[NT] AOL AmpX ActiveX Control Multiple Buffer Overflow Vulnerabilities



The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html

- - - - - - - - -



AOL AmpX ActiveX Control Multiple Buffer Overflow Vulnerabilities
------------------------------------------------------------------------


SUMMARY

America Online's <http://music.aol.com/radioguide/bb/> AmpX is an ActiveX
control associated with AOL Radio. It is typically used for embedding
streaming audio content in web pages.

Remote exploitation of multiple buffer overflow vulnerabilities in AOL's
AmpX ActiveX control could allow attackers to execute arbitrary code with
the credentials of the user visiting a malicious website.

DETAILS

Vulnerable Systems:
* America Online's AmpX.dll version 2.6.1.11
(Other versions are suspected to be vulnerable)

Several methods within the vulnerable ActiveX control (CLSID
B49C4597-8721-4789-9250-315DFBD9F525) were found to be vulnerable to
stack-based buffer overflows. In each case, variable length attacker
supplied data is copied into a fixed-size stack buffer using the strcpy()
function. Since no input validation is performed, it is possible to
corrupt stack memory, resulting in an exploitable condition.

Exploitation allows an attacker to execute arbitrary code in the context
of the user viewing a malicious web page. In order to be successful, the
attacker must persuade a user with the vulnerable control installed into
viewing a malicious web page. No further interaction is required.

Workaround:
In order to prevent exploitation of this vulnerability, an administrator
can set the kill-bit for the vulnerable control. While this does not fix
the vulnerability, it does prevent the control from being loaded in
Internet Explorer.

Vendor Status:
"An updated version of AOL Radio with enhanced security features is now
available. AOL recommends that you download and install the update to get
the best and most secure performance from AOL Radio. If you use AIM or
other AOL software, you will automatically receive a prompt to update AOL
Radio and you do not need to download and install this update now.
Otherwise, please download the update from the URL below and double-click
on the file to finish updating AOL Radio:
<http://radaol-prod-web-rr.streamops.aol.com/mediaplugin/unagi_patch.exe>
http://radaol-prod-web-rr.streamops.aol.com/mediaplugin/unagi_patch.exe";

CVE Information:
<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5755>
CVE-2007-5755


ADDITIONAL INFORMATION

The information has been provided by iDefense.
The original article can be found at:

<http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=623>
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=623



========================================


This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@xxxxxxxxxxxxxx
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@xxxxxxxxxxxxxx


====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.



Relevant Pages

  • [NT] CA ARCServe Backup for Laptops and Desktops Multiple Buffer Overflow Vulnerabilities
    ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... CA ARCServe Backup for Laptops and Desktops Multiple Buffer Overflow ... Remote exploitation of multiple buffer overflow vulnerabilities in ... rxsGetSubDirs, rxsGetServerDBPathName, rxsSetServerOptions, rxsDeleteFile, ...
    (Securiteam)
  • [NT] Novell eDirectory Multiple Vulnerabilities
    ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... Novell eDirectory Multiple Vulnerabilities ... Three different vulnerabilities were discovered in Novell's eDirectory ... NCP over IP length Heap Overflow: ...
    (Securiteam)
  • [UNIX] Apache HTTPD suEXEC Multiple Vulnerabilities
    ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... Apache HTTPD suEXEC Multiple Vulnerabilities ... Local exploitation of multiple vulnerabilities within Apache Software ... Foundation's suexec utility could allow an attacker to execute arbitrary ...
    (Securiteam)
  • [NEWS] Multiple Vendor ImageMagick DCM and XWD Buffer Overflow Vulnerabilities
    ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... Multiple Vendor ImageMagick DCM and XWD Buffer Overflow Vulnerabilities ...
    (Securiteam)
  • [NT] Multiple Vendor NOS Microsystems getPlus Downloader Stack Buffer Overflow Vulnerability
    ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... download, install, and update other software through the browser. ... Adobe uses this control ... for web based installations of Adobe Reader. ...
    (Securiteam)