[<prev] [next>] [day] [month] [year] [list]
Message-ID: <c9f64a160703262129n56416530l4664b45e0b78574e@mail.gmail.com>
Date: Tue, 27 Mar 2007 12:29:56 +0800
From: "Alex Park" <saintlinu@...il.com>
To: "Secunia Research" <vuln@...unia.com>, full-disclosure@...ts.grok.org.uk,
bugtraq@...urityfocus.com
Subject: SignKorea's ActiveX Buffer Overflow Vulnerability
Title: SignKorea's ActiveX Buffer Overflow Vulnerability
Version: SKCommAX ActiveX Control Module 7,2,0,2
SKCommAX ActiveX Control Module(3280) 6,6,0,1
Discoverer: PARK, GYU TAE (saintlinu@...l2root.org)
Advisory No.: NRVA07-01
Critical: High critical
Impact: Gain remote user's privilege
Where: From remote
Operating System: Windows Only
Test Client System: Windows XP Service Pack 2 in KOREAN (Patched)
Windows XP Service Pack 2 in ENGLISH (Patched)
Solution Vendor: SignKorea, KOSCOM
Solution: Patched
Duration of patch: 6 Day(s) - don't ask me about this I don't know exactly
Notice: 17. 03. 2007 Initiate notified KISA(Korea Information Security
Agency)
21. 03. 2007 Vendor response and confirmed vulnerability
23. 03. 2007 Patched by vendor
26. 03. 2007 Public disclosure
Description:
The SKCommAX's ActiveX is common certification solution on the net
If citizen want to use Internet banking, Stock and so on like Online
banking services in Korea
then must be use PKI certification program like this ActiveX.
The SKCommAX's activex has one remote vulnerability (maybe)
If uses HTML file which was crafted by this vulnerability then you'll get
somebody's remote privilege.
See following detail describe:
SKCommAX's activex has DownloadCertificateExt() function. this function
requests two arguments(pszUserID and CertType).
This function didn't check pszUserID argument whether it's correct or not.
It's a pretty simple buffer overflow even Windows Environment.
EXPLOIT NOT INCLUDED HERE
You don't need exploit written by me bcoz you already known that
Greet: Null@...t Group, BugTruck Mailling and Information Security Team in
NCSoft.
--
Make Our Internet Secure With H4ck3rz
Content of type "text/html" skipped
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists