[NT] BitDefender Online Scanner 8 Double Decode Heap Overflow

Subject: [NT] BitDefender Online Scanner 8 Double Decode Heap Overflow
Date: 26 Nov 2007 10:44:03 +0200
The following security advisory is sent to the securiteam mailing list, and can 
be found at the SecuriTeam web site: http://www.securiteam.com

  BitDefender Online Scanner 8 Double Decode Heap Overflow
------------------------------------------------------------------------


SUMMARY

eEye Digital Security has discovered a critical remote code execution 
condition within OScan8.ocx and Oscan81.ocx, which are included by default 
in BitDefender Online Anti-Virus Scanner 8.0, released on May 24th 2006. 
OScan.ocx is the main ActiveX component of BitDefender's Anti-Virus 
Scanner and is initialized by Internet Explorer or any other 
ActiveX-compatible product. Once initialized, it generates the GUI for the 
scanner and manages all user-issued commands. OScan.ocx also has an 
internal website verification system to prevent the ActiveX control from 
being initialized outside of an authorized domain. Unfortunately, due to a 
lack of data sanitization, OScan.ocx can be forced to initialize in an 
unsafe domain and can be manipulated to corrupt arbitrary memory locations 
with user-supplied values. This memory corruption could lead to arbitrary 
code execution or denial of service conditions.

DETAILS

A remote vulnerability lies within a malformed request sent to 
BitDefender's Online Anti-Virus Scanner ActiveX control, OScan.ocx. 
OScan.ocx's vulnerable function, InitX, is the only function that accepts 
user-supplied data, and calling it is required to initialize the control 
for use. InitX takes a string argument, bstrLocation, which is used to 
verify the calling domain. The IDL for InitX resembles the following:

        Function InitX
        {
                ByVal bstrLocation as String
        } As Boolean

This feature is used to safeguard the ActiveX control and prevent it from 
being initialized outside of authorized domains. Users may submit requests 
to host this control on their site and they are given an initialization 
key. Referencing the BitDefender website you can see that their domain is 
being processed with the following hex-value key:

        AvxUI.InitX('000000408E45E3394593BF66F0C93C6CF90AF0F0AB417E17657D7F328A2312ACBE0B139EF3EBFB69939B1C3B24D8BC392D752B8408EAACCD809B94D38B8F9B5E97B1C1A6')

After this domain key is processed and verified, the control initializes, 
accepts user commands and begins scanning files. However, a 
double-decoding vulnerability is present when Unicode values passed to the 
vulnerable function as a domain key are processed. The vulnerability is 
triggered before domain validation by prepending two "%" (0x25) 
characters to the domain key value. This causes OScan.ocx to double-decode 
the parameter from Unicode and allocate arbitrary memory. Combining this 
with an overly long string results in heap-based memory corruption. This 
heap overflow allows arbitrary values from the user-supplied malformed 
string to overwrite memory within Internet Explorer or the hosting ActiveX 
process. Although the attacker does not control where the memory 
overwrite occurs, the vulnerability tends to overwrite pointers that are 
later called by Internet Explorer or the hosting ActiveX process, so 
arbitrary code execution is possible.
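For defenders reviewing proxy captures or web page content, the trigger the advisory describes (an InitX argument that begins with two "%" characters and is overly long, where a genuine domain key is a plain hex string) is easy to check for mechanically. The following Python script is an added example for this advisory, not code from eEye or BitDefender; the regular expression for the call shape, the MAX_KEY_LEN ceiling and the two sample pages are assumptions constructed for the example.

```python
from __future__ import annotations
import re

# Captures the quoted string argument of an InitX(...) call, the call shape the
# advisory quotes for AvxUI.InitX. The pattern is written for this example and
# handles only a single-quoted or double-quoted literal argument.
INITX_CALL = re.compile(r"""InitX\s*\(\s*(['"])(.*?)\1\s*\)""", re.DOTALL)

# The genuine domain key quoted in the advisory is a plain hexadecimal string.
HEX_KEY = re.compile(r"^[0-9A-Fa-f]+$")

# Assumption for this example: the advisory's sample key is 136 hex characters,
# so an argument several times longer than that is treated as "overly long".
MAX_KEY_LEN = 512


def inspect_initx_argument(arg: str) -> list[str]:
    """Return the reasons an InitX argument looks hostile; empty list means clean."""
    reasons: list[str] = []
    if arg.startswith("%%"):
        reasons.append("leading '%%': the double-decode trigger described in the advisory")
    if "%" in arg:
        reasons.append("percent characters present; a domain key is plain hex")
    elif not HEX_KEY.match(arg):
        reasons.append("non-hexadecimal characters in domain key")
    if len(arg) > MAX_KEY_LEN:
        reasons.append(f"argument length {len(arg)} exceeds {MAX_KEY_LEN}")
    return reasons


def scan_page(html: str) -> list[dict]:
    """Find every InitX call in captured page content and classify its argument."""
    findings = []
    for match in INITX_CALL.finditer(html):
        arg = match.group(2)
        findings.append({
            "argument_preview": arg[:24],
            "length": len(arg),
            "reasons": inspect_initx_argument(arg),
        })
    return findings


# Constructed sample pages (not real captures): a benign-looking call with a
# made-up 128-character hex key, and a hostile-looking call shaped the way the
# advisory describes (two leading '%' characters followed by a long string).
CONSTRUCTED_BENIGN_PAGE = (
    "<script>AvxUI.InitX('" + "00112233445566778899AABBCCDDEEFF" * 4 + "')</script>"
)
CONSTRUCTED_HOSTILE_PAGE = (
    "<script>AvxUI.InitX('%%" + "41" * 1000 + "')</script>"
)

if __name__ == "__main__":
    for name, page in (("benign", CONSTRUCTED_BENIGN_PAGE),
                       ("hostile", CONSTRUCTED_HOSTILE_PAGE)):
        for finding in scan_page(page):
            verdict = "FLAG" if finding["reasons"] else "ok"
            print(f"{name}: {verdict} len={finding['length']} {finding['reasons']}")
```

The check is deliberately conservative: it flags any InitX argument that is not plain hex, so a legitimate key from the BitDefender site passes while the malformed form described above is reported with every matching reason listed.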

Vendor Status:
BitDefender has released an update mitigating this vulnerability in the 
form of Oscan82.ocx. Users can download the updated Online BitDefender 
Scanner here: http://www.bitdefender.com/scan8/ie.html

Although the vulnerable ActiveX controls remain on a workstation after the 
site is revisited, they can no longer be referenced.


ADDITIONAL INFORMATION

The information has been provided by Greg Linares.
The original article can be found at:
http://research.eeye.com/html/advisories/published/AD20071120.html
