WibuKey Runtime WkWin32.dll module DisplayMessageDialog overflow

2012-12-27T00:00:00
ID SAINT:26EB5F681820DAE2FA234F8FC1707E33
Type saint
Reporter SAINT Corporation
Modified 2012-12-27T00:00:00

Description

Added: 12/27/2012
BID: 56678
OSVDB: 87881

Background

WibuKey is a software protection and licensing solution.

Problem

A vulnerability in the WkWin32.dll ActiveX control in WibuKey Runtime allows command execution when a web page calls the **DisplayMessageDialog** method with a long, specially crafted parameter.

Resolution

Upgrade to WibuKey 6.10 or higher.

References

<http://secunia.com/advisories/49987/>

Limitations

The exploit works on WibuKey Runtime 6.00f on Windows XP SP3 English (DEP OptIn) and requires a user to open the exploit page in Internet Explorer 7.

Platforms

Windows