AVTECH Software (AVC781Viewer.dll) ActiveX Multiple Remote Vulnerabilities

Title: AVTECH Software (AVC781Viewer.dll) ActiveX Multiple Remote Vulnerabilities
Advisory ID: ZSL-2010-4934
Type: Local/Remote
Impact: System Access, DoS
Risk: (4/5)
Release Date: 19.04.2010
Summary
AVTECH Software, a private corporation founded in 1988, is a computer software and hardware manufacturer specializing in providing Windows NT/2K/XP/2K3 products to monitor multi-OS computers and network issues throughout a department or an entire enterprise. Once issues or events occur, AVTECH Software products use today's most advanced alerting technologies to communicate critical and important status information to remote system managers and IT professionals via mobile phones, pagers, PDAs, email, the web and more. Automatic corrective actions can also be taken to immediately resolve issues, run scripts, and shutdown/restart servers or applications.

AVTECH Software is now the premier worldwide manufacturer of environment monitoring equipment specifically designed to monitor today's advanced computer rooms and data centers. Our Room Alert and TemPageR products are used to monitor environmental conditions in many of the world's most secure data centers and are installed in almost every branch of the US government.
Description
AVTECH Software's AVC781Viewer ActiveX Control suffers from multiple remote vulnerabilities such as buffer overflow, integer overflow and denial of service (IE crash). These issues are triggered when an attacker convinces a victim user to visit a malicious website.

Remote attackers may exploit these issues to execute arbitrary machine code in the context of the affected application, facilitating the remote compromise of affected computers. Failed exploit attempts will likely result in browser crashes.

--------------------------------------------------------------------------------

(265c.26b4): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00fe46f0 ebx=00000000 ecx=baadf00d edx=0000001f esi=baadf00d edi=0013f030
eip=10019003 esp=0013ed2c ebp=0013eef4 iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010246
*** WARNING: Unable to verify checksum for C:\WINDOWS\system32\AVC_AX_724_VIEWER.dll
*** ERROR: Symbol file could not be found. Defaulted to export symbols for AVC_AX_724_VIEWER.dll -
AVC_AX_724_VIEWER+0x19003:
10019003 837e3c65 cmp dword ptr [esi+3Ch],65h ds:0023:baadf049=????????

--------------------------------------------------------------------------------
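
To check whether a host carries the control described above, the following added PowerShell example (not part of the original advisory and not AVTECH's code) searches the COM registrations for the two DLL names that appear on this page and reports whether Internet Explorer's kill bit is set for each matching CLSID. It assumes a machine-wide (HKLM) registration; the function name Get-AvtechControlStatus is hypothetical.

```powershell
# DLL names as they appear in this advisory (title and debugger output).
$DllNames = 'AVC781Viewer.dll', 'AVC_AX_724_VIEWER.dll'
$KillBit  = 0x400   # "Compatibility Flags" bit that stops IE from loading a control

# A 32-bit control on 64-bit Windows registers under Wow6432Node, so audit both views.
$Views = @(
    @{ Name   = 'native'
       Clsid  = 'HKLM:\SOFTWARE\Classes\CLSID'
       Compat = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility' },
    @{ Name   = 'wow64'
       Clsid  = 'HKLM:\SOFTWARE\Classes\Wow6432Node\CLSID'
       Compat = 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility' }
)

function Get-AvtechControlStatus {   # hypothetical name, not from the advisory
    foreach ($view in $Views) {
        if (-not (Test-Path -LiteralPath $view.Clsid)) { continue }
        foreach ($key in Get-ChildItem -LiteralPath $view.Clsid -ErrorAction SilentlyContinue) {
            # Read the in-process server path; skip keys we cannot open.
            try   { $sub = $key.OpenSubKey('InprocServer32') }
            catch { continue }
            if ($null -eq $sub) { continue }
            $server = [string]$sub.GetValue('')   # default value holds the DLL path
            $sub.Close()
            if (-not ($DllNames | Where-Object { $server -like "*$_*" })) { continue }

            # Look up the kill bit for this CLSID in the matching registry view.
            $compatKey = Join-Path $view.Compat $key.PSChildName
            $flags = 0
            if (Test-Path -LiteralPath $compatKey) {
                $flags = [int](Get-Item -LiteralPath $compatKey).GetValue('Compatibility Flags', 0)
            }
            [pscustomobject]@{
                View       = $view.Name
                Clsid      = $key.PSChildName
                Server     = $server
                KillBitSet = [bool]($flags -band $KillBit)
            }
        }
    }
}

Get-AvtechControlStatus | Format-Table -AutoSize
```

An empty result means no matching registration was found under HKLM; a row with KillBitSet False is a control that Internet Explorer will still load.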

Vendor
AVTECH Software, Inc. - http://www.avtech.com
Affected Version
1.0.9.4
Tested On
Microsoft Windows XP Professional Service Pack 3 (English)
Microsoft Internet Explorer 8.0.6001.18702
Vendor Status
N/A
PoC
avtech_ax.txt
Credits
Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>
References
[1] http://www.exploit-db.com/exploits/12294
[2] http://securityreason.com/securityalert/7260
[3] http://securityreason.com/exploitalert/8132
[4] http://www.packetstormsecurity.org/filedesc/ZSL-2010-4934.txt.html
[5] http://www.hackbase.com/tech/2010-04-21/59934.html
[6] http://www.vfocus.net/art/20100420/6979.html
[7] http://xforce.iss.net/xforce/xfdb/57939
Changelog
[19.04.2010] - Initial release
[20.04.2010] - Added reference [4]
[21.04.2010] - Added reference [5], [6] and [7]
Contact
Zero Science Lab

Web: http://www.zeroscience.mk
e-mail: lab@zeroscience.mk