filename would result in application crashing.
 Arbitrary code execution is possible. The debugger's output is depicted
 below:

 EAX 00000000
 ECX 41414141
 ..
 EIP 41414141







 [2] Firebird 2.1 Multiple Memory Corruption Conditions
 ######################################################



 I.  BACKGROUND


 Firebird is a RDBMS offering many ANSI SQL features that runs on Linux,
 Windows and several Unix platforms. Features excellent concurrency, high
 performance and a powerful language for stored procedures and triggers.



 II. DESCRIPTION

 I haven't gone through the code thoroughly as I bumped into various typical
 buffer overrun vulnerabilities. I got off to a flying start when I took a
 look at config\ConfigFile.cpp - a typical buffer overflow vulnerability,
 no bounds checking. Going through with (quite a) fine tooth, I found the
 similar (more complex than the one found before?) in msgs\check_msgs.epp.






 [3] Audio CD Ripper OCX Init Function Denial of Service Vulnerability
 #####################################################################



 I.  BACKGROUND


 Audio CD Ripper OCX 1.0 is an ActiveX control for developers. This control
 can rip CDA tracks from audio CD to MP3, WMA, WAV, OGG and APE. This 
ActiveX
  can also deal with the ID3 tags (for destination files), runs on a low 
level
 mode (based on ASPI), supports many CDs drives, can get general information
 about the CD drives, the Audio CD and the CDA Tracks on it. Supports many
 events, error handling, runs fast and easy to the use.



 II. DESCRIPTION

 Function Init() in AudioCDRipperOCX.ocx improperly used results in denial
 of service due to null dereference. The vulnerability doesn't allow remote
 arbitrary code execution.





 [4] FlexLabel ActiveX Control Denial of Service
 #####################################################################



 I.  BACKGROUND

 FlexLabel is an enhanced label control...way enhanced! You have complete 
control
 over everything including font, alignment, mouse-over effect, and angle of 
text,
 plus the best functionality is that it will automatically create a 
hyperlink based
  off of simple property settings. You can control whether a mouse click 
will link
 to email, a website, an FTP site, or user customizable link.




 II. DESCRIPTION

 FlexLabel ActiveX control fails to work properly when badly initialized. 
The
 vulnerability does not allow code execution. The simple demonstration would 
be:


 --//code snippet//--

 <object classid='clsid:584B432E-E0BD-4A78-BD77-665591DA84BB' id='target' />
 <script language='vbscript'>

  arg="A"

  target.Caption = arg

 </script>


 --//end of code snippet//--






 [5] Brujula Toolbar BRUJULA4.NET.DLL Denial of Service
 #####################################################################

 I.  BACKGROUND
 Brujula.net toolbar is one of toolbars available


 II. DESCRIPTION

 Access violation due to null dereference leads to denial of service 
conditions.
 Function GetPropertyById(char*, char*) in SoftomateLib (ISoftomateObj),in
 BRUJULA4.NET.DLL, improperly handle the given arguments. Below, we can see
 debugger's output:


 100283B5   8B51 04          MOV EDX,DWORD PTR DS:[ECX+4]

 ECX = 000001A8
 DS:[000001AC]=???





 [!] DISCLAIMER

 This document and all the information it contains are provided "as  is",
 for  educational  purposes  only,  without warranty of any kind, whether
 express or implied.

 The authors reserve the right not to be responsible for the  topicality,
 correctness,  completeness  or  quality  of the information  provided in
 this document. Liability claims regarding damage caused by  the  use  of
 any  information  provided,  including  any kind of information which is
 incomplete or incorrect, will therefore be rejected.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ