Message-ID: <c1ffcacb0705220416u538c5df0s3560ceb6bf54d9aa@mail.gmail.com>
Date: Tue, 22 May 2007 20:16:54 +0900
From: BPS <l1nefeed@...il.com>
To: full-disclosure@...ts.grok.org.uk
Subject: KSign KSignSWAT ActiveX Control Multiple Buffer
	Overflows Vulnerability

Title : KSign KSignSWAT ActiveX Control Multiple Buffer Overflows Vulnerability

Version : AxKSignSWAT.dll (KSignSWAT ActiveX Control) ver. 2.0.3.3

Discoverer : KIM, KEE HONG (l1nefeed@...il.com)

Critical : High Critical

Test system : Windows XP SP2 Korean (All patched)
            : Windows XP SP2 English (All patched)

Vendor : KSign (www.ksign.com)

Solution : patched.

Note : 2007/05/14 notified KISA (Korean Information Security Agency)
       2007/05/15 Confirmed Vulnerability
       2007/05/21 Patched by Vendor (maybe...)
       2007/05/22 Disclosure.

Description:

KSign's KSignSWAT ActiveX is a common certification solution that people use for
Internet banking, government sites and stock trading.

The KSignSWAT ActiveX has multiple buffer overflow vulnerabilities.

If an HTML file crafted to use this vulnerability is opened,
then you'll get the system admin's privilege.

KSignSWAT ActiveX has 5 vulnerable functions: SWAT_Init(), SWAT_InitEx(),
SWAT_InitEX2(), SWAT_InitEx3(), SWAT_Login(). These functions request several
arguments (over 2 arguments) and these functions didn't check the argument buffer
size.

It's a very simple buffer overflow, even in a Windows environment.

1. SWAT_Init()
Has 5 arguments. The buffer size of the 2nd argument is not checked, so we can
overwrite EIP (over 664 bytes).

2. SWAT_InitEx()
Has 7 arguments. The buffer size of the 2nd argument is not checked, so we can
overwrite EIP (over 664 bytes).

3. SWAT_InitEx2()
Has 8 arguments. The buffer size of the 2nd argument is not checked, so we can
overwrite EIP (over 664 bytes).

4. SWAT_InitEx3()
Has 9 arguments. The buffer size of the 2nd argument is not checked, so we can
overwrite EIP (over 664 bytes).

5. SWAT_Login()
Has 1 argument. The buffer size of the argument is not checked, so we can
overwrite EIP (over 671 bytes).




POC CODE COMING SOON


Greet : BugTruck Group, PowerHacker Team (Thx, AmesianX)


-- 
B.P.S

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
