NSOADV-2010-008: AnNoText Third-Party ActiveX Control Buffer Overflow

2010-06-23T00:00:00
ID SECURITYVULNS:DOC:24117
Type securityvulns
Reporter Securityvulns
Modified 2010-06-23T00:00:00

Description


-------------------------- NSOADV-2010-008 ---------------------------

    AnNoText Third-Party ActiveX Control Buffer Overflow


                           111101111
                    11111 00110 00110001111
               111111 01 01 1 11111011111111
            11111  0 11 01 0 11 1 1  111011001
         11111111101 1 11 0110111  1    1111101111
       1001  0 1 10 11 0 10 11 1111111  1 111 111001
     111111111 0 10 1111 0 11 11 111111111 1 1101 10
    00111 0 0 11 00 0 1110 1 1011111111111 1111111 11  100
   10111111 0 01 0  1 1 111110 11 1111111111111  11110000011
   0111111110 0110 1110 1 0 11101111111111111011 11100  00
   01111 0 10 1110 1 011111 1 111111111111111111111101 01
   01110 0 10 111110 110 0 11101111111111111111101111101
  111111 11 0 1111 0 1 1 1 1 111111111111111111111101 111
  111110110 10 0111110 1 0 0 1111111111111111111111111 110
111 11111 1  1 111 1   10011 101111111111011111111 0   1100

111 10 110 101011110010 11111111111111111111111 11 0011100 11 10 001100 0001 111111111111111111 10 11 11110 11110 00100 00001 10 1 1111 101010001 11111111 11101 0 1011 10000 00100 11100 00001101 0 0110 111011011 0110 10001 101 11110 1011 1 10 101 000001 01 00 1010 1 11001 1 1 101 10 110101011 0 101 11110 110000011 111



Title: AnNoText Third-Party ActiveX Control Buffer Overflow Severity: Critical Advisory ID: NSOADV-2010-008 Found Date: 18.03.2010 Date Reported: 25.03.2010 Release Date: 11.06.2010 Author: Nikolas Sotiriu Mail: nso-research at sotiriu.de Website: http://sotiriu.de/ Twitter: http://twitter.com/nsoresearch Advisory-URL: http://sotiriu.de/adv/NSOADV-2010-008.txt Vendor: AnNoText (http://www.annotext.de/) Affected Products: ADVOAkte 17 Build 4.8.0.116 Patchlevel 034 Affected Component: KEYHELPLib ActiveX Control V.1.1.2200.0 Remote Exploitable: Yes Local Exploitable: No Patch Status: unknown (No response from vendor) Discovered by: Nikolas Sotiriu Disclosure Policy: http://sotiriu.de/policy.html Thanks to: Thierry Zoller: For the permission to use his Policy

Background:

AnNoText is a German Company, which makes Software for lawyers.

Description:

During the installation of the ADVOAkte an ActiveX Control will be installed (keyhelp.ocx), in which multiple functions are vulnerable to a buffer oveflow bugs, which could lead to a remote code execution.

Registered Classes: +------------------

Name: KeyPopup Class Vendor: KeyWorks Software Type: ActiveX-Control Version: 1.1.2200.0 GUID: {1E57C6C4-B069-11D3-8D43-00104B138C8C} File: keyhelp.ocx Folder: C:\WINDOWS\system32\ Safe for Script: True Safe for Init: False

Name: KeyScript Class Vendor: KeyWorks Software Type: ActiveX-Control Version: 1.1.2200.0 GUID: {45E66957-2932-432A-A156-31503DF0A681} File: keyhelp.ocx Folder: C:\WINDOWS\system32\ Safe for Script: True Safe for Init: False

Name: KeyHelp Embedded Window Vendor: KeyWorks Software Type: ActiveX-Control Version: 1.1.2200.0 GUID: {B7ECFD41-BE62-11D2-B9A8-00104B138C8C} File: keyhelp.ocx Folder: C:\WINDOWS\system32\ Safe for Script: True Safe for Init: True

Proof of Concept :

http://sotiriu.de/software/NSOPOC-2010-008.zip

(coming soon)

Solution:

Disable the vulnerable ActiveX Control by setting the kill bit for the following CLSID:

{1E57C6C4-B069-11D3-8D43-00104B138C8C} {45E66957-2932-432A-A156-31503DF0A681} {B7ECFD41-BE62-11D2-B9A8-00104B138C8C}

Save the following text as a .REG file and imported to set the kill bit for this controls:

+-------------------------------------- Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{1E57C6C4-B069-11D3-8D43-00104B138C8C}] "Compatibility Flags"=dword:00000400

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{45E66957-2932-432A-A156-31503DF0A681}] "Compatibility Flags"=dword:00000400

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{B7ECFD41-BE62-11D2-B9A8-00104B138C8C}] "Compatibility Flags"=dword:00000400 +--------------------------------------

More information about how to set the kill bit is available in Microsoft Support Document 240797 (http://support.microsoft.com/kb/240797).

Disclosure Timeline (YYYY/MM/DD):

2010.03.18: Vulnerability found. 2010.03.25: Initial contact by support email address. 2010.03.29: Second contact by support, info and vertrieb (sales) email address. Sent the Notification and Disclosure Policy and the release date (2010.04.08). 2010.03.29: Initial Vendor response. 2010.03.30: Sent PoC, Advisory, Disclosure policy and planned disclosure date (2010.04.08) to Vendor 2010.04.08: Ask for a status update, because the planned release date is 2010.04.08. [-] No Response 2010.04.12: Set Release Date to 2010.04.15. 2010.04.08: Ask for a status update, because the planned release date is 2010.04.15. [-] No Response 2010.04.15: Set Release Date to 2010.04.22. 2010.04.16: Vendor informed me that the vulnerability is a third party issue and AnNoText contacted them. 2010.05.20: Asked if AnNoText already got a fixed version of the third party component. [-] No Response 2010.06.08: Informed AnNoText that the final release date is now the 2010.06.10 [-] No Response 2010.06.11: Release of this Advisory on my website 2010.06.19: Release of this Advisory on full-disc and Bugtraq