HP Application Lifecycle Management XGO.ocx ActiveX SetShapeNodeType Method Vulnerability

2012-09-13T00:00:00
ID SAINT:6C8F1A4BC4776D8950AF276A7F0BD94E
Type saint
Reporter SAINT Corporation
Modified 2012-09-13T00:00:00

Description

Added: 09/13/2012
BID: 55272
OSVDB: 85152

Background

HP Application Lifecycle Management (ALM) is a software product designed to manage the application lifecycle from requirements through readiness for delivery from a single repository, providing a consistent user experience and customizable dashboard.

Problem

The XGO.ocx ActiveX control in HP Application Lifecycle Management exposes an insecure method, SetShapeNodeType, which is vulnerable to a type confusion error allowing user-specified memory to be used as an object. A remote attacker who persuades a user to visit a specially crafted web page could execute arbitrary code in the context of the process.

Resolution

Upgrade when HP provides one. In the interim, access to the HP Application Lifecycle Management service should be restricted to trusted machines.

References

<http://www.zerodayinitiative.com/advisories/ZDI-12-170/>

Limitations

This exploit has been tested against HP Lifecycle Management ActiveX 11.50.777.0 on Microsoft Windows XP SP3 English (DEP OptIn) and Microsoft Windows 7 SP1 (DEP OptIn).

The user must open the exploit page in Internet Explorer 8 or 9.

Platforms

Windows