[Full-disclosure] Webex atucfobj Module ActiveX Control Buffer Overflow Vulnerability

From: "Elazar Broad" <elazar@xxxxxxxxxxxx>
Date: Wed, 06 Aug 2008 13:20:02 -0400

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Who:
Webex
http://www.webex.com/

What:
Webex Meeting Manager
http://support.webex.com/support/downloads.html

How:
The Webex Meeting Manager utilizes several ActiveX controls, one of
which is vulnerable to a stack based buffer overflow. The atucfobj
Module contains a single method called NewObject() who's only
parameter is vulnerable to this issue.

This issue has been confirmed in version 20.2008.2601.4928, prior
versions are believed to vulnerable as well.

atucfobj.dll version 20.2008.2601.4928
{32E26FD9-F435-4A20-A561-35D4B987CFDC}

Fix:
The vendor has released version 20.2008.2606.4919 of this control,
which fixes this issue. The control should be updated when the user
joins a meeting.

Workaround:
Set the killbit for the affected control. See
http://support.microsoft.com/kb/240797

Credit:
When I reported this issue to the vendor, they had stated that they
were aware of it, but would not say whether it was the result of an
internal audit or an independent researcher.

Timeline:
06/20/2008 -> Issue reported to the vendor
06/21/2008 <- Vendor responds asking for further details
06/22/2008 -> Details sent with PoC
06/25/2008 <- Vendor responds stating that they are aware of this
issue
08/06/2008 - Disclosure

Elazar

-----BEGIN PGP SIGNATURE-----
Charset: UTF8
Note: This signature can be verified at https://www.hushtools.com/verify
Version: Hush 3.0

wpwEAQECAAYFAkiZ3PAACgkQi04xwClgpZiyOgP8CM9oC+m3tr5TBU6ZbvacAcq/SqXu
zIUjqfGWz/GNaRRXISzPLrp7aYwepxXL/uxp+zmHR+h0phGOf2FoLmuBY1g3WULmaFu1
oQbGbVfNuS21qH/YvC9mWuOFSeoYOogsyKDGX1Iha6jNDsj5+JlbAIsqk9xwyb021eTm
BpGN3W8=
=tQOJ
-----END PGP SIGNATURE-----

--
Hotel pics, info and virtual tours. Click here to book a hotel online.
http://tagline.hushmail.com/fc/Ioyw6h4eRCkjWyUGURkqKkn8TNo5LNJlfxlxQ4nlv0rtj3ey80N9EU/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Prev by Date: [Full-disclosure] CA Products That Embed Ingres Multiple Vulnerabilities
Next by Date: Re: [Full-disclosure] Media backlash begins against HD Moore and I)ruid
Previous by thread: [Full-disclosure] CA Products That Embed Ingres Multiple Vulnerabilities
Next by thread: [Full-disclosure] [USN-635-1] xine-lib vulnerabilities
Index(es):
- Date
- Thread

Relevant Pages

Re: page fault in igb driver on 8.0-RC2
... <Enhanced SpeedStep Frequency Control> on cpu0 ... vendor = 'Intel Corporation' ... subclass = interrupt controller ...
(freebsd-current)
RE: Blank fields when adding new record to combo box
... If you have a control on your form named Frodo, ... StartDate = StartDate ... you need to requery the combo so it has the new vendor in the ... Private Sub Combo35_NotInList ...
(microsoft.public.access.formscoding)
Re: A form, query and table
... My form is based on three things: vendor name, ... You put Controls on a form, usually one control bound to each field that you ... You are talking about "Table1 is dumped into ComboBox1". ... the Recordsource of your form should be Table4; ...
(microsoft.public.access.gettingstarted)
Re: Change Combo Box on Sub
... had to add the subform to a Control Tab and I'm having a hard time with the ... a Tab Control called TabCtl9 with a Page called Courses ... Vendor on my main form all of the Courses appear in the subform on a single ...
(microsoft.public.access.formscoding)
Re: Erratic Mouse Behavior
... Vendor & Model information would help. ... the Mouse control applet in Control Panel. ... -Different USB port ... This feels like malware but the scan tool ...
(microsoft.public.windowsxp.general)