~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Application: blaxxun3D(blaxxun Platform) Vendors: http://www.blaxxun.com Version: 7 Platforms: Windows Bug: Buffer Overflow Risk: High - Running Arbitary Code At SYSTEM Level Exploitation: Remote with browser Date: 1 Apr 2004 Author: Rafel Ivgi, The-Insider e-mail: the_insider@mail.com web: http://theinsider.deep-ice.com ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 1) Introduction 2) Bugs 3) The Code ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ =============== 1) Introduction =============== blaxxun Platform 7 offers an easy and cost-effective way to for businesses and organizations to develop, deploy and maintain collaborative virtual environments for web community and conferencing applications. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ====== 2) Bug ====== blaxxun Platform 7 registers the following application type: "application/x-cc3d". After the first time the platform was used, this type of object can be created localy & remotely! For Example: The vulnerability appears in the "url" property of the object. Which means that the following assignment: rafi.url = [Long Url - 'A'>255] Will cause a buffer overflow, allowing a remote user to run arbitary code at system level. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ =========== 3) The Code =========== This is Proof Of Concept Code: ------------------- CUT HERE ------------------- ------------------- CUT HERE ------------------- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ --- Rafel Ivgi, The-Insider http://theinsider.deep-ice.com "Only the one who sees the invisible , Can do the Impossible."