Aladdin Knowledge System Ltd. PrivAgent ActiveX Control 2.0 Multiple Remote Vulnerabilities
October 26, 2012
This OCX seems to be really poorly coded. I’ve found so many errors that I felt too choosy (yes Mrs. Elsa Fornero, I AM choosy and I AM proud of it) to test any other method.
Below is a list of methods affected by stack-based buffer overflows and insecure file download. A proof of concept, which exploits a good old-fashioned (or trivial, if you like) stack-based buffer overflow triggered simply by passing to the “ChooseFilePath” method a string longer than 268 bytes, is available here: http://shinnai.altervista.org/exploits/SH-021-20121026.html. In this case, after a memory read exception, we are in full control of EIP.
Here is the list of vulnerable methods; guess which ones are vulnerable to arbitrary file download?
#1
Function DownloadLicense (
    ByVal sURL As String,
    ByVal sPath As String,
    ByVal bInstall As Boolean
) As Long
#2
Function ChooseFilePath (
    ByVal sFileName As String
) As String
#3
Function InstallLicense (
    ByVal szLicensePath As String
) As Long
#4
Function InstallPrivilege (
    ByVal szInstFilePath As String
) As Long
#5
Function DownloadPrivilege (
    ByVal szURL As String,
    ByVal szTargetDir As String,
    ByVal bInstall As Boolean
) As Long
#6
Function InstallDevExt (
    ByVal szDevExtPath As String
) As Long
#7
Function DownloadDevExt (
    ByVal szURL As String,
    ByVal szTargetPath As String,
    ByVal bInstall As Boolean
) As Long
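Until a fixed build is available, the usual mitigation for a vulnerable ActiveX control is to set the Internet Explorer kill bit for its CLSID so the browser refuses to instantiate it. The script below is an added example (not part of the original advisory or the vendor's code); the advisory does not list the control's CLSID, so the value in $Clsid is a placeholder that must be replaced with the real one taken from the OCX's registration under HKCR\CLSID.

```powershell
# Added example: set the IE kill bit (COMPAT_EVIL_DONT_LOAD = 0x400) for an
# ActiveX control and verify it afterwards. Run from an elevated prompt.
# PLACEHOLDER CLSID: the advisory does not give the control's CLSID; take the
# real value from the PrivAgent OCX registration (HKCR\CLSID) before running.
$Clsid   = '{00000000-0000-0000-0000-000000000000}'
$KillBit = 0x400
$KeyPath = "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"

function Set-ActiveXKillBit {
    param([Parameter(Mandatory)][string]$Path)
    if (-not (Test-Path $Path)) {
        New-Item -Path $Path -Force | Out-Null
    }
    # Keep any compatibility flags already present and OR in the kill bit.
    $existing = 0
    $prop = Get-ItemProperty -Path $Path -Name 'Compatibility Flags' -ErrorAction SilentlyContinue
    if ($prop) { $existing = [int]$prop.'Compatibility Flags' }
    $new = $existing -bor $KillBit
    New-ItemProperty -Path $Path -Name 'Compatibility Flags' -PropertyType DWord `
        -Value $new -Force | Out-Null
    return $new
}

function Test-ActiveXKillBit {
    param([Parameter(Mandatory)][string]$Path)
    $prop = Get-ItemProperty -Path $Path -Name 'Compatibility Flags' -ErrorAction SilentlyContinue
    if (-not $prop) { return $false }
    return (([int]$prop.'Compatibility Flags' -band $KillBit) -eq $KillBit)
}

Set-ActiveXKillBit -Path $KeyPath | Out-Null
if (Test-ActiveXKillBit -Path $KeyPath) {
    Write-Output "Kill bit set for $Clsid"
} else {
    Write-Output "Kill bit NOT set for $Clsid"
}
```

On 64-bit Windows, apply the same value under HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\ as well so that the 32-bit browser honours it.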
Be safe and happy hunting.