lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-Id: <20090402190009.F3D0111804D@smtp.hushmail.com>
Date: Thu, 02 Apr 2009 15:00:06 -0400
From: "Elazar Broad" <elazar@...hmail.com>
To: bugtraq@...urityfocus.com, full-disclosure@...ts.grok.org.uk
Subject: Autodesk IDrop ActiveX Control Heap Corruption Vulnerability

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Who:
Autodesk
http://www.autodesk.com

What:
Autodesk IDrop ActiveX Control
http://usa.autodesk.com/adsk/servlet/index?siteID=123112&id=2753219&
linkID=9240618

IDrop.ocx
version 17.1.51.160
{21E0CB95-1198-4945-A3D2-4BF804295F78}

How:
The Src, Background, PackageXml properties can be manipulated to
trigger a heap use after free condition resulting in arbitrary
remote code execution. Other properties may be vulnerable as well.

Fix:
Remove or set the killbit for the affected control, see
http://support.microsoft.com/kb/240797.

Currently, there will be NO official patch for this issue.
Autodesk's statement is as follows:

"Thank you for taking the time and effort to identify a potential
issue with our technology. We do take each and every customer or
developer issue seriously and have spent time in reviewing your
analysis of our i-drop technology. At this time, we have ceased
investment in i-drop technology. It was released over five years
ago as a means for developers to leverage their content delivery;
we’ve made no new investment in this tool and have no current plans
to update it in the near future. We’ve recorded your issue in our
tracking database and will determine its priority if/when we
determine new investment is required for this technology.



Thank You – Autodesk"

Timeline:
06/17/2008 - Vendor notified
03/31/2009 - Vendor final response
04/02/2009 - this advisory

Credit:
Elazar Broad
-----BEGIN PGP SIGNATURE-----
Charset: UTF8
Version: Hush 3.0
Note: This signature can be verified at https://www.hushtools.com/verify

wpwEAQECAAYFAknVCzkACgkQi04xwClgpZjlOAP/XPrEIbz0bxFCYPQRo+NoK+3DlfIP
/PmdSufN+ySHp1XrFmYwRbYaer09DHMqzos39h5g824qOiWAlSLWsWa8CXGz0MMoDnnl
f0mly7WKylghfbu7OeK2/K3FI867671NvVWtDVaGOWlGQtZyfbC93FH5lA8CxztHcTBW
9YlNtYQ=
=ocum
-----END PGP SIGNATURE-----

--
Top brands, low prices. Find the right air conditioner for you. Click Now!
 http://tagline.hushmail.com/fc/BLSrjkqbxEyvLt703epmRxAxFQPfXpFNLe6mM84JyH6LVRuZguTES9k38fm/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ