
[Eleytt] 7LIPIEC2007



Eleytt Research 
www.eleytt.com






Overview/Credit: 
====================

Michal Bucko
 
www.eleytt.com/michal.bucko
 
sapheal.hack.pl





Vulnerability Table
===================

1. Firefox 2.0.0.4 Remote Denial of Service Vulnerability

2. Microsoft Register Server Remote Denial of Service Issue

3. FreeWRL 1.19.3 doBrowserAction() Memory Corruption Conditions

4. Nonnoi ASP Barcode Arbitrary File Overwrite Vulnerability

5. Eltima Software VSPAX Remote Denial of Service Vulnerability

6. Media Player Classic 6.4.9.0 Malformed .FLV Memory Corruption Conditions

7. Eltima Software RunService AX Multiple Denial of Service Vulnerabilities

8. Symantec Norton Ghost 12.0 FileBackup.DLL Remote Denial of Service

9. Symantec Norton Ghost 12.0 Remote Arbitrary Code Execution

10. ActiveReportsExcelReport EXCLEXPT.DLL Library Denial of Service Vulnerability

11. NMSDVDXLib Library Multiple Denial of Service Vulnerabilities

12. InnovaDSXP2.OCX ActiveX Control Multiple Vulnerabilities









Vulnerability Details
=========================




1. Firefox 2.0.0.4 Remote Denial of Service Vulnerability
======================================================

Firefox 2.0.0.4 is prone to a denial of service vulnerability. The PoC is
available at:

http://sapheal.hack.pl/phun/ff2die/

The latest version of Opera handles the issue gracefully. The latest
version of Internet Explorer is not vulnerable, thanks to its pop-up
blocker. This is in no way a critical issue: when the number of tabs
opened within the popup window is high, Firefox fails to react properly
and crashes.



The PoC provided consists of three files: cool.htm, hack.html and
index.html. The vulnerability can also be triggered in a different way.




2. Microsoft Register Server Remote Denial of Service Issue
================================================================



The PoC is available on request. The issue results in denial of service
conditions due to a null pointer dereference; code execution is not
possible. This should probably not be called a vulnerability, as the
issue most likely has no security-related impact.

For more information, please use:

www.eleytt.com






3. FreeWRL 1.19.3 doBrowserAction() Function Memory Corruption Conditions
======================================================================

Introduction:

FreeWRL is an open-source VRML and X3D browser written primarily for the
Linux (Unix) and OS X platforms. FreeWRL runs on both 32- and 64-bit Linux
platforms. FreeWRL has been released as a Universal Binary for the OS X
platform, so it runs natively on both Intel and G4 Apple computers.
FreeWRL can be run standalone or within most HTML browsers. FreeWRL can
also be accessed via both the EAI and SAI interfaces to enable control of
visual content via an external programming interface. FreeWRL is used to
view models built by hand or generated by other programs, such as Geant4,
Nagios, Wings3d and White-Dune.

Description:

FreeWRL 1.19.3 suffers from memory corruption conditions. The function
doBrowserAction(), when retrieving the environment variable BROWSER,
copies its value into a buffer of insufficient size. The memory corruption
stems from improper bounds checking. Arbitrary code execution is possible.
Exploitation would require changing the value of the environment variable.
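The bug class described above, as an added example that is not FreeWRL's code: a bounded copy of an environment value that refuses an overlong value instead of overflowing a fixed-size buffer. The buffer size and the function names are assumptions.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed illustration of the defect class: a fixed-size buffer
 * filled from an environment variable without a bounds check.
 *
 * Vulnerable pattern (shown only as a comment, not compiled):
 *     char browser[BROWSER_BUF_SIZE];
 *     strcpy(browser, getenv("BROWSER"));  -- overflows on a long value
 */

#define BROWSER_BUF_SIZE 100   /* assumed size, not FreeWRL's */

/* Copy value into dst (dst_size bytes) only if it fits, terminator
 * included. Returns 0 on success, -1 if value is NULL or too long.
 * dst is always NUL-terminated on return, so callers never read junk. */
int copy_env_value_bounded(const char *value, char *dst, size_t dst_size)
{
    if (dst == NULL || dst_size == 0)
        return -1;
    dst[0] = '\0';
    if (value == NULL)
        return -1;
    /* Measure at most dst_size bytes: an overlong value is rejected
     * without scanning the rest of the string. */
    size_t len = 0;
    while (len < dst_size && value[len] != '\0')
        len++;
    if (len >= dst_size)           /* no room left for the NUL */
        return -1;
    memcpy(dst, value, len + 1);   /* copies the terminator too */
    return 0;
}

/* Hardened replacement for the lookup: rejects an overlong BROWSER
 * value rather than writing past the end of the buffer. */
int get_browser_bounded(char *dst, size_t dst_size)
{
    return copy_env_value_bounded(getenv("BROWSER"), dst, dst_size);
}

int main(void)
{
    char browser[BROWSER_BUF_SIZE];
    if (get_browser_bounded(browser, sizeof browser) == 0)
        printf("BROWSER=%s\n", browser);
    else
        fprintf(stderr, "BROWSER unset or longer than %d bytes; ignored\n",
                BROWSER_BUF_SIZE - 1);
    return 0;
}
```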





4. Nonnoi ASP Barcode Arbitrary File Overwrite Vulnerability
========================================================

Introduction:

ASP/Barcode is a server side COM component that allows web developers to
add barcodes to their applications. It supports most standard barcodes:
Code39, Code39Ext, Code128 (A, B, C, Auto), Code93, Code93Extended, MSI,
PostNet, Codabar, EAN8, EAN13, etc.


Description:

The ActiveX control (nonnoi_ASPBarcode.dll) allows overwriting of
arbitrary files on the remote machine. The function
SaveBarcode(char * filenameA) overwrites the file named by filenameA on
the remote machine.






5. Eltima Software VSPAX Remote Denial of Service Vulnerability
============================================================

Introduction:

Virtual Serial Port is a powerful advanced ActiveX Control that allows
your application to create an additional custom virtual serial port in
the system and fully control it. The created virtual port looks like a
real serial port to other Windows applications. From your application you
can control data sent to the virtual COM port by other applications and
respond to them by sending your own data to the virtual port, which will
be received by other Windows applications as if from a real one.


Description:

Multiple functions in VSPort.DLL, when improperly used, lead to denial
of service conditions. Vulnerable functions:

Function Attach ( ByVal PortName As String ) As Boolean
Function Write ( ByRef Buffer As Byte ,  ByVal Count As Long ) As Long
Function WriteStr ( ByVal String As String ) As Long





6. Media Player Classic 6.4.9.0 Malformed .FLV Memory Corruption
================================================================

The PoC is available on request. The issue results in denial of service
conditions. Remote code execution might be possible, but this has not
been confirmed yet.
   
For more information, please use:

www.eleytt.com






7. Eltima Software RunService AX Multiple Denial of Service Vulnerabilities
========================================================================

Introduction:

Run Service ActiveX is a powerful tool for quick creation of Windows
Services. All that you have to do is to register the ActiveX Control in
your system and place it on the form. Now you may use all the benefits of
Windows Services. Using this control's methods, events and properties you
will be able to start/stop/pause your service, launch an application in a
new thread, define the service group which your application belongs to,
modify service group order dependencies, etc.


Description:

Multiple functions in RunServiceLib (RunService.dll), when improperly
used, lead to denial of service conditions. One of the vulnerable
functions is:

Sub AcceptControls ( ByVal Flags As Long ,  ByVal Accept As Boolean )



8. Symantec Norton Ghost FileBackup.DLL Remote Denial of Service
==============================================================

Multiple functions in the FileBackup.DLL library are prone to remote
denial of service vulnerabilities. The PoC exploit takes advantage of
the UpdateCatalog(String) function.





9. Symantec Norton Ghost 12.0 Remote Arbitrary Code Execution
==========================================================


The Connect(String) function in the RemoteCommand.DLL library is
vulnerable to a buffer overflow. Remote exploitation of the vulnerability
is probably possible. An example WSF PoC exploit is available from Eleytt
(only on request).




For more information, please use:

www.eleytt.com







10. ActiveReportsExcelReport EXCLEXPT.DLL Library Denial of Service Vulnerability
===============================================================

DDRow (variable Height), when improperly initialized in the
ActiveReportsExcelExport library, leads to denial of service conditions.
The PoC exploit is available from Eleytt Research.




For more information, please use:

www.eleytt.com






11. NMSDVDXLib Library Multiple Denial of Service Vulnerabilities
=============================================================

Multiple variables in NMSDVDXU.DLL, when improperly initialized, might
lead to denial of service conditions. LoadSegmentWord, PartitionType,
SectorCount and BootFilePath are the variables that lead to denial of
service conditions.


For a PoC exploit, please contact:

www.eleytt.com






12. InnovaDSXP2.OCX ActiveX Control Multiple Vulnerabilities
========================================================

The InnovaDSXP2.OCX ActiveX Control is prone to multiple vulnerabilities.
Improper use of the SaveToFile function results in denial of service
conditions.











Eleytt - Company Information
============================

Eleytt Corporation specializes in penetration testing, vulnerability
development, advanced reverse engineering and exploitation techniques.
Eleytt provides various security-related services: risk assessment,
security policy, security assurance, incident management, web
application security testing and continuous security assurance programs.
Eleytt provides security audits for financial institutions and e-commerce.
Eleytt provides in-depth security analysis: experienced security experts
analyze your source code, your application and your web application.
Eleytt runs security programs for financial institutions and e-commerce.

Our mission is to improve the security level of software and web
applications. We help you implement more secure applications. We help you
understand the risk and deploy security solutions. We help you avoid
costly business disruptions.




These are the questions which might help you understand how we work:
====================================================================

Want to get your web site checked for security vulnerabilities?

Your server requires real penetration testing?

Interested in Eleytt Business Continuity Program?

Interested in Eleytt Application Security Program?




For more information, please use:

www.eleytt.com





DISCLAIMER
==========


This document and all the information it contains are provided "as is",
for educational purposes only, without warranty of any kind, whether
express or implied.

The authors reserve the right not to be responsible for the topicality,
correctness, completeness or quality of the information provided in
this document. Liability claims regarding damage caused by the use of
any information provided, including any kind of information which is
incomplete or incorrect, will therefore be rejected.