NSOADV-2010-009: AnNoText Third-Party ActiveX Control file overwrite vulnerability



______________________________________________________________________
-------------------------- NSOADV-2010-009 ---------------------------

AnNoText Third-Party ActiveX Control file overwrite vulnerability
______________________________________________________________________
______________________________________________________________________

111101111
11111 00110 00110001111
111111 01 01 1 11111011111111
11111 0 11 01 0 11 1 1 111011001
11111111101 1 11 0110111 1 1111101111
1001 0 1 10 11 0 10 11 1111111 1 111 111001
111111111 0 10 1111 0 11 11 111111111 1 1101 10
00111 0 0 11 00 0 1110 1 1011111111111 1111111 11 100
10111111 0 01 0 1 1 111110 11 1111111111111 11110000011
0111111110 0110 1110 1 0 11101111111111111011 11100 00
01111 0 10 1110 1 011111 1 111111111111111111111101 01
01110 0 10 111110 110 0 11101111111111111111101111101
111111 11 0 1111 0 1 1 1 1 111111111111111111111101 111
111110110 10 0111110 1 0 0 1111111111111111111111111 110
111 11111 1 1 111 1 10011 101111111111011111111 0 1100
111 10 110 101011110010 11111111111111111111111 11 0011100
11 10 001100 0001 111111111111111111 10 11 11110
11110 00100 00001 10 1 1111 101010001 11111111
11101 0 1011 10000 00100 11100 00001101 0
0110 111011011 0110 10001 101 11110
1011 1 10 101 000001 01 00
1010 1 11001 1 1 101 10
110101011 0 101 11110
110000011
111
______________________________________________________________________
______________________________________________________________________

Title: AnNoText Third-Party ActiveX Control file
overwrite vulnerability
Severity: Low
Advisory ID: NSOADV-2010-009
Found Date: 18.03.2010
Date Reported: 25.03.2010
Release Date: 11.06.2010
Author: Nikolas Sotiriu
Mail: nso-research at sotiriu.de
Website: http://sotiriu.de/
Twitter: http://twitter.com/nsoresearch
Advisory-URL: http://sotiriu.de/adv/NSOADV-2010-009.txt
Vendor: AnNoText (http://www.annotext.de/)
Affected Products: ADVOMahn Edition 21
Affected Components IDAutomation Linear BarCode V.1.6.0.6
IDautomation PDF417 Barcode V.1.6.0.6
Remote Exploitable: Yes
Local Exploitable: No
Patch Status: unknown (No response from vendor)
Discovered by: Nikolas Sotiriu
Disclosure Policy: http://sotiriu.de/policy.html
Thanks to: Thierry Zoller: For the permission to use his
Policy



Background:
===========

AnNoText is a German Company, which makes Software for lawyers.



Description:
============

During the installation of the ADVOMahn two ActiveX Control will be
installed (IDAutomationLinear6.dll and IDAutomationPDF417_6.dll), in
which the functions "SaveBarCode" and "SaveEnhWMF" can lead to a file
overwrite bug.

Controls:
+--------

Name: IDAutomation Linear BarCode 1.606
Vendor: IDAutomation.com Inc.
Type: ActiveX-Control
Version: 1.6.0.6
GUID: {0C3874AA-AB39-4B5E-A768-45F3CE6C6819}
File: IDAutomationLinear6.dll
Folder: C:\WINDOWS\system32\
Safe for Script: True
Safe for Init: True


Name: IDautomation PDF417 Barcode
Vendor: IDAutomation.com Inc.
Type: ActiveX-Control
Version: 1.6.0.6
GUID: {E97EE6EB-7FBE-43B1-B6D8-C4D86C78C5A0}
File: IDAutomationPDF417_6.dll
Folder: C:\WINDOWS\system32\
Safe for Script: True
Safe for Init: True



Proof of Concept :
==================

http://sotiriu.de/software/NSOPOC-2010-009.zip

(coming soon)



Solution:
=========

Disable the vulnerable ActiveX Control by setting the kill bit for the
following CLSID:

{0C3874AA-AB39-4B5E-A768-45F3CE6C6819}
{E97EE6EB-7FBE-43B1-B6D8-C4D86C78C5A0}

Save the following text as a .REG file and imported to set the kill bit
for this controls:

+--------------------------------------
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX
Compatibility\{0C3874AA-AB39-4B5E-A768-45F3CE6C6819}]
"Compatibility Flags"=dword:00000400

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX
Compatibility\{E97EE6EB-7FBE-43B1-B6D8-C4D86C78C5A0}]
"Compatibility Flags"=dword:00000400

+--------------------------------------

More information about how to set the kill bit is available in Microsoft
Support Document 240797 (http://support.microsoft.com/kb/240797).



Disclosure Timeline (YYYY/MM/DD):
=================================

2010.03.18: Vulnerability found.
2010.03.25: Initial contact by support email address.
2010.03.29: Second contact by support, info and vertrieb (sales) email
address. Sent the Notification and Disclosure Policy and
the release date (2010.04.08).
2010.03.29: Initial Vendor response.
2010.03.30: Sent PoC, Advisory, Disclosure policy and planned disclosure
date (2010.04.08) to Vendor
2010.04.08: Ask for a status update, because the planned release date is
2010.04.08.
[-] No Response
2010.04.12: Set Release Date to 2010.04.15.
2010.04.08: Ask for a status update, because the planned release date is
2010.04.15.
[-] No Response
2010.04.15: Set Release Date to 2010.04.22.
2010.04.16: Vendor informed me that the vulnerability is a third party
issue and AnNoText contacted them.
2010.05.20: Asked if AnNoText already got a fixed version of the third
party component.
[-] No Response
2010.06.08: Informed AnNoText that the final release date is now the
2010.06.10
[-] No Response
2010.06.11: Release of this Advisory on my website
2010.06.19: Release of this Advisory on full-disc and Bugtraq



Relevant Pages