~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Application:  Panda ActiveScan
Vendors:      http://www.activescan.com
              http://www.pandasoftware.com/activescan/com/activescan_principal.htm
Version:      5.0
Platforms:    Windows
Bug:          Buffer Overflow and a Crash (DoS)
Risk:         High - Running Arbitrary Code at SYSTEM Level
Exploitation: Remote with browser
Date:         1 Apr 2004
Author:       Rafel Ivgi, The-Insider
e-mail:       the_insider@mail.com
web:          http://theinsider.deep-ice.com
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

1) Introduction
2) Bugs
3) The Code

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

===============
1) Introduction
===============

Panda ActiveScan 5.0 is a free tool for detecting and eliminating viruses.
It detects and eliminates more than 66.000 viruses.
It scans for viruses in e-mails and compressed files.
It is updated every day.
It warns when new viruses appear.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

======
2) Bug
======

Panda ActiveScan 5.0 installs and registers "ascontrol.dll", which
contains the following COM objects:

ASControl Type Library: {A52FF42A-9D92-4C41-B3B7-87EBB1B84839}
ASControl.ReportHebrew.1 (any language) - {237AFA6B-D75C-445B-9D87-68DB699FAB32}
ASControls.InstallEngineCtl.1 - {6E449683-C509-11CF-AAFA-00AA00B6015C}
ASControl.Seleccion.1 - {6CEC0297-FAFB-41FB-97EA-77E3081B1DFE}
ASControl.Lista.1 - {4826196E-5CD9-4029-A1D3-789D4651D2C2}
ASControl.ControlConexion.1 - {6FDCDD41-6C97-4A3B-9E6D-0144B66A1CE4}

After ActiveScan has been used for the first time, objects of this type
can be created locally and remotely! This will probably affect the report
objects for all other languages as well.

For example:

Set object = CreateObject("ASControl.ReportHebrew.1")

The vulnerability is in the "Internacional" property of the object.
This means that the following assignment:

object.Internacional = [Long String - 'A'>255]

will cause a buffer overflow, allowing a remote user to run arbitrary
code at SYSTEM level.

Another vulnerability is in the "SetSitesFile" function of the
Install Engine object.

Set object = CreateObject("ASControls.InstallEngineCtl.1")

The function receives the following parameters:

object.SetSitesFile(url as string{must exist}, Region as const, language as const)

However, the use of this function crashes the software.
This means that the following call:

Set object = CreateObject("ASControls.InstallEngineCtl.1")
object.SetSitesFile "http://rafiwarez.tripod.com/ncx.exe", ASIA, hebrew

will cause the software to crash and will close that Internet Explorer
window.

* Addon: Panda Antivirus Titanium 7 fails to offer scanning by shell
integration (right mouse button menu) to non-alphabetic chars.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

===========
3) The Code
===========

This is Proof Of Concept Code:

------------------- CUT HERE -------------------
------------------- CUT HERE -------------------

And

------------------- CUT HERE -------------------
------------------- CUT HERE -------------------

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

---
Rafel Ivgi, The-Insider
http://theinsider.deep-ice.com

"Only the one who sees the invisible, can do the impossible."
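
Added example, not part of the original advisory or the author's proof of concept: a content check that a web proxy or mail gateway could run over HTML/script bodies to flag pages that instantiate the COM objects listed in section 2, by ProgID or by CLSID. The sample pages are constructed, and the "ASControl.Report" prefix rule for other-language report objects is an assumption based on the advisory's "(any language)" note.

```python
import re

# ProgID -> CLSID pairs copied from the advisory (the type library ID is
# left out because it is not a creatable class).
ADVISORY_OBJECTS = {
    "ASControl.ReportHebrew.1": "237AFA6B-D75C-445B-9D87-68DB699FAB32",
    "ASControls.InstallEngineCtl.1": "6E449683-C509-11CF-AAFA-00AA00B6015C",
    "ASControl.Seleccion.1": "6CEC0297-FAFB-41FB-97EA-77E3081B1DFE",
    "ASControl.Lista.1": "4826196E-5CD9-4029-A1D3-789D4651D2C2",
    "ASControl.ControlConexion.1": "6FDCDD41-6C97-4A3B-9E6D-0144B66A1CE4",
}
# Members the advisory names as the overflow and crash triggers.
RISKY_MEMBERS = {"internacional": "Internacional", "setsitesfile": "SetSitesFile"}
# Assumption: other-language report objects share this ProgID prefix.
REPORT_PREFIX = "ascontrol.report"

_CREATE = re.compile(r"""(?:CreateObject|ActiveXObject)\s*\(\s*["']([^"']+)["']""", re.I)
_CLASSID = re.compile(r"""classid\s*=\s*["']?\s*clsid:\{?([0-9a-f-]{36})""", re.I)
_MEMBER = re.compile(r"\.\s*(internacional|setsitesfile)\b", re.I)

# Constructed, harmless sample pages (no overlong string, no real URL).
SAMPLE_VBS = '''<script language="VBScript">
Set o = CreateObject("ASControl.ReportHebrew.1")
o.Internacional = "en"
</script>'''
SAMPLE_OBJECT_TAG = '<object classid="clsid:4826196E-5CD9-4029-A1D3-789D4651D2C2"></object>'


def scan_page(text):
    """Return sorted (kind, name) findings for one HTML/script body."""
    by_progid = {p.lower(): p for p in ADVISORY_OBJECTS}
    by_clsid = {c.lower(): p for p, c in ADVISORY_OBJECTS.items()}
    findings = set()
    for m in _CREATE.finditer(text):
        name = m.group(1).strip()
        if name.lower() in by_progid:
            findings.add(("instantiates", by_progid[name.lower()]))
        elif name.lower().startswith(REPORT_PREFIX):
            findings.add(("instantiates-report-variant", name))
    for m in _CLASSID.finditer(text):
        if m.group(1).lower() in by_clsid:
            findings.add(("instantiates", by_clsid[m.group(1).lower()]))
    # Member names alone are too generic; report them only next to an object hit.
    if findings:
        for m in _MEMBER.finditer(text):
            findings.add(("uses-member", RISKY_MEMBERS[m.group(1).lower()]))
    return sorted(findings)


if __name__ == "__main__":
    for label, page in (("vbs", SAMPLE_VBS), ("object-tag", SAMPLE_OBJECT_TAG)):
        print(label, scan_page(page))
```

Scripts can assemble ProgIDs at run time, so a clean result from this static check does not prove a page is harmless.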