|------------------------------------------------------------------| | __ __ | | _________ ________ / /___ _____ / /____ ____ _____ ___ | | / ___/ __ \/ ___/ _ \/ / __ `/ __ \ / __/ _ \/ __ `/ __ `__ \ | | / /__/ /_/ / / / __/ / /_/ / / / / / /_/ __/ /_/ / / / / / / | | \___/\____/_/ \___/_/\__,_/_/ /_/ \__/\___/\__,_/_/ /_/ /_/ | | | | http://www.corelan.be:8800 | | security@corelan.be | | | |-------------------------------------------------[ EIP Hunters ]--| | | | Vulnerability Disclosure Report | | | |------------------------------------------------------------------| Advisory : CORELAN-10-012 Disclosure date : 15/3/2010 0x00 : Vulnerability information -------------------------------- [*] Product : Liquid XML Studio 2010 [*] Version : <= v8.061970 [*] Vendor : http://www.liquid-technologies.com/ [*] URL : http://www.liquid-technologies.com/Download.aspx [*] Platform : Windows XP (IE 6 & 7) [*] Type of vulnerability : Heap buffer overflow [*] Risk rating : High [*] Issue fixed in version : v8.10 [*] Vulnerability discovered by : mr_me [*] Corelan Team : http://www.corelan.be:8800/index.php/security/corelan-team-members/ 0x01 : Vendor description of software ------------------------------------- Liquid XML Studio 2010 is an advanced XML developers toolkit and IDE, containing all the tools needed for designing and developing XML Schema and applications. In use by thousands of users around the globe and forming a key foundation in the XML activities of hundreds of Fortune 100 and FTSE 100 companies, Liquid XML Studio is an essential item in any XML developer's toolkit. 0x02 : Vulnerability details ---------------------------- By loading the activeX control (GUID: E68E401C-7DB0-4F3A-88E1-159882468A79) OpenFile() in the module LtXmlComHelp8.dll an attacker can pass an overly long string value and overwrite SEH, thus, hijacking the flow of execution. 0x03 : Vendor communication --------------------------- [*] 6th Feb, 2010 : Vendor contacted regarding vulnerability [*] 7th Feb, 2010 : Vendor responded stating they have identified the vulnerability and will fix in v8.10. [*] 14th Feb, 2010 : Vendor fixed the issue in v8.10. [*] 15th Feb, 2010 : Public Disclosure. 0x04 : Exploit/PoC ------------------ Note : you are not allowed to edit/modify this code. If you do, Corelan cannot be held responsible for any damages this may cause.
Liquid XML Studio 2010 v8.061970 - (LtXmlComHelp8.dll) OpenFile() Remote 0day Heap Overflow Exploit