lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <4C1CE769.3070902@sotiriu.de>
Date: Sat, 19 Jun 2010 17:51:05 +0200
From: NSO Research <nso-research@...iriu.de>
To: bugtraq@...urityfocus.com
Subject: NSOADV-2010-009: AnNoText Third-Party ActiveX Control file overwrite
 vulnerability

______________________________________________________________________
-------------------------- NSOADV-2010-009 ---------------------------

  AnNoText Third-Party ActiveX Control file overwrite vulnerability
______________________________________________________________________
______________________________________________________________________

                               111101111
                        11111 00110 00110001111
                   111111 01 01 1 11111011111111
                11111  0 11 01 0 11 1 1  111011001
             11111111101 1 11 0110111  1    1111101111
           1001  0 1 10 11 0 10 11 1111111  1 111 111001
         111111111 0 10 1111 0 11 11 111111111 1 1101 10
        00111 0 0 11 00 0 1110 1 1011111111111 1111111 11  100
       10111111 0 01 0  1 1 111110 11 1111111111111  11110000011
       0111111110 0110 1110 1 0 11101111111111111011 11100  00
       01111 0 10 1110 1 011111 1 111111111111111111111101 01
       01110 0 10 111110 110 0 11101111111111111111101111101
      111111 11 0 1111 0 1 1 1 1 111111111111111111111101 111
      111110110 10 0111110 1 0 0 1111111111111111111111111 110
    111 11111 1  1 111 1   10011 101111111111011111111 0   1100
   111 10  110 101011110010   11111111111111111111111 11 0011100
   11 10     001100     0001      111111111111111111 10 11 11110
  11110       00100      00001     10 1  1111  101010001 11111111
  11101        0  1011     10000    00100 11100        00001101 0
  0110         111011011             0110   10001        101 11110
  1011                 1             10 101   000001        01   00
   1010 1                              11001      1 1        101  10
      110101011                          0 101                 11110
            110000011
                      111
______________________________________________________________________
______________________________________________________________________

  Title:                  AnNoText Third-Party ActiveX Control file
                          overwrite vulnerability
  Severity:               Low
  Advisory ID:            NSOADV-2010-009
  Found Date:             18.03.2010
  Date Reported:          25.03.2010
  Release Date:           11.06.2010
  Author:                 Nikolas Sotiriu
  Mail:                   nso-research at sotiriu.de
  Website:                http://sotiriu.de/
  Twitter:                http://twitter.com/nsoresearch
  Advisory-URL:           http://sotiriu.de/adv/NSOADV-2010-009.txt
  Vendor:                 AnNoText (http://www.annotext.de/)
  Affected Products:      ADVOMahn Edition 21
  Affected Components     IDAutomation Linear BarCode V.1.6.0.6
                          IDautomation PDF417 Barcode V.1.6.0.6
  Remote Exploitable:     Yes
  Local Exploitable:      No
  Patch Status:           unknown (No response from vendor)
  Discovered by:          Nikolas Sotiriu
  Disclosure Policy:      http://sotiriu.de/policy.html
  Thanks to:              Thierry Zoller: For the permission to use his
                                          Policy



Background:
===========

AnNoText is a German Company, which makes Software for lawyers.



Description:
============

During the installation of the ADVOMahn two ActiveX Control will be
installed (IDAutomationLinear6.dll and IDAutomationPDF417_6.dll), in
which the functions "SaveBarCode" and "SaveEnhWMF" can lead to a file
overwrite bug.

Controls:
+--------

Name:             IDAutomation Linear BarCode 1.606
Vendor:           IDAutomation.com Inc.
Type:             ActiveX-Control
Version:          1.6.0.6
GUID:             {0C3874AA-AB39-4B5E-A768-45F3CE6C6819}
File:             IDAutomationLinear6.dll
Folder:           C:\WINDOWS\system32\
Safe for Script:  True
Safe for Init:    True


Name:             IDautomation PDF417 Barcode
Vendor:           IDAutomation.com Inc.
Type:             ActiveX-Control
Version:          1.6.0.6
GUID:             {E97EE6EB-7FBE-43B1-B6D8-C4D86C78C5A0}
File:             IDAutomationPDF417_6.dll
Folder:           C:\WINDOWS\system32\
Safe for Script:  True
Safe for Init:    True



Proof of Concept :
==================

http://sotiriu.de/software/NSOPOC-2010-009.zip

(coming soon)



Solution:
=========

Disable the vulnerable ActiveX Control by setting the kill bit for the
following CLSID:

{0C3874AA-AB39-4B5E-A768-45F3CE6C6819}
{E97EE6EB-7FBE-43B1-B6D8-C4D86C78C5A0}

Save the following text as a .REG file and imported to set the kill bit
for this controls:

+--------------------------------------
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX
Compatibility\{0C3874AA-AB39-4B5E-A768-45F3CE6C6819}]
"Compatibility Flags"=dword:00000400

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX
Compatibility\{E97EE6EB-7FBE-43B1-B6D8-C4D86C78C5A0}]
"Compatibility Flags"=dword:00000400

+--------------------------------------

More information about how to set the kill bit is available in Microsoft
Support Document 240797 (http://support.microsoft.com/kb/240797).



Disclosure Timeline (YYYY/MM/DD):
=================================

2010.03.18: Vulnerability found.
2010.03.25: Initial contact by support email address.
2010.03.29: Second contact by support, info and vertrieb (sales) email
            address. Sent the Notification and Disclosure Policy and
            the release date (2010.04.08).
2010.03.29: Initial Vendor response.
2010.03.30: Sent PoC, Advisory, Disclosure policy and planned disclosure
            date (2010.04.08) to Vendor
2010.04.08: Ask for a status update, because the planned release date is
            2010.04.08.
            [-] No Response
2010.04.12: Set Release Date to 2010.04.15.
2010.04.08: Ask for a status update, because the planned release date is
            2010.04.15.
            [-] No Response
2010.04.15: Set Release Date to 2010.04.22.
2010.04.16: Vendor informed me that the vulnerability is a third party
            issue and AnNoText contacted them.
2010.05.20: Asked if AnNoText already got a fixed version of the third
            party component.
            [-] No Response
2010.06.08: Informed AnNoText that the final release date is now the
            2010.06.10
            [-] No Response
2010.06.11: Release of this Advisory on my website
2010.06.19: Release of this Advisory on full-disc and Bugtraq




Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ