[NT] BitDefender Online Scanner 8 Double Decode Heap Overflow



The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html

- - - - - - - - -



BitDefender Online Scanner 8 Double Decode Heap Overflow
------------------------------------------------------------------------


SUMMARY

eEye Digital Security has discovered a critical remote code execution
condition within OScan8.ocx and Oscan81.ocx included by default in
BitDefender Online Anti-Virus Scanner 8.0 released on May 24th 2006.
OScan.ocx is the main ActiveX component for BitDefender's Anti-Virus
Scanner and is initialized by Internet Explorer or any other ActiveX
compatible products. After this file is initialized, it generates the GUI
for the scanner and manages all User-issued commands. Oscan.ocx has also
an internal website verification system to prevent the ActiveX control
from being initialized outside of an authorized domain. Unfortunately due
to a lack of data-sanitization, OScan.ocx can be forced to be initialized
in an unsafe domain and it can be manipulated to corrupt arbitrary memory
locations with user supplied values. This could allow a memory corruption
scenario that would lead to arbitrary code execution or denial of service
conditions.

DETAILS

A remote vulnerability lies within a malformed request sent to
BitDefender's Online Anti-Virus Scanner ActiveX Controller, OScan.ocx.
OScan.ocx's vulnerable function, InitX, is the only function that accepts
user-supplied data and is required to initialize the control for its use.
The function InitX takes a string argument value of bstrLocation and is
used to verify the calling domain. The IDL for InitX resembles the
following:

Function InitX
{
ByVal bstrLocation as String
} As Boolean

This feature is used to safeguard the ActiveX control and prevent it from
being initialized outside of authorized domains. Users may submit requests
to host this control on their site and they are given an initialization
key. Referencing the BitDefender website you can see that their domain is
being processed with the following hex-value key:


AvxUI.InitX('000000408E45E3394593BF66F0C93C6CF90AF0F0AB417E17657D7F328A2
312ACBE0B139EF3EBFB69939B1C3B24D8BC392D752B8408EAACCD809B94D38B8F9B5E97B
1C1A6')

After this domain key is processed and verified the control would
initialize and accept user commands and begin scanning files. However a
double-decoding vulnerability is present when processing Unicode values
passed to the vulnerable function as a domain key. This vulnerability is
triggered prior to the domain validation by prepending two "%" (0x25)
characters to domain key value. This causes OScan.ocx to double-encode the
parameter from Unicode and allocate arbitrary memory. By combining this
method with an overly long string, a heap-based memory corruption scenario
will result. This heap-overflow allows arbitrary values from the
user-supplied malformed string to overwrite memory within Internet
Explorer or the host ActiveX process. Although the attacker does not
control the location of where the memory overwrite occurs, the
vulnerability has a tendency to overwrite pointers that are later called
by Internet Explorer or the host ActiveX process and thus arbitrary code
execution is possible.

Vendor Status:
BitDefender has released an update mitigating this vulnerability in the
form of Oscan82.ocx. Users can download the updated Online BitDefender
Scanner Here: <http://www.bitdefender.com/scan8/ie.html>
http://www.bitdefender.com/scan8/ie.html

Although the vulnerable ActiveX controls will still remain on a
workstation after revisiting the site, they are no longer referenceable.


ADDITIONAL INFORMATION

The information has been provided by Greg Linares.
The original article can be found at:
<http://research.eeye.com/html/advisories/published/AD20071120.html>
http://research.eeye.com/html/advisories/published/AD20071120.html



========================================


This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@xxxxxxxxxxxxxx
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@xxxxxxxxxxxxxx


====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.



Relevant Pages

  • [NT] Kaspersky Web Scanner ActiveX Format String Vulnerability
    ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... Kaspersky Web Scanner ActiveX Format String Vulnerability ... Remote exploitation of a format string vulnerability in Kaspersky Lab's ... The ActiveX control in question has the following ...
    (Securiteam)
  • [NT] Juniper Networks SSL-VPN Client Buffer Overflow
    ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... Juniper Networks SSL-VPN Client Buffer Overflow ... JuniperSetup.ocx ActiveX control is automatically loaded ... The vulnerability exists in JuniperSetupDLL.dll which is loaded from ...
    (Securiteam)
  • [NT] GraceNote CDDBControl ActiveX Buffer Overflow Vulnerability
    ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... GraceNote CDDBControl ActiveX Buffer Overflow Vulnerability ... The specific flaw exists due to a buffer overflow in an ActiveX control ...
    (Securiteam)
  • [NT] BearShare NCTAudioFile2 ActiveX Control Buffer Overflow
    ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... BearShare NCTAudioFile2 ActiveX Control Buffer Overflow ... The vulnerability is caused due to a boundary error in the ... Successful exploitation allows execution of arbitrary code when a user ...
    (Securiteam)
  • [UNIX] Trend Micro VirusWall Buffer Overflow in VSAPI Library
    ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... buffer overflow vulnerability in VSAPI library allows arbitrary code ... is called "vscan" which is set suid root by default. ... permissions and thus granted all local users the privilege to execute the ...
    (Securiteam)