
Re: [Full-disclosure] ChemViewX ActiveX Control Multiple Stack Overflows
Why do you talk so much about vulnerability? I don't understand how your
information reaches my mailbox so easily.

___________________________________________

> From: paul.craig@xxxxxxxxxxxxxxxxxxxxxxx
> To: full-disclosure@xxxxxxxxxxxxxxxxx
> Date: Fri, 12 Feb 2010 13:25:51 +1300
> Subject: [Full-disclosure] ChemViewX ActiveX Control Multiple Stack Overflows
> 
> 
>      (    , )     (,
>   .   `.' ) ('.    ',
>    ). , ('.   ( ) (
>   (_,) .`), ) _ _,
>  /  _____/  / _  \    ____  ____   _____  
>  \____  \==/ /_\  \ _/ ___\/  _ \ /     \
>  /       \/   |    \\  \__(  <_> )  Y Y  \
> /______  /\___|__  / \___  >____/|__|_|  /
>         \/         \/.-.    \/         \/:wq
>                     (x.0)
>                   '=.|w|.='
>                   _='`"``=.
> 
>         presents..
> 
> ChemviewX ActiveX Control Multiple Stack Overflows
> Versions affected: v1.9.5
> 
> +-----------+
> |Description|
> +-----------+
> 
> Hyleos ChemviewX is a free ActiveX control used to visualize chemical
> structures made from MDL or MOL files. The control is commonly used by
> university students, organic and inorganic chemists, and chemical engineers.
> 
> The ClassID of the object is {C372350A-1D5A-44DC-A759-767FC553D96C} and 
> the control is marked safe for scripting.
> Two stack overflows were discovered in the ActiveX control, both
> overflow conditions can be used to gain command execution.
>     
> +------------+
> |Exploitation|
> +------------+
> 
> Both stack overflow conditions relate to a fixed length buffer being used to
> remove excessive whitespace characters from supplied file paths.
> 
> The methods SaveasMolFile and ReadMolFile are both vulnerable to
> a stack overflow condition which can be reached when supplying
> more than 400 white-space characters in the filename argument.
> 
> Both tab and space characters can be used to trigger the overflow condition.
> The 401-404th byte will result in the overflow of the call stack return address.
> Both vulnerabilities can be used to gain command execution when combined
> with a JavaScript heap spray when jumping into a pre-allocated heap.
> 
> +--------+
> |Solution|
> +--------+
> 
> The vendor was contacted multiple times over a two month period without any
> response.
> Use of this control is not suggested as it appears to be unmaintained.
> If you use this ActiveX control consider setting the kill bit for the
> control's ClassID ({C372350A-1D5A-44DC-A759-767FC553D96C}), or uninstalling
> the control.
> 
> +------+
> |Credit|
> +------+
> 
> Discovered and advised to Hyleos in December 2009 by Paul Craig - 
> Security-Assessment.com
> This advisory is also available from our website:
> http://www.security-assessment.com/files/advisories/2010-02-11_ChemviewX_Activex.pdf
> 
> Security-Assessment.com is a New Zealand based world leader in web
> application testing, network security and penetration testing.
> Security-Assessment.com works with organisations across New Zealand,
> Australia, Asia Pacific, the United States and the United Kingdom.
> 
> 
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/