Aladdin Knowledge System Ltd. PrivAgent ActiveX Control 2.0 Multiple Remote Vulnerabilities
October 26, 2012
This ocx seems to be really poorly coded. I’ve found so many errors that I felt too choosy (yes Mrs. Elsa Fornero, I AM choosy and I AM proud of it) to test any other method.
Below is a list of methods affected by stack-based buffer overflows and insecure file download. A proof of concept is available here: http://shinnai.altervista.org/exploits/SH-021-20121026.html. It exploits a good old-fashioned (or trivial, if you like) stack-based buffer overflow, triggered simply by passing a string longer than 268 bytes to the “ChooseFilePath” method. In this case, after a memory read exception, we are in full control of EIP.
Here is the list of vulnerable methods. Guess which ones are vulnerable to arbitrary file download?
#1 Function DownloadLicense ( ByVal sURL As String , ByVal sPath As String , ByVal bInstall As Boolean ) As Long
#2 Function ChooseFilePath ( ByVal sFileName As String ) As String
#3 Function InstallLicense ( ByVal szLicensePath As String ) As Long
#4 Function InstallPrivilege ( ByVal szInstFilePath As String ) As Long
#5 Function DownloadPrivilege ( ByVal szURL As String , ByVal szTargetDir As String , ByVal bInstall As Boolean ) As Long
#6 Function InstallDevExt ( ByVal szDevExtPath As String ) As Long
#7 Function DownloadDevExt ( ByVal szURL As String , ByVal szTargetPath As String , ByVal bInstall As Boolean ) As Long
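As an added illustration (not code from the control, whose source is not on the page), the C example below puts the unchecked fixed-buffer copy pattern behind this class of stack-based overflow next to a length-checked version. The function names and the 260-byte buffer size are assumptions made for the example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed size for illustration (Windows MAX_PATH); the control's real
   buffer size is not stated on the page. */
#define PATH_BUF_LEN 260

/* Hypothetical "before": caller-controlled input is copied into a fixed
   stack buffer with no length check. Shown for contrast, never called. */
size_t choose_file_path_unchecked(const char *file_name)
{
    char path[PATH_BUF_LEN];
    strcpy(path, file_name);   /* writes past path[] when input >= PATH_BUF_LEN */
    return strlen(path);
}

/* Hardened "after": reject NULL and over-long input before copying.
   Returns 0 on success, -1 on rejection; out is always NUL-terminated. */
int choose_file_path_checked(const char *file_name, char *out, size_t out_len)
{
    const char *end;
    size_t n;

    if (out == NULL || out_len == 0)
        return -1;
    out[0] = '\0';
    if (file_name == NULL)
        return -1;
    /* Look for the terminator within out_len bytes only. */
    end = memchr(file_name, '\0', out_len);
    if (end == NULL)
        return -1;             /* input plus terminator would not fit */
    n = (size_t)(end - file_name);
    memcpy(out, file_name, n);
    out[n] = '\0';
    return 0;
}

int main(void)
{
    char out[PATH_BUF_LEN];
    char long_name[301];       /* constructed sample input: 300 'A' bytes */

    memset(long_name, 'A', 300);
    long_name[300] = '\0';
    printf("short: %d\n", choose_file_path_checked("license.dat", out, sizeof out));
    printf("long:  %d\n", choose_file_path_checked(long_name, out, sizeof out));
    return 0;
}
```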
Be safe and happy hunting.