Message-ID: <SNT115-W64EE7CF43A35D8E5CF5187A04D0@phx.gbl>
Date: Fri, 12 Feb 2010 10:49:40 -0400
From: Rosa Maria Gonzalez Pereira <analuis13@...mail.com>
To: <paul.craig@...urity-assessment.com>, <full-disclosure@...ts.grok.org.uk>
Subject: Re: ChemViewX ActiveX Control Mutliple Stack Overflows
Why do you talk so much about vulnerability? I don't understand how your information reaches my mailbox so easily.
___________________________________________
> From: paul.craig@...urity-assessment.com
> To: full-disclosure@...ts.grok.org.uk
> Date: Fri, 12 Feb 2010 13:25:51 +1300
> Subject: [Full-disclosure] ChemViewX ActiveX Control Mutliple Stack Overflows
>
>
> ( , ) (,
> . `.' ) ('. ',
> ). , ('. ( ) (
> (_,) .`), ) _ _,
> / _____/ / _ \ ____ ____ _____
> \____ \==/ /_\ \ _/ ___\/ _ \ / \
> / \/ | \\ \__( <_> ) Y Y \
> /______ /\___|__ / \___ >____/|__|_| /
> \/ \/.-. \/ \/:wq
> (x.0)
> '=.|w|.='
> _='`"``=.
>
> presents..
>
> ChemviewX ActiveX Control Multiple Stack Overflows
> Versions affected: v1.9.5
>
> +-----------+
> |Description|
> +-----------+
>
> Hyleos ChemviewX is a free ActiveX control used to visualize chemical
> structures made from MDL or MOL files. The control is commonly used by
> university students, organic and inorganic chemists, and chemical engineers.
>
> The ClassID of the object is {C372350A-1D5A-44DC-A759-767FC553D96C} and
> the control is marked safe for scripting.
> Two stack overflows were discovered in the ActiveX control, both
> overflow conditions can be used to gain command execution.
>
> +------------+
> |Exploitation|
> +------------+
>
> Both stack overflow conditions relate to a fixed length buffer being used to
> remove excessive whitespace characters from supplied file paths.
>
> The methods SaveasMolFile and ReadMolFile are both vulnerable to
> a stack overflow condition which can be reached when supplying
> more than 400 white-space characters in the filename argument.
>
> Both tab and space characters can be used to trigger the overflow condition.
> The 401-404th byte will result in the overflow of the call stack return address.
> Both vulnerabilities can be used to gain command execution when combined
> with a JavaScript heap spray when jumping into a pre-allocated heap.
>
> +--------+
> |Solution|
> +--------+
>
> The vendor was contacted multiple times over a two month period without any response.
> Use of this control is not suggested as it appears to be unmaintained.
> If you use this ActiveX control consider setting the kill bit for the control’s
> Classid ({C372350A-1D5A-44DC-A759-767FC553D96C}), or uninstalling the control.
>
> +------+
> |Credit|
> +------+
>
> Discovered and advised to Hyleos in December 2009 by Paul Craig - Security-Assessment.com
> This advisory is also available from our website:
> http://www.security-assessment.com/files/advisories/2010-02-11_ChemviewX_Activex.pdf
>
> Security-Assessment.com is a New Zealand based world leader in web application testing, network security
> and penetration testing. Security-Assessment.com works with organisations across New Zealand, Australia,
> Asia Pacific, the United States and the United Kingdom.
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
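The kill-bit mitigation recommended in the quoted advisory, as an added example that is not part of the advisory or of either message. It assumes the standard Internet Explorer kill-bit mechanism (a "Compatibility Flags" DWORD with bit 0x400 under the "ActiveX Compatibility" key), which the advisory does not spell out; the function name Set-KillBit is hypothetical, and the script must run from an elevated prompt.

```powershell
# Added example: set and verify the IE kill bit for the ClassID named in the advisory.
$Clsid   = '{C372350A-1D5A-44DC-A759-767FC553D96C}'  # ClassID from the advisory
$KillBit = 0x00000400                                 # assumption: standard kill-bit flag value

# 32-bit IE on 64-bit Windows reads the Wow6432Node view, so cover both views.
$Roots = @('HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility')
if (Test-Path 'HKLM:\SOFTWARE\Wow6432Node') {
    $Roots += 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
}

function Set-KillBit {
    param([string]$Root, [string]$Clsid, [int]$Flag)
    $key = Join-Path $Root $Clsid
    if (-not (Test-Path -LiteralPath $key)) {
        New-Item -Path $key -Force | Out-Null
    }
    # Keep any compatibility flags already present and OR in the kill bit.
    $prop = Get-ItemProperty -LiteralPath $key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue
    $current = if ($prop) { [int]$prop.'Compatibility Flags' } else { 0 }
    New-ItemProperty -Path $key -Name 'Compatibility Flags' -PropertyType DWord `
        -Value ($current -bor $Flag) -Force | Out-Null
    # Read the value back so the result reflects what is actually stored.
    $stored = [int](Get-ItemProperty -LiteralPath $key).'Compatibility Flags'
    return (($stored -band $Flag) -eq $Flag)
}

# Inventory: report whether the control is registered on this host at all.
$server = "Registry::HKEY_CLASSES_ROOT\CLSID\$Clsid\InprocServer32"
if (Test-Path -LiteralPath $server) {
    $dll = (Get-ItemProperty -LiteralPath $server).'(default)'
    Write-Output "Control is registered: $dll"
} else {
    Write-Output 'Control is not registered; the kill bit is set as a precaution.'
}

foreach ($root in $Roots) {
    $ok = Set-KillBit -Root $root -Clsid $Clsid -Flag $KillBit
    Write-Output ("{0} -> kill bit set: {1}" -f $root, $ok)
}
```

The kill bit only stops Internet Explorer from instantiating the control; uninstalling it, as the advisory also suggests, removes the vulnerable code from the host.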