[Eleytt] 7LIPIEC2007
Eleytt Research
www.eleytt.com
Overview/Credit:
====================
Michal Bucko
www.eleytt.com/michal.bucko
sapheal.hack.pl
Vulnerability Table
===================
1. Firefox 2.0.0.4 Remote Denial of Service Vulnerability
2. Microsoft Register Server Remote Denial of Service Issue
3. FreeWRL 1.19.3 doBrowserAction() Memory Corruption Conditions
4. Nonnoi ASP Barcode Arbitrary File Overwrite Vulnerablity
5. Eltima Software VSPAX Remote Denial of Service Vulnerability
6. Media Player Classic 6.4.9.0 Malformed .FLV Memory Corruption Conditions
7. Eltima Software RunService AX Multiple Denial of Service Vulnerabilities
8. Symantec Norton Ghost 12.0 FileBackup.DLL Remote Denial of Service
9. Symantec Norton Ghost 12.0 Remote Arbitrary Code Execution
10. ActiveReportsExcelReport EXCLEXPT.DLL Library Denial of Service
Vulnerability
11. NMSDVDXLib Library Multiple Denial of Service Vulnerabilities
12. InnovaDSXP2.OCX ActiveX Control Multiple Vulnerabilities
Vulnerability Details
=========================
=========================
1. Firefox 2.0.0.4 Remote Denial of Service Vulnerability
======================================================
Firefox 2.0.0.4 is prone to denial of service vulnerability. The
vulnerability
PoC is available at:
http://sapheal.hack.pl/phun/ff2die/
The latest version of Opera nicely handles the issue. The latest version of
Internet Explorer takes advantage of its Pop-up blocker, and is not
vulnerable.
This is in no way a critical issue - when an amount of tabs opened within
the
popup window is high, FF fails to react properly and crashes.
The PoC provided consists of three files: cool.htm, hack.html, index.html.
The
vulnerability can be trigger in a different way.
2. Microsoft Register Server Remote Denial of Service Issue
================================================================
The PoC is available on request. Denial of service conditions due to null
dereference, code execution is not possible. This probably should not be
called a vulnerability as this issue has probably no security-related
impact.
For more information, please use:
www.eleytt.com
3. FreeWRL 1.19.3 doBrowserAction() Function Memory Corruption Conditions
======================================================================
Introduction:
FreeWRL is an open-source VRML and X3D browser written primarily for the
Linux (Unix) and OS X platforms. FreeWRL runs on both 32 and 64 bit Linux
platforms. FreeWRL has been released as a Universal Binary for the OS X
platform - it can run natively on both Intel and G4 Apple computers.
FreeWRL can be run standalone, or within most html browsers. FreeWRL can
also be accessed via both the EAI and SAI interfaces to enable control of
visual content via an external programming interface. FreeWRL is used to
view models built by hand, or generated from other programs, such
as Geant4, Nagios, Wings3d and White-Dune.
Description:
FreeWRL 1.19.3 suffers from memory corruption conditions. Function
doBrowserAction(), when retrieving the environment variable BROWSER, copies
the data into buffer of an insufficient size. Memory corruption stems from
improper bounds checking. Arbitrary code execution is possible. The
exploitation would require changing the value of the environment variable.
4. Nonnoi ASP Barcode Arbitrary File Overwrite Vulnerablity
========================================================
Introduction:
ASP/Barcode is a server side COM component that allows web developers to
add barcodes to their applications. It supports most standard barcodes :
Code39, Code39Ext, Code128 (A,B,C, Auto), Code93, Code93Extended, MSI,
PostNet, Codabar, EAN8, EAN13 ,etc.
Description:
ActiveX control (nonnoi_ASPBarcode.dll) allows overwritting of arbitrary
files on the remote machine. Function SaveBarcode(char * filenameA)
overwrites a file of a name filenameA on the remote machine.
5. Eltima Software VSPAX Remote Denial of Service Vulnerability
============================================================
Introduction:
Virtual Serial Port is a powerful advanced ActiveX Control that allows
your application to create custom additional virtual serial port in
system and fully control it. Created virtual port looks like real
serial port for other Windows applications. From your application you
can control data sent to virtual com port by other applications and
respond to them by sending your own data to virtual port, which will
be received by other Windows applications like from a real one.
Description:
Multiple functions in VSPort.DLL, when improperly used, lead to denial
of service conditions.Vulnerable functions:
Function Attach ( ByVal PortName As String ) As Boolean
Function Write ( ByRef Buffer As Byte , ByVal Count As Long ) As Long
Function WriteStr ( ByVal String As String ) As Long
6. Media Player Classic 6.4.9.0 Malformed .FLV Memory Corruption
================================================================
The PoC is available on request. Denial of service conditions. Remote
code execution might be possible, but this has not been confirmed yet.
For more information, please use:
www.eleytt.com
7. Eltima Software RunService AX Multiple Denial of Service Vulnerabilities
========================================================================
Introduction:
Run Service ActiveX is a powerful tool for quick creation of Windows
Service.
All that you have to do is to register the ActiveX Control in your system
and
place it on the form. Now you may use all the benefits of Windows Services.
Using this control's methods, events and properties you will be able to
start
/stop/pause your service, launch application in the new thread, define
service
group which your application belongs to, modify service group order
dependencies etc.
Description:
Multiple function in RunServiceLib (RunService.dll), when improperly used,
lead to denial of service conditions. One of vulnerable functions is:
Sub AcceptControls ( ByVal Flags As Long , ByVal Accept As Boolean )
8. Symantec Norton Ghost FileBackup.DLL Remote Denial of Service
==============================================================
Multiple functions in FileBackup.DLL library are prone to remote
denial of service vulnerabilities. PoC exploit takes advantage
of UpdateCatalog(String) function.
9. Symantec Norton Ghost 12.0 Remote Arbitrary Code Execution
==========================================================
Function: Connect(String) in RemoteCommand.DLL library is vulnerable
to a buffer overflow vulnerability. Remote exploitation of the
vulnerability is probably possible. The WSF exemplary PoC exploit
is available at Eleytt (only on request).
For more information, please use:
www.eleytt.com
10. ActiveReportsExcelReport EXCLEXPT.DLL Library Denial of Service
Vulnerability
===============================================================
DDRow (variable Height) when improperly initialized in
ActiveReportsExcelExport library leads to a denial of service
conditions. The PoC exploit is available at Eleytt Research.
For more information, please use:
www.eleytt.com
11. NMSDVDXLib Library Multiple Denial of Service Vulnerabilities
=============================================================
NMSDVDXU.DLL multiple variables (when improperly initialized) might
lead to denial of service conditions. LoadSegmentWord, PartitionType,
SectorCount and BootFilePath lead to denial of service conditions.
For a PoC exploit, please contact:
www.elett.com
12. InnovaDSXP2.OCX ActiveX Control Multiple Vulnerabilities
========================================================
InnovaDSXP2.OCX ActiveX Control is prone to multiple vulnerabilities.
Improper use of SaveToFile function results in denial of service
conditions.
Eleytt - Company Information
============================
Eleytt Corporation is specialized in penetration testing, vulnerability
development, advanced reverse engineering and exploitation techniques.
Eleytt provides various security-related services: risk assessment,
security policy, security assurance, incident management, web
application security testing, continuous security assurance programs.
Eleytt provides security audits for financial institutions and e-commerce.
Eleytt provides an in-depth security analysis - experienced security
experts analyze your source code, analyze your application, analyze your
web application. Eleytt runs security programs for financial institutons
and e-commerce.
We have the mission to improve the security level of software and web
applications. It is us who help you implement more secure applications.
We help you understand the risk and deploy security solutions. We help
you avoid costly business disruptions.
These are the questions, which might help you understand how we work:
=====================================================================
Want to get your web site checked for security vulnerabilities?
Your server requires real penetration testing?
Interested in Eleytt Business Continuity Program?
Interested in Eleytt Application Security Program?
For more information, please use:
www.eleytt.com
DISCLAIMER
==========
This document and all the information it contains are provided "as is",
for educational purposes only, without warranty of any kind, whether
express or implied.
The authors reserve the right not to be responsible for the topicality,
correctness, completeness or quality of the information provided in
this document. Liability claims regarding damage caused by the use of
any information provided, including any kind of information which is
incomplete or incorrect, will therefore be rejected.